Five Issues With How We Approach Web Privacy, and How to Fix It
Protecting customers’ privacy online is getting increasingly complex. Companies are trying to balance complying with a patchwork of state and industry-specific laws against website technology that, at its core, encourages sharing information with other parties. Here are five reasons the approach to website privacy today is broken and a few recommendations to fix it.
Issue #1: How we build websites gives companies little control over client-side activity. We build websites with countless tools, everything from CDNs to online forms, embedded video hosting, analytics, heatmaps, session recording, and ad tech tools that collect visitor data from a company’s website, and many of them also share that information with other parties. We’ve found ten times more hidden trackers than visible ones on the average website. This form of website development encourages more data to be collected and shared with more entities, increasing the likelihood that the data may be sold, misused, or stolen.
Issue #2: The US regulatory framework is happening state-by-state, leaving a patchwork of laws that companies must navigate. Compliance needs to be dynamic, not passive. Since the United States lacks a comprehensive federal data protection law, states have been left to pass their own data protection and privacy laws. In addition to California’s existing CPRA, five state laws are going into effect this year, including Colorado, Virginia, Utah, and Connecticut; just recently, Iowa passed a privacy law that will take effect on January 1, 2025. Of course, each of these has slightly different requirements and rules.
In addition to the state data privacy laws we’ve listed, industry-specific privacy laws further complicate compliance. These include HIPAA (the Health Insurance Portability and Accountability Act), which applies to healthcare providers and insurance companies, and the Gramm-Leach-Bliley Act (GLBA), which applies to financial institutions.
And lastly, there are even more specific laws like the Video Privacy Protection Act and Wiretapping Laws that we’ve seen cited in recent privacy lawsuits for unlawful sharing of visitor video consumption data and for illegally recording visitor behavior on websites via session recording tools, respectively.
This myriad of data protection laws creates complexity and challenges for companies operating nationally or internationally. Each regulation may have different requirements, definitions, and standards for data protection, privacy practices, user rights, and compliance obligations.
Issue #3:Consumer (and regulator) intent isn’t what they get with cookie consent. Consent is a legal framework, not data protection.
Many consumers may not fully understand the implications of cookie consent or the extent of data collection that occurs through cookies. Cookie consent primarily serves as a legal framework to ensure compliance with data protection regulations. It does not guarantee comprehensive data protection or address all aspects of privacy.
Regulators may have intended cookie consent to enhance user privacy and control over their data. However, the implementation of cookie consent by websites often falls short of these intentions. Websites may design cookie consent pop-ups or banners that are confusing, manipulative, or difficult to understand, leading to user frustration and a lack of meaningful consent.
While obtaining user consent is essential to complying with data protection regulations, it is not synonymous with ensuring robust data protection practices.
Issue #4: Getting a user to “Accept All” cookies don’t protect companies from bad actions by third parties served a company’s website
Suppose a user accepts all cookies, including those from third parties. In that case, that doesn’t mean the website owner or company can’t face potential risks or liabilities associated with the actions of those third parties. Often websites use services from third-party providers, like social media widgets, analytics tools, and other plugins. These third parties may set cookies on the user’s device to track their browsing behavior or gather data for various purposes. The website owner or company could be held accountable if a third party engages in malicious or inappropriate actions, such as unauthorized data collection, security breaches, or unethical practices.
Companies are responsible for ensuring that any third parties they engage with adhere to data protection regulations and follow ethical practices. The company’s responsible for carefully vetting and monitoring the third parties they work with to ensure they meet the necessary data protection and privacy standards.
Issue #5: Too many of today’s tools focus on past privacy actions rather than ongoing, real-time data protection.
As we’ve mentioned, the digital landscape constantly evolves, with new technologies and data collection methods being added to websites regularly. Many practices and tools focus on obtaining one-time consent or doing one-time vendor or risk assessments. These actions become immediately outdated when the technology and risks change quickly and don’t offer protection when regulations or technology changes.
Approaching web data privacy in real-time allows organizations to stay up-to-date with these changes, stay compliant with the latest requirements, adapt privacy policies and practices as needed, and mitigate the risk of non-compliance or regulatory penalties.
Also, real-time monitoring and analysis of web data can help identify and respond to security incidents or data breaches promptly. Organizations can take immediate action to address potential security vulnerabilities, mitigate risks, and protect user data by having systems that provide real-time alerts and notifications.
Data Privacy Recommendations:
Companies cannot simply adopt a one-time, static approach to compliance. Instead, they should continuously monitor and adapt their practices to comply with evolving regulatory requirements, detect changes in the third-party technology on their website, and detect any new threats that those tools present.
Companies should use practical tools that provide visibility and control over the third parties running on their websites, that allow them to determine if they are sharing information with other parties, and block any sharing activity that violates privacy regulations.