Privacy Governance for Cookies and Other Digital Technologies
Join Teresa Troester-Falk and Ben Isaacson to expound upon the privacy considerations in the adtech space when using digital technologies such as cookies and pixels. Listen to the recording here. Transcription below:
Hi, everyone, and welcome to today’s PrivacySnapshot. And we’re back here with Ben Isaacson, who is a luminary in our field of data privacy. We’ve known each other a long time, going back to, I think, my days at DoubleClick when we first connected. So, Ben, you have had a lot of years working very specifically within adtech for companies who are trying to figure out the maze of regulations in this space. And one of the things that we’ve all noticed after the GDPR was the ubiquitous cookie banner. And it didn’t necessarily pan out maybe for consumers the way we might have expected but it became a useful tool to manage cookies and pixels and those kinds of technologies.
So the same thing is now happening with the CCPA where companies are looking at “Do I need a banner or don’t I and how am I going to this whole world of digital technologies” — with the regulators focused on it and a bit of uncertainty about what I need to do. And you and I’ve talked about this, and you’ve distilled four key areas that you walk through with companies and have them think about, so I’m just going to hand this over to you. We could talk about this for a few hours, but just give a high-level overview of those four areas and the key points that companies should be thinking about.
Thanks, Teresa. It’s great to be here. Thank you for having me. So the first thing to keep in mind is there’s amazing tools out there now that we just didn’t have, you know, a few years ago, even. The first one is tag managers. In the old days, whenever you wanted a cookie to be placed on your website, you had to hard-code a pixel into the HTML of the website itself. And those days are now gone or can be gone. We still see a lot of old publishers doing it the old way. But there are a lot of tools like Google’s Tag Manager like Tealium that become a bottleneck for the use of a single point of, you know, governance from all the pixel tags on your website, and they can dig and change any page to another page, but is still goes through that same Tag Manager.
So the privacy professional can say, Yes, I want this company to be on this page and not that company on this page, and actually play a role in managing privacy in real-time. And those same tag managers — also many of them offer the consent management tool in a consent management platform, as they’re now called CMPS that go with GDPR, or in some cases with CCPA. To say we want to present this type of cookie banner to this type of user. And you know, with the GDPR being an evolution over the last couple of years, we’re now seeing a requirement to really create preferences that go beyond just opt-in or opt-out, but rather personalization, advertising, and analytics. So, you know, even granular, you know, cookie-specific preferences. So, it is extremely important to have both a Tag Manager and a content management platform to be able to help you do global pixel and cookie compliance.
The second thing is to really vet each partner that you’re allowing to place a pixel tag on your website, and specifically, whether they have subprocessors or partners that they work with — the key term of art is piggybacking. You don’t want any cookie, you know, pixel partner of yours to allow a third party to also place a pixel because they can just automatically enable that to happen. I’ve unfortunately seen a number of cases where it was unknown to a publisher or advertiser that some other company was sitting on top of their website collecting data potentially for retargeting on other media. So getting a list of those partners and an understanding what really what their core purposes are, and if there are tertiary purposes beyond just what you’re hiring them for, that could be what that data could be used for. And again, coming back to this notion of within the California law in particular, is this partner a vendor? Or are they like a service provider? Or are they a third party? And this is a very important distinction to make. And that’s why the third category is contracts.
So, in the contract, that must be crystal clear. Is this a service-provider relationship? Or am I essentially selling my data to you under the CCPA? And how do we work through managing that opt-out or, you know, data deletion or any other kind of sales requirements that are now inherent in the CCPA, which is adtech really the federal law at this point?
Then the last thing is auditing and tracking. So, tools like Evidon let you audit the pixels on your website. So you can actually go to covid.com, and, you know, test and plugin, you want to see, you know, all the different partners that show up, and hopefully, all of them are under contract. But then you can also test that, with different tools, that the consent management process, and getting it from, you know, a lower percentage rate to a higher percentage rate simply by changing the positioning of the banner, changing the text of the banner, changing the creative and looking for trends in how your consent is working.
For the most part, we’re seeing cookie consent, at least, even for Europe in the 90% range, which is pretty great, depending on the publisher, but for most, you know, trusted publishers, they’re getting a high-quality consent. Same with the CCPA. The opt-out is extremely low that people are actually opting out. So trying to benchmark your own website versus these others is a good thing to do.
So thank you. That is certainly excellent advice. To sum up: Using tag managers and content management platforms. And there are lots of tools out there now to help organizations do this. Vetting your partners — that is so critical. We’re just seeing so many privacy problems emerge because of those third parties, right? Looking at your contracts, and finally auditing and tracking your website itself.
And so you spoke a lot about the use of tools. And I think this is, this is new for us, right? You and I have grown up in this space and have been in it for 20-plus years. We didn’t have the luxury of automated tools. We were using Word documents and spreadsheets and policies and procedures. And so it’s not a panacea, and it doesn’t solve all the issues, but it’s solving a lot of problems and creating more efficiency. At BlueSky Privacy, we do view it as our job to stay on top of this ever-changing privacy tech ecosystem and help you properly evaluate tools out there and effectively optimize your use of them so that they don’t end up being shelfware. So thank you, Ben, for joining us. Again, this is excellent. And for those of you looking for compliance support, we’re here to help you.
Let’s talk about Privacy and the Governance of Cookies, pixels, and other digital technologies.
Are you ready to demonstrate compliance with the CCPA, the GDPR, or other privacy laws? The key is operational know-how, a practical plan, and privacy expertise.
Ask us how we can help you feel confident and at ease with your privacy compliance efforts.
Follow us on LinkedIn: https://www.linkedin.com/company/blueskyprivacy/mycompany/