Tracking technologies – and especially ‘ad tech’ – used by businesses to pinpoint customer activities and trends, are themselves under greater scrutiny as new and evolving privacy laws enter enforcement.
As we’ve seen recently, high profile privacy law enforcement actions do more than bring individual businesses to account for non-compliance – they make examples of them to put countless other companies (and their vendors) on notice too.
We recently hosted a webinar with Ryan Ostendorf, Product Manager at TrustArc, and Taylor Blum, partner at BakerHostetler, on this very topic: Managing Online Tracking Technology Vendors: A Checklist for Compliance.
Privacy Law Enforcement Actions Targeting Online Tracking
Arguably, the California Attorney General’s August 2022 enforcement action against personal care and beauty retailer Sephora for breaches of the California Consumer Privacy Act (CCPA) was as much about calling out how vendors of ad tech/online tracking technology are managed – via criticism of Sephora not having valid controls in service provider contracts – as it was about the business failing to respect consumers’ opt-out rights.
In its settlement, Sephora agreed to:
- Pay $1.2 million
- Clearly notify consumers of their opt-out rights
- Process opt-out requests signaled via the Global Privacy Control
- Enter CCPA-compliant contracts with service providers
- Establish a two-year compliance program for vendors and other third parties.
That last settlement term put many organizations into a spin over their ad tech vendor contracts because many of them knew they faced serious privacy law compliance risks.
Not surprisingly, twelve months later in August 2023, the Interactive Advertising Bureau (IAB) reported nearly half of all respondents to its State Privacy Law Survey “do not feel prepared to comply with the vendor due diligence obligations of the laws” and there was “consensus that a lack of adequate contract controls are in place”.
In our webinar, Taylor Blum highlights some other big takeaways from the IAB State Privacy Law Survey results:
1. “Most respondents truly believe the term ‘sale’ is a broad concept under each of these data privacy laws, and it generally captures making personal information available for sharing or targeted advertising, ad delivery and measurement activities.”
2. “The majority of respondents stated that after a user opts out, ads can be selected using publisher first-party data or contextual signals. There is still another significant percentage of the market that expressed a problematic belief that ad selection based on advertiser personal information can be leveraged, which I think is a big disconnect there … these can have liability if they fail to conduct adequate diligence on privacy compliance requirements in effectuating app campaigns.”
What Broad Definitions of ‘Personal Information’ Mean for Website Tracking
Blum notes the CCPA definition of ‘personal information’ is a good baseline for businesses to understand the privacy implications of their website tracking activities.
Under CCPA § 1798.140(v), ‘personal information’ is defined as:
“…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household….” and includes “a unique personal identifier, an online identifier, an Internet Protocol Address, an email, other similar identifiers, internet or other electronic network activity information, or geolocation.”
In our experience helping businesses manage privacy law compliance, we’ve found it’s vital that decision makers planning to use online tracking technologies – for example in marketing – understand the legal implications of collecting personal information.
They must also flag intended uses of these technologies with the privacy office or legal counsel. Similarly, if you’re in the privacy office, ensure people in the business understand just how granular definitions of personal information have become.
As online tracking technologies are often designed to capture one or more main categories of personal information, it’s useful to understand how they’re defined in subsections of the CCPA:
1. Unique identifiers (defined under CCPA § 1798.140(aj)) – personal information includes “Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers or similar technology, customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family”.
2. Precise geolocation (defined under CCPA § 1798.140(w)) – information about a person’s location “derived from a device that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet”.
3. Internet or other electronic network activity information (listed under CCPA § 1798.140(v)(1)(F)) – information about a person’s online activities, such as “browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement”.
Online Tracking Technologies That Can Collect Personal Information
Most people are familiar with cookies, but as Ryan Ostendorf explains, it’s also important to understand how other kinds of online tracking technologies work:
“Mechanisms where users are identified on the web might be based on a cache object on the browser. Maybe not as a known person but identifying them in such a way that tracking and collection of personal data are possible using the underlying technologies on the website. First-party cookies are also becoming more common, especially from your ad tech vendors, so you need to know if they – or their underlying technologies – are used to collect personal information.”
How Common Online Tracking Technologies Work
- Pixels – tiny (often 1x1) invisible images placed in web pages or emails. The page or email doesn’t need to run any script: simply loading the image sends a request to the tracking server, and that request carries the visitor’s IP address, browser details, the time, the referring page, and any identifiers embedded in the image URL or sent in cookies for that server. The server logs this to record that the content was opened and to link the visit to earlier activity.
- Web beacons – the same technique, usually small GIFs embedded in a web page (often by third parties), used to track whether a user has accessed specific content and to analyze how they navigate through it.
- Software Development Kits – code integrated in mobile apps to connect them to third-party technologies and services, such as in-app ad displays and tools for analytics or re-engagement. SDKs are often used to track users with a device identifier (for example, the platform’s advertising identifier) together with platform details such as whether the device runs Android or iOS. They can also be used to collect information such as geolocation or IP address.
- Cookies – small data files stored in a user’s web browser that allow advertisers to track their behavior and personalize their online experience, such as displaying better-targeted ads and content optimized for their location, language, and device.
- Third-party libraries – code (typically JavaScript) that a page loads from a vendor rather than from the business’s own servers, to provide analytics, advertising, or audience-measurement functionality. Because the library runs inside the user’s browser with access to the page, it can read what the user sees and types, collect identifiers, and send them to the vendor. Businesses are reducing their reliance on third-party code and third-party data as privacy regulations restrict sale or sharing of personal information, and as updates to web browsers and mobile devices bring stronger privacy protections.
- Session replay technology – scripts loaded into the page that record how a user navigates a website (mouse movements, clicks, scrolling, and often keystrokes) and interacts with content, so the visit can be replayed later. Analyzing how users interact with navigation controls and content can reveal friction points which cause drop-offs, and show which design elements or content types appeal most. Session replays are sometimes also used to profile users for marketing and sales purposes.
“We’ve seen a variety of litigation regarding the use of session replay technology, which tries to equate them to various wiretapping laws,” explains Taylor Blum. “A lot of times they’re used to see how users use your website. But it’s important to understand what you’re capturing and making sure you’re not using them on pages where sensitive data is being inputted.”
Market Forces Affecting Tracking Technology Practices
In our work, we’ve seen several major market forces impact privacy compliance programs. They’re mostly driven by changes to privacy regulations – and so far, the biggest impact is CCPA enforcement.
California’s Enforcement of Sale/Share
The California Attorney General’s enforcement action against Sephora delivered for many a new understanding of ‘sale’ when online tracking technologies are involved:
“…where the business discloses or makes available consumers’ personal information to third parties through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for monetary or other valuable consideration including personal information… analytics or free or discounted services.”
Recommended action: ensure your tracking technology vendors are compliant with this new understanding of ‘sale’. If an organization is engaging in sale/share this triggers several different enforceable obligations.
How to assess your ad tech vendor:
- Is your organization subject to CCPA?
- Does your organization use online tracking technologies?
- Is your organization disclosing or making available California consumers’ personal information to third parties?
- If there are benefits exchanged with the third party, are they monetary (direct financial payment or other financial benefits) or non-monetary (analytics or free/discounted services)?
- Are there any exceptions to the sale?
- Is your vendor classified as a service provider or a third party? If it’s a third party, you must give consumers an opt-out.
Updates to State Privacy Regulations for Consumers’ Rights to Opt-out
Several states’ privacy regulations now deliver stronger rights for consumers to opt-out from some forms of tracking.
In California the CCPA delivers the right to opt out of sharing for cross-context behavioral advertising (effective January 1, 2023); while the following state regulations deliver the right to opt out of processing for purposes of targeted advertising:
- Virginia Consumer Data Protection Act – effective January 1, 2023
- Colorado Privacy Act – effective July 1, 2023
- Connecticut Data Privacy Act – effective July 1, 2023
- Utah Consumer Privacy Act – effective December 31, 2023.
“It’s important to note while all five of these laws give consumers the right to exercise controls around targeted advertising, they do preserve the ability for businesses to engage in contextual advertising,” explains Taylor Blum. “For an ad to be contextual it needs to be relevant (in context) to the content of a website the user is viewing; for example, an ad for running shoes placed on a running forum.”
Health Privacy Beyond HIPAA
The FTC has been very active in expanding the practical definition of sensitive consumer health data. The FTC does not enforce HIPAA itself (that is HHS’s role); instead it has used its own authority under the FTC Act and its Health Breach Notification Rule against businesses handling health data that fall outside HIPAA.
As the FTC treats it, sensitive health data is no longer limited to protected health information under HIPAA, and now includes data that conveys information about, or enables inferences about, a consumer’s health.
Recommended action: exercise extreme caution when using online tracking technologies and ensure you’re not creating inferences about a consumer’s health from any data collected.
Health Privacy Under Washington My Health My Data Act
Washington My Health My Data Act goes into effect on March 31, 2024, for large businesses and June 30, 2024, for small and medium businesses.
It covers any business that collects, uses, discloses, or sells health data of Washington consumers and provides a private right of action for consumers alleging violations.
Consumer health data is very broadly defined under the Act and includes any data that could be used to reveal or infer a health condition or diagnosis.
Recommended action: analyze whether your business is processing health data of Washington consumers (under the very broad definition of ‘health data’); and if so, ensure compliance with data processing restrictions under the Act across your business and in contracts with third parties.
Litigation Trends Related to Online Tracking Technologies
We’re seeing increasing volumes of lawsuits focusing on notice, consent, and disclosure practices associated with online tracking technologies.
And some of these actions involve plaintiffs’ attorneys using non-traditional privacy laws to allege violations as these laws may make stronger remedies available, such as punitive, statutory, and treble damages.
Legal theories we’ve seen used to litigate against tracking technologies – and especially session replay technologies – include:
- Wiretapping laws, including the California Invasion of Privacy Act (California Penal Code §§ 631 and 632)
- Video Privacy Protection Act
- RICO conspiracy.
Recommended action: while some claims may be baseless, it’s important to understand the increasing risks of using online tracking technologies. You need to know what you’re using, how, and why (and whether it’s truly business critical). Legal counsel can help you review your use of online tracking technologies and assess the business risks of continuing or discontinuing their use.
Tracking Technologies Under Review for EU/UK GDPR Compliance
The EU GDPR and UK GDPR do not regulate tracking technologies by name, but their definition of personal data is broad enough to cover them: Article 4(1) lists ‘online identifier’ among the examples of personal data, and Recital 30 names cookie identifiers and IP addresses as identifiers that can be associated with a natural person. Identifiers set or read by trackers such as cookies are therefore personal data.
On December 7, 2023, the European Data Protection Board (EDPB) published an urgent binding decision “imposing a ban on Meta Ireland for the processing of personal data for behavioural advertising purposes on the basis of contract and legitimate interest”.
The EDPB is also championing the European Commission’s ‘Cookie Pledge’, an initiative designed to help protect fundamental rights and freedoms of users in the EU by giving them ‘concrete’ information on how their data is processed and the consequences of accepting different types of cookies.
We expect more data protection authorities across Europe will join Belgium, France and Spain to issue cookie consent guidance documents.
The European Union’s data protection authorities are focussing on consent, cookie walls, and cookie banner compliance and we anticipate enforcement will ramp up in 2024/25.
Recommended action: ensure compliance with EU data protection authorities’ rules around cookie banners and other tracking technologies, and prepare for the expanding scope of rules in 2024/25 regarding personal information and tracking technologies.
Best Practices and Legal Compliance Software for Managing Ad Tech/Tracker Risk
1. Understand how vendors’ technologies identify users
2. Know which third-party technologies are sitting on your website – and how trackers work on a consumer’s browser
3. Implement a Tag Management System (TMS) to control how third-party code is executed on your website, including enforcement of opt-in or opt-out: the TMS blocks cookies, trackers and other data-collection mechanisms for users who have opted out of ad tech and/or analytics tracking (and, in opt-in regimes, for users who have not yet opted in)
4. Use a Consent Management Provider (CMP) to give users a notice and choice mechanism, which in tandem with your TMS will automate how users’ choices are respected
5. Scan your website (discovery processes) to reveal categories of trackers (e.g., functional, analytics, performance, or ad tech)
6. Consult your Privacy Office / legal counsel to determine Tag Management System controls for tracker codes based on users’ consent choices in the CMP and their location (e.g., automatically opting-out users located in the EU)
7. Conduct scans of your website to validate compliance with all applicable privacy regulations:
- Are trackers still dropping in GDPR regions before users opt in?
- Are trackers dropping if users have opted out?
- Are advertising trackers still dropping if users under CCPA have opted out of advertising?
8. Ensure your system is configured to prevent vendors’ trackers/ad tech from functioning and collecting personal information where users have opted out (or been automatically opted out based on location)
9. Keep your notices updated to reflect the latest technologies on your website – and users’ choices about those technologies – ensuring disclosures are accurate, transparent, and clear to consumers
Alternatives to Tag Management:
- Use a tag-blocking solution in a CMP, which will attempt to auto-block requests to third-party code
- Use an API in a CMP to block your own code and only allow it to be executed if users opt-in via the CMP’s notice and consent choices
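The TMS/CMP controls and the validation scan in the steps above come down to one policy decision applied in two places: before a tag is injected, and again when auditing what actually fired. The following is an added example written for this page; it is not TrustArc’s, a CMP’s, or a TMS’s own code. The tag inventory, vendor hostnames, region codes, and the mapping of regions to opt-in versus opt-out regimes are assumptions made for illustration, and the Global Privacy Control handling relies only on the documented `navigator.globalPrivacyControl` property (browsers also send a `Sec-GPC: 1` request header, which a server-side check would read instead).

```javascript
// Added example (not TrustArc, CMP, or TMS code): consent-gated tag loading
// plus an audit that checks observed tracker requests against user choices.
// Vendor hosts, region codes and the regime mapping below are assumptions.

// Constructed tag inventory, as a TMS configuration or a website scan would produce it.
const TAG_INVENTORY = [
  { id: "site-core",      category: "functional",  host: "www.example.com" },
  { id: "web-analytics",  category: "analytics",   host: "stats.analytics-vendor.example" },
  { id: "ad-pixel",       category: "advertising", host: "px.adnetwork.example" },
  { id: "session-replay", category: "analytics",   host: "replay.ux-vendor.example" },
];

// Assumed regime mapping: EU/UK need prior opt-in for every non-functional
// category; the listed US states allow loading until the user opts out.
const OPT_IN_REGIONS = new Set(["eu", "uk"]);
const OPT_OUT_REGIONS = new Set(["us-ca", "us-va", "us-co", "us-ct", "us-ut"]);

// Global Privacy Control: browsers that send it expose navigator.globalPrivacyControl.
// Treated here as an opt-out of advertising (sale/share) in US opt-out states.
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// ctx = { region, consent: { analytics?: bool, advertising?: bool }, gpc: bool }
// Returns { allow, reason } for one tag under the user's current choices.
function decide(tag, ctx) {
  if (tag.category === "functional") {
    return { allow: true, reason: "functional tags need no consent" };
  }
  const choice = ctx.consent ? ctx.consent[tag.category] : undefined;
  if (OPT_IN_REGIONS.has(ctx.region)) {
    // Opt-in regime: only an explicit true counts; no choice yet means no.
    return choice === true
      ? { allow: true, reason: "user opted in" }
      : { allow: false, reason: "no prior opt-in in opt-in region" };
  }
  if (OPT_OUT_REGIONS.has(ctx.region)) {
    if (choice === false) return { allow: false, reason: "user opted out" };
    if (tag.category === "advertising" && ctx.gpc) {
      return { allow: false, reason: "GPC signal treated as sale/share opt-out" };
    }
    return { allow: true, reason: "no opt-out on record" };
  }
  // Unknown region: fail closed and behave like an opt-in regime.
  return choice === true
    ? { allow: true, reason: "user opted in" }
    : { allow: false, reason: "unknown region, defaulting to opt-in" };
}

// Loads every permitted tag through an injector callback. In a browser the
// injector would append a <script src=...> element; a test can pass a stub.
function loadAllowedTags(inventory, ctx, inject) {
  const loaded = [];
  for (const tag of inventory) {
    if (decide(tag, ctx).allow) {
      inject(tag);
      loaded.push(tag.id);
    }
  }
  return loaded;
}

// Validation scan (best-practice step 7): given the request hosts observed
// while the page ran under a given consent state, report any request that
// the policy should have blocked, plus any host not in the inventory at all.
function auditObservedRequests(observedHosts, inventory, ctx) {
  const byHost = new Map(inventory.map((t) => [t.host, t]));
  const violations = [];
  for (const host of observedHosts) {
    const tag = byHost.get(host);
    if (!tag) {
      violations.push({ host, reason: "unknown tracker, not in inventory" });
      continue;
    }
    const d = decide(tag, ctx);
    if (!d.allow) violations.push({ host, tag: tag.id, reason: d.reason });
  }
  return violations;
}

// Stand-alone demonstration on constructed scan data.
if (typeof require !== "undefined" && require.main === module) {
  const euNoChoice = { region: "eu", consent: {}, gpc: false };
  console.log("EU, before banner:", loadAllowedTags(TAG_INVENTORY, euNoChoice, () => {}));
  const caGpc = { region: "us-ca", consent: {}, gpc: readGpc({ globalPrivacyControl: true }) };
  const seen = ["www.example.com", "px.adnetwork.example", "cdn.unlisted-vendor.example"];
  console.log("CA + GPC violations:", auditObservedRequests(seen, TAG_INVENTORY, caGpc));
}
```

Two design points matter in practice. First, the audit and the loader share one `decide` function, so the scan tests the same rule the TMS enforces rather than a second, drifting copy of it. Second, a request to a host that is not in the inventory is reported as a violation in its own right: tags frequently load further vendors (piggybacking), and a scan that only checks known hosts misses exactly the third parties a vendor review never covered.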
Checklist for Onboarding an Ad Tech Vendor
2024 Privacy Trends
- After several delays, Google may deprecate third-party cookies in Chrome and move towards a ‘privacy sandbox’ – when this happens, Consent Management Platforms will need new solutions
- European Data Protection Board (EDPB) will likely expand the scope of personal information and tracking technologies
- More Data Protection Authorities in the EU will harmonize cookie enforcement
- U.S. Federal Trade Commission (FTC) will continue enforcement against businesses for violations involving tracking technologies
- California Privacy Protection Agency (CPPA) will focus more on what’s going on ‘behind the scenes’ – CPPA is hiring technologists to develop solutions for scanning and defining session debt, tracking, mobile apps and SDK opt-outs, ensuring they function and that data flows are shut off
- Washington My Health My Data Act goes into effect – March 31, 2024, for large businesses and June 30, 2024, for small and medium businesses – providing private right of action for violations
- Litigation will continue to focus on Meta pixel use, session replay technologies and activities triggering UCL (unfair competition law) claims.
Recommended action: understand how your online tracking vendors’ technologies are working on your website; review contracts for compliance; understand the litigation risks and ensure due diligence to manage risks.
TrustArc Solutions For Tracking Technologies and Cookies
Identify and monitor cookies, trackers, and website behavior to deliver a secure digital user experience.