Web Privacy Risk Evaluation Finds Almost One-Third of the S&P 500’s Websites Are at Significant Risk of Online Data Privacy Violations
LOKKER’s Web Privacy Risk Score™ Reveals Half Received Failing Grades for Consent Practices, Critical Threat as Class-Action Lawsuits and States’ Privacy Laws Increase
REDWOOD CITY, Calif., May 23, 2023 /PRNewswire/ — LOKKER, provider of online data privacy and compliance solutions for enterprises, today released new online privacy risk research for the Standard and Poor’s 500 (S&P 500) websites. LOKKER’s Web Privacy Risk Score findings revealed notable risk to consumers’ personal information, with 30% of these organizations’ websites found to be at medium or high risk. With regards to specific industries, information technology companies and financial services businesses were found to have websites with the most significant risk factors. LOKKER’s Web Privacy Risk Score assessment tool quantifies a company’s potential risk of privacy violations pertaining to the collection and sharing of customers’ online information.
Across all industries, businesses are being closely watched for their use of trackers to collect consumer data. The challenge is that most organizations are not aware of or understand the amount of trackers, cookies and other applications that run in the background of their websites and the dramatic privacy risks they present. An increase in state privacy laws, class-action lawsuits and federal regulatory enforcement measures demonstrate that businesses must maintain control over consumer privacy or face the potential significant financial and reputational repercussions of not doing so.
To better understand where S&P 500 companies’ websites – which consumers regularly interact with – stand with regards to online privacy, LOKKER utilized its Web Privacy Risk Score tool to evaluate their risk. It measures a variety of risk factors, including trackers, session recorders, cookies, malware, consent practices, sensitive data collection, and risky foreign domains.
Failing Grades for Consent Practices, Cookies and Trackers Lead to Risk of Privacy Violations and Resulting Lawsuits
- LOKKER found that 50% of these websites received the lowest grade possible for their consent practices, indicating they either didn’t have a cookie consent banner or it’s misconfigured. Data privacy laws such as the CPRA, GDPR, HIPAA, GLBA, VPPA, ECPA and others require that consumers give their consent prior to data being collected and shared. While some websites lacked a consent banner altogether, the research uncovered that others are misconfigured and load first- and third-party cookies on the page before the user can consent to them. Several of the laws mentioned above include a private right of action clause which allows consumers to bring class-action lawsuits for the unauthorized use of their data, which can pile on top of fines set forth from regulators. This can become financially burdensome very quickly for companies.
- With regards to cookies, they are another significant privacy concern, with just under 50% of these organizations’ websites receiving a failing score. One of the worst offenders has 542 cookies on its website, including 71 first-party cookies and 471 third-party cookies. The average cookies per website is 27. Unnecessary cookies put site visitors’ data at higher risk of being shared with unidentified third parties and, worse, cookie hijacking, which could allow hackers to access and steal their personal data, potentially making businesses liable.
- Trackers are another online consumer privacy threat the S&P 500 are facing. About 40% of S&P 500 websites received a failing grade for their tracker use. A failing grade is generated based on a mix of factors, including the number of trackers, what data they’re collecting, and which pages they are on. For example, many of the recent privacy lawsuits filed under the VPPA have been related to the Meta pixel tracker sharing protected video viewing data with a third party. Plaintiffs can sue for up to $2,500 per violation.
“This sample of websites represents what we’ve seen more broadly from our research – roughly 25-30% of all websites scanned have been found to be at significant privacy risk,” said Ian Cohen, CEO of LOKKER. “We are proactively sharing these insights as a warning for businesses to check their websites for these common privacy risks, as they can lead to expensive, often unexpected class-action lawsuits as a result. One thing is to remove third parties online that aren’t necessary, like duplicate tracking tools and technology you no longer use, or to implement software like LOKKER’s Privacy Edge platform that blocks data sharing with certain tools automatically.”
Industry-wise, IT and Financial Services Companies at Highest Risk
- LOKKER found that 48% of S&P 500 information technology companies’ websites had significant risk when it comes to consumer data privacy.
- 42% of financial services organizations’ websites were found to be at medium- to high-level risk.
For additional recommendations on how to protect consumers’ online privacy, reduce the risk of lawsuits, and maintain compliance, visit https://lokker.com/protect-your-website-from-privacy-risks-insights-from-scanning-the-sp-500-websites/.
LOKKER is a Silicon Valley-based data privacy technology company creating software for companies to protect their customers’ sensitive personal information. LOKKER’s Privacy Edge™ platform is an enterprise solution that automates detection and mitigation of online threats that lead to major incidents, fines and reputational damage for companies. For more information visit, lokker.com.