What your lawyers say you’re doing vs. what your growth team and developers are actually doing … the real impacts of CCPA and GDPR
CCPA and GDPR force companies to “put pen to paper” about their global user data policies and partner data sharing, but as with any system of accountability in a marketplace, the mere existence of regulatory frameworks that force transparency doesn’t ensure that the data being shared is accurate or universal for all users.
And with both CCPA and GDPR, there will always be a common mantra of exposure… “your data sharing partners put your business out of compliance…”
Over the last 12–24 months, numerous companies have been founded that probably have on the first slide of their pitch decks something along the lines of, “We’re going to be LegalZoom™ for User Data Privacy Requests and Complaints!” These are typically data supply products but not data supply solutions – they are the equivalent of a Spiderman Band-Aid for a double amputation.
I’ve personally vetted most of the new data supply companies that have been popping up to support American user data privacy complaints, and I also did the same before/during/after GDPR with mostly-European companies founded to support the IAB’s Consent Management Provider frameworks.
When I vetted the CMPs, I found that the very best CMP was a little-known (at the time) tool called “Faktor.io”. They were special for a number of technical reasons that I don’t need to share, and their company was eventually acquired by the massive LiveRamp for an undisclosed sum. Similar situations exist with how companies are approaching CCPA and the whole concept of user data compliance and revocation audits — some companies are doing it right, and others are just “going through the motions” and trying to copy more sophisticated peers.
GDPR forced companies across the world to think about “cookie consent boxes” not as a UI/UX legal catch-all, but as a technical barrier, controlled by the user, which could actually, factually, segment a user’s data flow based on their preferences, and also support the revocation of that data along the supply chain, as warranted by the user at some point in the future or based on pre-agreed-upon rules.
Good CMPs are not really about “managing cookies” but much more about federating strings and organizing the fine-grained event data, so that the CMP is more like a tag management solution with 3rd party integrations and revocation triggers — a full-cross-platform-data-event-suite. Bad CMPs are just rudimentary page-load JavaScript blockers with bolted-on post-consent JS piggybacking. The difference is vast, but woefully misunderstood by numerous companies in the market today.
Below you’ll find a flowchart I made a few years ago that demonstrated where holes could exist in a user data consent flow across devices and user experiences. If your organization conducts a real and similar audit and flowchart across your digital platforms, you will immediately find huge user data holes across various features, apps, integrations, widgets, and partners in your ecosystem — guaranteed.
There are technical ways to do parts of these audits, but data supply auditing has no silver bullet — you must carefully audit every piece of technology, every user step, every engagement, and map what is actually, factually happening. Otherwise, if you rely on JavaScript CMPs and other technical “user data blockers” without going that extra step, you’ll never see what data you aren’t collecting and what data is flowing outside your control.
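One of the partial, technical audit steps mentioned above can be sketched as follows. This is an added example, not code from the original post: it compares the third-party hosts seen in a browser HAR capture against the partner list the privacy policy declares and against the recorded consent choice. The hostnames, partner list, consent record and HAR entries are all constructed sample data, and partner matching is by exact hostname.

```javascript
// Added example: compare observed requests (HAR) with the declared partner list.
// All hosts, partner names and timestamps below are constructed sample data.
const FIRST_PARTY = "shop.example";
const DECLARED_PARTNERS = new Set(["analytics.example", "ads.example"]); // per the privacy policy

// Constructed HAR fragment (HAR 1.2 fields: log.entries[].startedDateTime, request.url).
const har = { log: { entries: [
  { startedDateTime: "2020-01-02T10:00:00.100Z", request: { url: "https://shop.example/" } },
  { startedDateTime: "2020-01-02T10:00:00.400Z", request: { url: "https://cdn.shop.example/app.js" } },
  { startedDateTime: "2020-01-02T10:00:00.900Z", request: { url: "https://analytics.example/collect?uid=1" } },
  { startedDateTime: "2020-01-02T10:00:05.000Z", request: { url: "https://ads.example/sync" } },
  { startedDateTime: "2020-01-02T10:00:05.200Z", request: { url: "https://widget-vendor.example/pixel.gif" } },
] } };

// Consent event noted by the tester: when the banner was answered and which partners were allowed.
const consent = { answeredAt: "2020-01-02T10:00:03.000Z", allowed: new Set(["analytics.example"]) };

function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// Returns one finding per third-party request that contradicts the declared policy or the consent choice.
function auditHar(capture, declared, consentRecord) {
  const answered = Date.parse(consentRecord.answeredAt);
  const findings = [];
  for (const entry of capture.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (isFirstParty(host)) continue;
    const at = Date.parse(entry.startedDateTime);
    if (!declared.has(host)) {
      findings.push({ host, issue: "undeclared-partner" });      // nobody told legal about this one
    } else if (at < answered) {
      findings.push({ host, issue: "fired-before-consent" });    // ran before the user chose
    } else if (!consentRecord.allowed.has(host)) {
      findings.push({ host, issue: "fired-despite-refusal" });   // the blocker did not block
    }
  }
  return findings;
}

const findings = auditHar(har, DECLARED_PARTNERS, consent);
for (const f of findings) console.log(`${f.issue}\t${f.host}`);
```

A capture like this only covers the page loads and user steps that were actually recorded, so it supplements the manual mapping rather than replacing it.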
Where is the upstream user data noncompliance for your organization? Where is user data shared, and where do your partners have the opportunity to share it even further outside your control?
GDPR, for all its perceived faults, created very strong definitions for “data controllers” and “data processors” — with the primary difference being that if you are a “controller” you are responsible for the data that you share to all of your partner processors — and if one of those processors then shares to additional/new companies, that processor is upgraded to a controller, and the data supply chain now has multiple joint-controllers of data, with their own legal exposure to complaints.
CCPA’s framework is obviously different than GDPR, but there are numerous similarities with how it forces companies to “identify partners” and have the ability to control the flow of the user data to those partners.
CCPA also has many months ahead before it will be clear how enforcement plays out, and with the impending second data privacy referendum being put on the California ballots in 2020, and potential efforts to pass a wide-ranging user data privacy and security bill in Congress, we’re only dipping our toes into what will eventually become a working user data and user PII framework here in the United States.
For decades there have been fragmented efforts in the U.S. on these, from healthcare privacy to banking privacy, to video game rental privacy, to mobile phone beacon privacy, and other niche-privacy efforts that largely just created a patchwork of confusion that is rarely enforced by the FTC and other relevant agencies.
The private right of action in CCPA and other American user data privacy frameworks that are coming online in 2020 (and potentially strengthened by Congress) is going to further differentiate the “American GDPR” vs the actual European GDPR — and we’re many years from companies across the internet ecosystem fully feeling the effects of all these changes.
In the coming months and years, some companies will lurch out of existence quickly from enforcement actions or scandals, whereas others will slowly lose revenue as data flow stops to their previously-non-compliant user data sharing practices.
And as someone who has been building and optimizing data flow systems for over a decade, and auditing complex data supply projects for several years, I know for a fact that I don’t always have the answers, because every technical system has new ways to share data and new protocols that partners can exploit, and every company has partners and features/apps/integrations/widgets that only their marketing team or development team knows about — and due to the inherent nature of running a business on the internet, in any given week, it will be your developers and marketers who put your entire business out of compliance. And your exposure will be further compounded by your partners sharing data with their partners, further outside your control.
Moving forward, when it comes to data supply auditing and user data privacy compliance frameworks, there will always be a gap between what your lawyers say you’re doing, versus what your growth team and developers are actually doing.
2020 is going to be the first year that U.S. companies finally know what happens when they can’t account for their user data or their partner practices… but there are years of claims, settlements and FTC consent decrees ahead for those unwilling to acknowledge this shift.
//
Follow me on Twitter @thezedwards for updates in the weeks to come on CCPA, GDPR and important data supply research about the global ecosystem.