S2 E29: Website Privacy Functions and Controls

Transcript

Jordan Eisner: Alright, welcome back everybody to another episode of Compliance Pointers. I’m joined today from an audio standpoint, but also a video standpoint with Matt Dumiak.

Matt, good to have you back on the show.

Matt Dumiak: Thanks for having me, Jordan.

Jordan Eisner: And for those of you unaware, Matt Dumiak is our Director of Privacy Services. He’s also the father of twin boys. I think he’s better known for that.

You may have heard him referred to in different circles as the privacy prophet. A self-proclaimed nickname.

Matt Dumiak: Definitely. You can tell my demeanor right now. Self-proclaimed for sure.

Jordan Eisner: So we’re going to talk today, Matt, about keeping your organization’s website, its privacy functions, in compliance with all applicable laws and regulations. We’re going to use the recent commentary or news or guidance out of New York really as the catalyst for talking about this.

But this is something we’re seeing existing with other organizations too, where maybe they’re using a platform or maybe they’re doing other things, but they feel that their website is compliant or they’re good, cookie trackers, consent, you name it. But there’s a glitch in the system or there’s back end type components that are not configured correctly or there’s additional steps that weren’t taken. And they might have peace of mind that they’re compliant, but they’re not actually doing it and that could rear its ugly head.

So as our audience would guess, I’ve got a list of questions that I want to get into and ask, but first, just to keep you on your heels here, how did you earn the nickname privacy prophet?

Matt Dumiak: It was over a few years during the pandemic, grew out the hair, but then also just continue to demonstrate expertise in the privacy space obviously too. So a combination of things.

Jordan Eisner: But a prophet doesn’t necessarily just demonstrate expertise. A prophet exemplifies it, preaches it, educates, inspires. Was there some of that?

Matt Dumiak: Absolutely. As you know, I’ve been on the speaking circuit over the last couple of years.

Jordan Eisner: I’m going to take your short answers as just humility, as a prophet would have.

So what triggered this conversation, like I said, the state of New York published privacy controls guidance or privacy controls guidance website, right?

Matt Dumiak: Yeah, exactly. A website.

Jordan Eisner: So what’s the purpose of this website? Break that down for our listeners before we go any further.

Matt Dumiak: Yeah, of course. So this website was created by the New York attorney general’s office to assist organizations with how to comply with or what they should be really looking at when it comes to digital advertising primarily.

So this website, I know we talked broadly about website compliance. This guidance is primarily focused on digital advertising and it gives tips and tricks for organizations that they should follow or look into should they have cookie preference centers or cookie consent solutions, modules on their website and they’re running those tools.

Lots of organizations are. The broad applicability of the state privacy laws would dictate that they have those types of things. And so it breaks down on this website the types of things the New York attorney general saw when they investigated some common e-commerce sites. So some common issues, but then also at a very high level, mind you, they don’t get into the technical nitty-gritty of how to stand up a preference center. I should caveat that right for cookie consent.

But what they’ll do is they said, here are the issues we saw and here are some steps that organizations could take or should take. So it’s like a top 10 tips and tricks. I would like to think that while it’s geared towards businesses, consumers could also look at that and educate themselves on what organizations should be doing as well. So I think it serves a dual purpose of helping businesses on an area maybe they weren’t aware of that they were falling short on and then educating consumers as well. But again, it is geared towards businesses.

Jordan Eisner: Have any other states done this?

Matt Dumiak: California has released a ton of guidance on this. Other states have released certainly FAQs on any number of topics under the data privacy laws, privacy rights, notices, but nothing is targeted or in detail in terms of, hey, we have found issues with digital advertising on very large companies’ websites and what to do about it. So FAQs and things, but nothing to this degree.

And then, and I think you called it out, that this is a little bit unique in that I’ve mentioned California did it and some other states with privacy laws.

Jordan Eisner: New York does not have a privacy law.

Matt Dumiak: Exactly.

Jordan Eisner: I feel like I’m making the face Don Corleone makes when Sollozzo wants to be in his family, looking for protection while he pursues his enterprise endeavors. I won’t mention what they are. Not exactly, I think, PC for this podcast.

Matt Dumiak: Well, spoiler alert, too.

Jordan Eisner: Yes, exactly. But he says, why am I so fortunate that you bring this offer to me? Why did New York feel without their law that they should put this out? Maybe you don’t know the answer to that.

Matt Dumiak: It’s a good question. To your point, they don’t have a comprehensive state privacy law in New York. They’ve proposed several. They have not been able to pass one just yet, but that’s because I think they’ve had so many competing bills.

However, New York, as many states do, have laws prohibiting unfair and deceptive trade practices. And that’s going to tie to this because what they found through their investigation was that organizations, businesses were either holding out in good terms, like they were trying in best efforts to comply, so not trying to be nefarious or anything, but saying, hey, to consumers when you visit the site, you can opt out of certain cookies and trackers being placed on your machine or even under the guise of we hold back cookies and trackers. And that’s kind of a term of not placing cookies and trackers until the consumer consents.

And so businesses were either letting consumers or supposedly letting consumers opt out of cookies or allow only collecting cookie or placing cookies when they collected consent. And so what they found was that this was basically a deceptive practice or misleading practice to say to give a consumer a choice when in reality they didn’t have it.

And so I think it’s their way of really positioning themselves as while we don’t have a comprehensive privacy law today, we see this as an issue and a priority for the residents of our state. We have laws where we can enforce these types of things if you are making claims that you are actually not following up on as a business.

So it’s much broader than data privacy.

Jordan Eisner: It’s very New York. We don’t have a law on data privacy, but we’re going to tell you how you should do your data privacy.

Matt Dumiak: Through other laws. Exactly right.

Well, and it’s interesting because I think what we’re going to see is this is you asked about have other states release like FAQs or guidance. Yep, under their state privacy law they have.

I don’t know if other states were potentially thinking about this just yet, but as you know, because we consult on a lot of different regulatory obligations that organizations have and help them operationalize that, these AGs, the attorneys general across the country, have annual meetings. They talk, they discuss, they work together. I believe that this could be just the start of what states are looking at. I think this is a precursor for other states to say, oh wow, interesting perspective on that. We could take that, maybe take that up on our side as well. And we haven’t really thought about it in that way, even though, you know, almost just under 19 states have privacy laws, but again, 31 don’t. They could take this approach too.

Because a lot of, again, as we mentioned, the majority of, if not all states have prohibitions on unfair or deceptive trade practices. So it’ll be interesting to see where this maybe is going to go.

Jordan Eisner: And there’s a federal prohibition on that.

Matt Dumiak: That’s right.

Under the FTC, I believe section five. So yes, the FTC can enforce against unfair trade practices too.

Jordan Eisner: Whoa, whoa, whoa, privacy prophet. Come back down to earth here. Okay. No, just average listeners. You’re throwing out terms like nefarious.

The other piece here, and maybe you mentioned it, was there was an investigation by the New York AG and this uncovered these issues that this guidance is around. What were the common ones that you found in the investigation?

I think you spoke to them a little bit. Categorize them. Give them a title. Give them quick hitters for our audience on the main things you saw that you think they should be concerned with.

Matt Dumiak: Yeah, of course. I think a good point you call out there is that first off, the New York Attorney General took it upon themselves to do this investigation. That is somewhat unique in the privacy space in that regulators can go out and check an organization, a business’s website to see if they’re complying with the requirements they potentially have.

So they are being proactive. We’ve seen that in California. We see that here with New York, that the regulators, the attorneys general, are going out and proactively looking to ensure that businesses are complying with their law. So I think it’s really critical when organizations are thinking about risk and how to manage that in the privacy program or under their privacy obligations.

Publicly facing is going to be first and foremost, right? Because that’s where these regulators are looking. And so to prioritize that. But some things to kind of get back to answer your question directly, some things that the New York Attorney General’s investigation revealed or what they reported on that they saw were issues, were a few things.

And we’ve seen this for a long time when we help companies or organizations implement their cookie preference centers or modules is things like uncategorized or miscategorized cookies and tags. We all see from the cookie preference providers in the space that they offer some functionality around website scanning and auto-categorization.

That is a strength for these solutions. I’m not going to like harp on it too much. However, they’re not perfect. And so they either don’t these digital advertising cookies trackers, they’re changing all the time. There’s a new one created probably as we’re on this podcast, right? Every minute. So those are changing all the time.

These solutions, while they have a team that’s dedicated to researching these and categorizing them and then kind of building that into their code base to auto categorize eventually, they can only work so quickly. And so there’s that side of the coin.

The other side is organizations are businesses are at times miscategorizing cookies themselves. So even if the solution says, oh, it’s an I’m going to auto categorize this as an analytics cookie. Maybe the business goes in and says, oh, I disagree, these tools will allow you as a user to recategorize a cookie.

Also, maybe they don’t know what it is, right? So there’s a whole host of things that maybe could have led to this. I think it’s probably a combination of the technology not being managed and the auto categorizations are working to a degree. But if you’re not checking these solutions on a regular basis to make sure that A, they’re accurate B that they’re catching all the cookies, C that you actually categorize them and save them and publish them to your website. Those types of things can lead to miscategorization or uncategorized cookies.

What then goes in is that these tools are not working well with the ad with the digital advertising on the business’s website. They can also break the website. So there’s some disincentive to miscategorize cookies because as we talk through this, organizations may be tempted to say, oh, we, this is a marketing cookie, but we’re going to do it strictly necessary so that consumers can opt out or so that it runs before consent is given. That will break a website.

But even on top of that, potentially it will break a website. Even on top of that, it is obviously a violation. So there’s a lot of things working against there, but that is not uncommon when you find that a cookie solution is not managed by a business is that there are a lot of uncategorized or miscategorized cookies sitting in their solution.

And so going in there, taking an exercise to clean it all up. It’s a little bit of a hunt and peck sometimes to find out what these cookies are even like through different websites. You can find them through the from the developers websites, that type of thing, like the actual cookie who developed it. But even that sometimes can prove challenging.

Jordan Eisner: Hunt and peck?

Matt Dumiak: You know, on the keyboard, like, okay, it’s not, there’s not an easy process at times. So it’s not it’s not the home keys of typing when you’re categorizing cookies.

Jordan Eisner: I thought maybe that was a reference to a bird.

Matt Dumiak: Hunt and peck. Just not very efficient. Sometimes it’s not easy.

Jordan Eisner: And the origin of the term cookie for our listeners. Do you know this?

Matt Dumiak: No, I don’t.

Jordan Eisner: I’m going to have to look it up. Somebody told me one time and I didn’t commit it to memory, probably because I was just dreaming of real cookies while they were saying it.

Matt Dumiak: So even beyond that, uncategorized cookies, misconfigured tools and hard coded tags, some complications there when you get a little bit more in the weeds.

When you look at how to implement these solutions, you can see on the on the privacy preference center, like the software that’s offering these types of solutions. When you look at their website, it can look relatively straightforward. It can be a snippet of JavaScript on the header of the website.

When you really get into it, the reality is it can be a little more complex. It depends on the website. It depends on if you’re using tag managers, which help companies manage cookies and trackers like Google Tag Manager or GTM. You’ve probably heard of it.

So it can be a little more complex than that. And so I think that might be a function of folks not engaging the appropriate skill set within their business in that they think that it’s easier to set up than it really is in reality.

And so even to say, OK, when we talk about uncategorized cookies, that’s a management issue. That means it’s implemented, but there’s a management issue. When they say misconfigured and hard coded tags and things not talking to the to the solution, that is absolutely an implementation issue. It’s like right up front.

And it’s again, it’s a combination of things. It’s probably a little bit of the sales side from the software, making it look really easy to do and not engaging, actually, in doing the appropriate testing to make sure it’s operating like you think it is.

Jordan Eisner: You had to throw sales under the bus?

Matt Dumiak: So, you know, there’s ownership all around that. Because when you buy that solution, you’re ultimately responsible for it and you have to implement it and make sure that it’s operating effectively. And so when you look in and find that it’s not operating like that, that to me speaks to there’s a lack of a software development lifecycle in place to ensure that you’re implementing it and testing it to begin with.

And then also you’re not monitoring and managing the solution to say, OK, we’ve implemented this. Let’s go audit it. Not only is our cookie banner popping, because that’s a real easy check, right? Our banner is popping. Or if I click on opt out of cookie, if I click on cookie settings and it pops the cookie drawer that allows you to opt out, those are easy things to check.

Where it gets a little more complex is on the back end. To say, OK, when I make these choices, is it actually honoring that? And that’s where you have to engage your digital advertising team. If you’re outsourcing that as a business to an ad agency, they can assist usually. Consultants, things like that, to say, come in and actually make sure this thing is running.

Jordan Eisner: Because that’s what I was going to say. You’ve got to know what you’re looking for to audit.

Matt Dumiak: Yes, exactly right.

It’s not as simple as going in and looking at, OK, the drawer pops. You really do need to get into the back end of that website and make sure that it’s shared. It’s configured the right way and that it’s placing the approval. It’s operating like you think it should be.

Jordan Eisner: Well, that’s a good segue into what was going to be my final question. Unless you had anything else you wanted to add on that investigation.

Matt Dumiak: No, I don’t think so. We hit the high points there.

Jordan Eisner: So I want to ask what companies can do. Our listeners have gone this far with us and our terrible humor to understand how they can ensure their website complies with privacy and consumer protection laws.

See, I added consumer protection laws because New York doesn’t have that.

So list some of those that are top of mind that they can do for our listeners. But getting back to what you were just talking about with how it’s implemented and that being a function of responsibility. Maybe somebody didn’t exactly know how to set it up and they should have leveraged somebody else internally.

What is the committee? I get this question a lot when I’m talking with organizations about our services. Who typically owns this? Is this a legal thing? Is this an IT thing? Is this an information security thing? When you’re working talking about us as a consultant, when you’re working with an organization on data privacy, who’s your counterpart?

And I tell them, which has been my experience, it’s usually a committee. Unless a group has a dedicated privacy person that has both legal and technical expertise, which is very tough. It’s a committee of IT and legal together. What about for this specific item? Having a software or platform or tool for website functionality, who does the organization need to ensure is involved in implementation, setup, testing, auditing, software development lifecycle, you name it. All of that.

Matt Dumiak: And so you gave us a good start there. Certainly legal because at the end of the day, this is going to be a legal obligation, but also the organization is going to have some obligations around how they, disclosures they make to consumers.

That is a big point on this New York website in that you’re stating things as a business, make sure that you’re honoring them. So when we’re assisting our clients with implementing these types of solutions, we’re typically working with inside in-house counsel, outside counsel, their digital advertising team, their marketing team, IT and IS beyond that, if we’re testing or ensuring that the solution we’re selecting has the appropriate technical and security controls.

And then of course, like we just talked about ourselves as well from a consulting perspective to operationalize it. And so from a compliance side and then to implement it too. And so it is absolutely a committee.

Usually it is somewhat, it’s challenging to find a single person or point of contact that could do this from start to finish just yet. I’m sure that’s down the road, right? There’ll be an opportunity for individuals to really make a name for themselves, but that’s the gear right now.

Jordan Eisner: And your answer, I think answered this question, which is why isn’t there a designated person? Why don’t more organizations have somebody that’s solely focused on this? And that’s because it’s budding, right? It’s still emerging. You mentioned that there’s 19 laws or 19 states that have one, there’s still 31 that don’t.

So it’s growing, it’s increasing, but perhaps there’s not enough threat yet for organizations to start designating a person or an owner. And so it kind of lives by committee. And that’s because there’s not fines being levied out. There are some, right? But it hasn’t been a heavy hand for organizations potentially violating this. But as we’ve seen, it’s changing.

Professional plaintiffs starting to come out, right? So organizations have more than previous to worry about in this affecting reputation. They want to comply with the law. But it’d be in their pockets sooner rather than later.

Matt Dumiak: I mean, you hit the nail on the head. There’s a lot of professional plaintiffs on this side now, both from a, we’ve actually seen cases where they’re claiming the business offered it opt-out and then didn’t honor it, or that they said they were not going to place cookies until they collected consent. And then they did.

These professional plaintiffs are tech-savvy. They are going through the dashboard on the website through common browsers and collecting what they deem to be the appropriate evidence.

Obviously, at this point, there have not, when we talk about professional plaintiffs, this is alleged violations, of course, so I will caveat that. It’s alleged violations when you get that demand letter. Organizations can choose to fight it or they can settle. And so a lot of organizations today are settling. And I think that’s where a lot of the risk resides.

I do think this New York release highlights that the AGs and the government authorities are also becoming more technically savvy because they investigated on the back end as well to see how these websites were operating.

So they know what they’re doing, right? They’re getting educated on this type of thing too. And I think that it’s just more to come. It’s the tip of the iceberg, really.

Jordan Eisner: So what else besides what you just mentioned, if anything, can organizations do to comply? From a website functionality standpoint.

Matt Dumiak: So I think to your point, I think that it’s about establishing the committee, certainly having the right skill set to implement the solution.

Big thing though is going to be testing. So ensuring that it’s operating effectively, like we’ve mentioned. That seems to have been dropped by several large e-commerce businesses, which are not out. They are not named in this website. It’s just outlined in the blog post or through the release that the attorney general did that it was 13 major e-commerce sites. They mentioned that they sell books and things like that. So I think that really getting in the back end and ensuring that it’s operating like you think it is.

So that’s going to be, again, engaging the digital advertising team and the ad agencies who know the digital ad space and really working with them to ensure it’s operating effectively. And then implementing some type of ongoing audit program to test its effectiveness as well. So I think those are really critical pieces that I would leave the audience with.

Jordan Eisner: It was Books a Million, wasn’t it?

Matt Dumiak: Books a Million?

Jordan Eisner: Yeah, the online retailer that sells books.

We’ll end there. Matt, thank you for your time, a plethora of knowledge. You continue to validate for me why they call you the privacy prophet. Well done.

Thank you for listening. If you like this content, please continue to come back because we’ll continue to push it out.

Subscribe, whatever platform you’re listening to, leave us a review. And if you have questions or you want to inquire with CompliancePoint about any of these topics or how we can help, please feel free to reach out to us on our website on LinkedIn.

You can email us at connect@compliancepoint.com.

Until next time. Thanks, everyone.
