Website Privacy Testing: What Is It & Why Companies Need It


Assessing a big, poorly understood problem

Privacy fines resulting in 2% to 4% of your annual revenue are the tip of the iceberg. Reputational damage stemming from a privacy loss event can cost companies substantially more.

We often write about the rapid increases in companies utilizing 3rd party applications for core functionality on their websites and the user exposure problem this creates. The current per website average is now up to 63 outside parties capable of accessing sensitive user information. Website owners are responsible for the behavior of third parties who can utilize user information at any time, creating massive, unmanaged risk for millions of companies worldwide.

Continuous invisible information gathering

Website owners are responsible for what outside parties do with their users’ information; however, they can’t see how third parties track, collect, or share the information they access. This creates a considerable privacy and cybersecurity problem that is especially difficult to address.

An unmanaged interaction layer exists where user information changes hands on the client side between the website owners’ web code, outside parties’ cloud-controlled applications, and the end users’ computers. This client-side data exchange layer is dynamic, and most companies have avoided understanding it for far too long because it is complex and constantly changing. It requires continuous monitoring to understand what is going on.

Challenges with transparency

The adage, “you can’t fix what you can’t see,” has never been more fitting when it comes to web privacy and compliance. Companies worldwide are getting fined and sued for privacy violations because they simply can’t see what outside parties involved with their web operations are doing with their web visitors’ information.

By analogy, imagine you built a physical store and allowed 60+ different vendors to put up cameras in various parts of your store, some of which had facial recognition and sophisticated ID matching capabilities. Yet you couldn’t tell who was recording your visitors or storing personal information on anyone coming into your store. You couldn’t even tell whether vendors were sharing or selling your customer information to other parties based on user activities in your store.

Now suppose you learned you could be fined millions of dollars for consumer privacy violations if any of those cameras were recording. How long would you allow those cameras to remain in your store?

The importance of gaining visibility

Companies that conduct business in the EU (GDPR), CA (CCPA), VA (CDPA), or CO (CPA) already face a similar problem, yet most don’t realize it. Companies operating in these jurisdictions must know exactly how they and any third parties they work with process user information. Not only are companies required to understand how they are processing user information, but they are also required to disclose those processes to their users. Companies are also mandated to allow users to consent to those uses, enable users to restrict what type of information they are comfortable sharing and allow users to request the deletion of the information being used.

If your company can’t even see what third parties are doing with your web visitors’ information, it is unlikely you comply with the other privacy regulation requirements. It would seem necessary to learn what third parties can do with your visitors’ information to evaluate the base level of risk you are operating under. One of the first things companies should do is perform a website privacy test to determine how many third-party applications have access to user information.

Website Privacy Testing

Like penetration testing for cybersecurity systems, website privacy testing has as its goal the identification of privacy loss vulnerabilities in website operations. Privacy testing is more like web user data exfiltration testing for websites.

Lokker developed a web privacy testing service that scans web domains using synthetic user data to safely and accurately identify all third-party applications accessing user information.

Lokker’s website privacy testing service can detect:

  • the number of 3rd party domains accessing user information from your website
  • if user PII is propagating to 3rd parties
  • if 3rd party browser fingerprinting scripts are present
  • the number and type of 3rd party cookies set from your website
  • the number and type of 3rd party scripts run from your website
  • the number and type of 3rd party advertising trackers running on your website
  • the number of recently registered domains with access to users from your website
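As an added illustration of the kind of check such a test performs (this is example code, not Lokker’s service), the Node.js script below seeds a constructed synthetic identity, then analyses a constructed set of captured browser requests to count third-party domains and cookies and to flag where the synthetic PII propagates, including URL-encoded and base64 variants. The first-party host, the request log and the two-label registrable-domain guess are all assumptions made for the example.

```javascript
// Added example (not Lokker's code): analyse a captured browser request log
// for third-party data access and synthetic PII propagation.
// Every input below is constructed; the first-party host is an assumption.
const FIRST_PARTY = "shop.example";

// Synthetic identity typed into the site's forms during the test run.
const SYNTHETIC_PII = {
  email: "privacy.test.7f3a@example.invalid",
  phone: "555-0100-7777",
};

// Constructed HAR-style entries, as a browser's network log would record them.
const CAPTURED_REQUESTS = [
  { url: "https://shop.example/checkout", postData: "email=privacy.test.7f3a%40example.invalid", setCookie: [] },
  { url: "https://cdn.shop.example/app.js", postData: "", setCookie: [] },
  { url: "https://pixel.adnet.example/c?e=" + encodeURIComponent(SYNTHETIC_PII.email), postData: "", setCookie: ["uid=abc; Domain=.adnet.example"] },
  { url: "https://t.metrics.example/collect", postData: JSON.stringify({ p: Buffer.from(SYNTHETIC_PII.phone).toString("base64") }), setCookie: ["_m=1", "_m2=2"] },
  { url: "https://fonts.cdnprovider.example/inter.woff2", postData: "", setCookie: [] },
];

// Naive registrable-domain guess (production tooling should use the Public Suffix List).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Encodings a tracker commonly applies to a value before sending it onward.
function variants(value) {
  return [value, encodeURIComponent(value), Buffer.from(value).toString("base64")];
}

// Returns the third-party domains seen, the PII fields that reached each one,
// and how many cookies those third parties set.
function analyze(requests, firstParty = FIRST_PARTY, pii = SYNTHETIC_PII) {
  const report = { thirdPartyDomains: new Set(), piiLeaks: [], thirdPartyCookies: 0 };
  for (const req of requests) {
    const domain = registrableDomain(new URL(req.url).hostname);
    if (domain === registrableDomain(firstParty)) continue; // first-party traffic is in scope elsewhere
    report.thirdPartyDomains.add(domain);
    report.thirdPartyCookies += req.setCookie.length;
    const payload = req.url + "\n" + req.postData;
    for (const [field, value] of Object.entries(pii)) {
      if (variants(value).some((v) => payload.includes(v))) {
        report.piiLeaks.push({ domain, field });
      }
    }
  }
  return report;
}

console.log(analyze(CAPTURED_REQUESTS));
```

On the constructed log this reports three third-party domains, three third-party cookies, and two propagation events (the e-mail address to adnet.example, the phone number to metrics.example); a real scan would repeat this over a full crawl and a consent-denied run.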

This is critical privacy loss information. You need it to investigate problematic 3rd party behavior occurring on your website and to take immediate action to protect your company and your users.

Additionally, Lokker can provide a ranking of your website relative to other companies in your industry or against the Fortune 1000 averages in each of the above categories, so you can assess your relative level of risk in comparison to your competitors.

Knowledge is power

Web privacy has moved well beyond a wish-list capability. It is now a required technical necessity, and one that will be very expensive for your business if you cannot fully demonstrate it. Websites were not fundamentally built with privacy in mind, especially as the adoption of third-party applications became widespread. Understanding where you are losing control of user information to third parties in your web operations is paramount to running a good business in general, not only to understand your operational risks better but to live up to your corporate responsibility to your customers.

Time is of the essence

Gartner estimated that by 2023, 65% of the world’s population would be covered by some form of GDPR-style privacy regulation. However, Gartner’s prediction was made before China passed its new comprehensive privacy law, the Personal Information Protection Law (PIPL), which is set to take effect on November 1 of this year. The PIPL will cover an additional 1.4 billion people ahead of schedule with one of the strictest privacy laws in the world, one that could result in fines of up to 5% of annual revenue for companies found to have violated it.

China has now moved ahead of the US in implementing a national privacy law, which will put new pressure on the federal government to define a national privacy law here in the US. It is no longer a question of if but when.

The decision to run a website privacy test to gain knowledge on web privacy matters will bring companies new insights to fix chronic problems that will head off hefty privacy fines, prevent lawsuits, and potentially avert catastrophic brand damage. Companies that are smart enough to move fast can leverage privacy as a brand differentiator and turn a significant risk factor into a valuable market advantage.

To learn more about Lokker’s website privacy testing service or to schedule a test of your website’s privacy loss vulnerabilities, please visit https://lokker.com/website-privacy-scan/.

Author:
Kurt is an experienced marketing and sales executive with a passion for privacy and technology. From the background of a successful media and content agency entrepreneur, Kurt delivers fresh insights by making connections between tech, marketing, security, and personal freedom and responsibility.