Vendor Management Archives | TrustArc
https://trustarc.com/topic-resource/vendor-management/
Last updated Tue, 13 Aug 2024 18:54:28 +0000

How to Build a Vendor Risk Management Program
https://trustarc.com/resource/webinar-how-to-build-a-vendor-risk-management-program/
Mon, 22 Jul 2024 15:51:35 +0000
Webinar

How to Build a Vendor Risk Management Program

  • On-Demand

Developing a robust vendor risk management program is critical for safeguarding your organization against potential threats arising from third-party relationships. In an era where businesses increasingly rely on external vendors to deliver essential services, understanding and managing the associated risks have never been more important. This webinar will explore the essentials of creating a comprehensive framework to identify, assess, and mitigate risks linked to your vendors.

Our panel of experts will guide you through the indispensable steps to establish an effective vendor risk management strategy. They’ll address key questions such as: What are the primary risks associated with third-party vendors? How can you evaluate and monitor vendor performance to ensure compliance and security? What practices should be implemented to maintain ongoing risk assessments and resilience?

This webinar will review:

  • The critical components of a successful vendor risk management program
  • Practical steps to evaluate and manage vendor risks effectively
  • Strategies for continuous monitoring and performance assessment of third-party vendors
  • How to integrate vendor risk management into your overall risk strategy and business operations

Join us for an in-depth exploration of vendor risk management and learn how TrustArc can support your journey toward improved third-party risk oversight.

Webinar Speakers

Cathleen Doyel, Deputy General Counsel, TrustArc
Whitney Schneider-White, Partner, BakerHostetler
Creating a Unified Trust Center: Essential Steps for Success
https://trustarc.com/resource/creating-unified-trust-center-steps/
Tue, 11 Jun 2024 10:41:00 +0000
article

Creating a Unified Trust Center: Essential Steps for Success

From compliance to trust

As data breaches fill headlines and consumer skepticism is at an all-time high, the traditional view of privacy as merely a compliance requirement is rapidly becoming outdated. Privacy is growing in importance, and it’s now a must-have for businesses.

Today, leading organizations understand that privacy is not just about meeting regulatory demands; it’s a strategic asset that can differentiate a brand and build deep, trusting customer relationships.

What caused this shift?

With the rise of technology and the internet over the past two decades, the amount of data available has exploded. Businesses recognized the potential to use this information to increase efficiency and profits.

And as technology use accelerated, regulators fell behind. In some companies, data protection and privacy fell by the wayside. But the enactment of the General Data Protection Regulation (GDPR) in 2018 ushered in a new era of privacy, where compliance was especially prioritized.

Yet, in 2024, the tides have shifted again. Gone are the days when privacy was seen solely through the lens of regulation and compliance. Most of the population is protected under some type of data privacy regulation, and businesses have moved beyond privacy compliance to leveraging privacy as a differentiator.

For the second year in a row, TrustArc’s annual Global Privacy Benchmark survey reveals that ‘keeping brand trust’ was the top privacy goal for responding organizations. The report also highlights ‘risks to reputation and trust’ as the second highest privacy risk.

Consumers have also gotten savvier. Now, privacy is a pivotal point of customer experience, with a positive privacy experience increasing brand preference by as much as 43%. This dramatic shift signifies that customers are interested in the end product and the ethics and practices of the companies they engage with.

Companies like Apple are using this shift to their advantage. For example, Apple is known for championing user privacy. It encrypts all data stored on its devices and has a strict policy against collecting and sharing user data without explicit consent. And it focuses on educating consumers about how companies use their data and what options they have to protect it.

The standard has changed. B2B and B2C consumers expect businesses to be deeply committed to data protection and privacy. In fact, 34% of consumers will switch companies after one suffers a data breach.

The obscurity of trust and safety information

However, businesses are running into a problem. Many companies’ policies, notices, communications, cookie banners, etc., aren’t building trust—they’re doing the opposite.

You can’t use privacy to build trust if your policies, notices, disclosures, overviews, and communications are scattered, outdated, and too hard to understand. From managing personalized data privacy preferences to real-time notifications about policy changes, customers want a better solution.

As technology advances and data becomes more valuable than ever, the importance of privacy and transparency will only grow. It’s no longer enough for organizations to simply comply with regulations and meet minimum requirements; they must prioritize building trust with their customers through transparency.

What is a unified Trust Center?

A Trust Center is more than a website or a section on a company’s page. It’s a comprehensive, centralized, virtual space where organizations transparently share privacy, legal, compliance, and security information. These centers demonstrate an organization’s commitment to safeguarding data and respecting user rights, showcasing everything from security reports such as SOC 2 and privacy certifications (e.g. TRUSTe Responsible AI Certification) to real-time updates on policy changes.

TrustArc’s Trust Center exemplifies this evolution, offering a seamless blend of brand elements that reinforce trust while managing all front-facing trust and safety information efficiently. By enabling organizations to update documents instantly and toggle between public and private settings, Trust Centers have become dynamic tools that reflect an organization’s live commitment to trust and safety.

It serves as a hub for consumer engagement, answering critical questions about a company’s privacy policies and practices. It has become a standard tool for managing trust content – crucial for organizations that uphold trust as a core brand value.

The ability to quickly provide stakeholders with easy access to privacy and security information streamlines workflows and drives tangible ROI through enhanced consumer relationships.

Unified Trust Center development

While building a unified Trust Center will vary depending on the organization, below is an example of what’s included in the process. For most organizations this takes at least three months and requires cross-collaboration between many stakeholders including privacy, security, legal, compliance, IT, marketing, and web development.

1. Strategic Planning and Vision:

Identify the trust center’s primary goals and determine its target audience and their specific needs. For example, simplify how the organization communicates and manages all trust and safety information, including privacy, security, legal, compliance, and product. The target audience includes consumers, regulators, and business partners or vendors. Establish a leadership team to oversee the project, align stakeholders, and assign roles and responsibilities.

2. Data Security and Privacy Notices and Policies:

Create or locate your data security and privacy notices and policies that adhere to applicable standards and regulations. Develop an internal audit of content and methods for easy maintenance of content updates.

3. Infrastructure and Technology:

Working with your organization’s information technology and security teams, establish a secure IT infrastructure with advanced security measures, secure data storage solutions, and backup mechanisms. Choose appropriate platforms for the Trust Center’s content management and website development.

4. Content Development:

Design a clear and intuitive information architecture for the Trust Center. Organize content into logical sections such as security, legal, privacy, and transparency/availability. Develop all necessary detailed documents including policies, procedures, certifications, and FAQs. Plan to update this content regularly to reflect the latest practices and updates.

5. Compliance and Certification:

If you haven’t already, consider obtaining relevant security and privacy certifications to display prominently on the Trust Center. Conduct regular audits, address their findings promptly, and update practices as needed.

6. User Experience and Design:

Design the Trust Center with a focus on usability and availability. Test the website’s responsiveness and be sure it works well on various devices and browsers. Incorporate interactive features like compliance reports, self-service portals, and customer support options. Provide tools for customers to assess your compliance and security posture and make individual rights requests.

Keep in mind that poor management of individual rights requests and a subpar user experience can undo the benefits of spending millions on building positive customer sentiment.

7. Continuous Improvement and Monitoring:

Implement tools to monitor the Trust Center’s performance, security, and user engagement. Use analytics to understand user behavior and improve the Trust Center continuously. Establish channels for user feedback and incorporate relevant suggestions into the Trust Center. Regularly review and iterate on your Trust Center based on user needs and industry trends.

8. Communication and Training:

Ensure all stakeholders know their roles in maintaining the Trust Center. Develop a communication plan to promote the trust center to customers and partners. Use various channels to keep stakeholders informed.

9. Incident Response and Management:

Have a clear process for reporting security incidents to customers. Provide timely updates and detailed reports on incidents and resolutions in the Trust Center.

10. Documentation and Reporting:

Gather detailed records of all security measures, compliance activities, and audit results. Be sure this information is easily accessible and current.

Aligning all stakeholders to plan and build a homegrown Trust Center is no easy task.

Not to mention, the build and continuous updates take time away from marketing and web development, costing between $15,000 and $30,000. It also takes weeks to months to build and maintain (e.g., updating a policy or adding a downstream vendor).

There’s also an enhanced compliance risk to consider as legal and security teams will often need to wait several weeks for their updates to be implemented into the platform.

Don’t Create, Use Trust Center by TrustArc

The transition to viewing privacy as a trust-building tool represents an organizational cultural shift. TrustArc’s no-code Trust Center embodies this change, centralizing privacy, security, legal, and availability workflows, thereby enabling organizations to manage their front-facing trust efficiently.

As privacy regulations continue to evolve, so will the importance of trust and transparency in business practices. Organizations that strategically invest in building a strong Trust Center now will position themselves for long-term success as customer expectations shift towards increased privacy protection.

Creating a modern trust and safety hub like TrustArc’s unified Trust Center empowers core teams, setting up in minutes without the need for coding, and seamlessly blending brand elements into the Trust Center to reinforce trust. This approach enhances efficiency and showcases an organizational commitment to trust and safety by centralizing all relevant information.

The evolution of privacy from compliance to trust is an ongoing process, but embracing this shift can benefit businesses and consumers significantly.

By prioritizing transparency and investing in a comprehensive Trust Center, organizations can build strong customer relationships based on trust and ethical data practices. This will set them apart in a crowded marketplace and foster long-term loyalty and support, as privacy remains a crucial concern for individuals worldwide.

So the message is clear: make sure your organization has a robust Trust Center in place to reduce reputational and legal risk, while earning trust by demonstrating your commitment to privacy.

What is a Trust Center?
https://trustarc.com/resource/what-is-trust-center/
Mon, 06 May 2024 18:01:00 +0000
article

What is a Trust Center?

With more alternatives than ever, trust is paramount for business today. Consumers on all sides of the transaction prioritize organizations that are transparent, honest, and reliable. Across every transaction, multiple layers of trust coincide.

As a consumer, you trust that a product or service is accurately described and of the quality you expect. If you’re making an online purchase, you trust that the business will, in fact, ship the product after receiving your payment. And your trust also extends to how the organization protects the information you share with it during the transaction.

In a business-to-business environment, you trust that the vendor will meet your needs and provide adequate service levels throughout the relationship. You also trust that your partner will adhere to the terms of your contract regarding proprietary information and company data. Similarly, you must trust that they hire trustworthy people and select other trustworthy vendors for their business.

Every employee in every business has a role to play in building trust inside and outside the organization, especially the privacy, security, legal, compliance, marketing, and communications teams. These functions are responsible for having accurate information, such as privacy notices and customer-facing policies, available on the organization’s website.

The current state of trust management

Think about how things are run in your company. There’s the Privacy team, the Legal folks, Information Security pros, Compliance officers, the Marketing crew, and the Web Development team. Each group holds a crucial piece of what makes customers trust a company. But they’re often doing their own thing, making it tough to create a united front for earning customer trust.

When efforts and content are scattered, building trust with external stakeholders like customers and partners can fall short. Things like updating privacy policies are important, but if they’re just one-off tasks, they don’t add up to a big picture of trust.

A PwC report found that 24% of bosses say that not having a clear “trust boss” is a big roadblock.

That means there’s a huge opportunity being missed to work better and see real benefits from building trust.

What’s needed is a big shake-up in how companies approach trust. It’s about bringing all external-facing trust and safety information (e.g. legal terms, policies, security disclosures, compliance overviews, subprocessor disclosures, and more) together under one roof. Companies can make a real shift by aligning every action and decision with a clear plan and common goal.

The future of trust involves everyone moving together towards making customers feel secure and valued. That’s how you turn the act of building trust into something that not only feels good but also pays off.

The demand for a unified online hub

The amount of data created online daily is exploding. At the same time, privacy laws are getting stricter, and compliance is becoming more time-consuming. And have you seen the new AI regulations on the way?

On top of regulations are consumer demands.

A staggering 72% of people emphasize the importance of knowing a company’s AI policy before purchasing.

Legal, privacy, compliance, security, and marketing teams are burdened with keeping customer-facing policies, privacy notices, legal terms, compliance updates, overviews, and disclosures current. Likewise, expecting consumers to navigate too many “legal” links can be problematic for a good user experience.

This situation calls for something super handy: a one-stop online hub. You might have heard them called Trust Pages, Privacy Pages, Security Trust Centers, or Trust Portals. Despite the different names, their purpose is unified—to build trust by showcasing your organization’s commitment to all things trust and safety in a clear and easily available manner.

Think of it as a central station where customers can find everything they need to feel safe and informed. Policies? Check. Security details? Got it. Want to know about data handling or give your consent? It’s all there. Even system updates and legal stuff are included.

Plus, this hub makes it easy for everyone to use their privacy rights without a hassle. It’s about keeping things clear, secure, and user-friendly.

This hub is a unified, no-code Trust Center. It’s designed to consolidate fragmented data privacy, security, availability, and legal elements and operations into a unified platform, simplifying how organizations communicate and manage all trust and safety information, so you can easily demonstrate your commitment to data protection.

The storefront of your organization’s data governance practices

A Trust Center is a window into how you manage and protect customer data. It allows users to exercise individual rights, see your privacy certifications and policies, and access any compliance information like regulatory attestations and subprocessor lists.

It’s an interactive section of your website that’s constantly updated. One of the key features of Trust Centers is their user-friendliness. They should be easy to navigate, ensuring users can find needed information easily.

The Trust Center spectrum – Security, privacy, legal, and homegrown solutions

As the digital landscape evolves, Trust Centers have also advanced. Our latest count identifies over 15 different types of platforms; each offering varied capabilities, from standalone automated solutions to integrated systems within broader compliance frameworks.

This diversity means you have options. And you should carefully consider the tools to select the right one for your organization’s unique needs.

Trust Center types compared (Description, Pros, Cons, Standout Features, Bottom Line)

Security Centers
Description: Platforms facilitate secure exchange of sensitive information, streamlining security reviews, and reducing friction in sales cycles.
Pros:
  • Facilitates sharing of certifications securely
  • Reduces security questionnaire requests
  • Speeds up sales cycles
Cons:
  • May lack focus on branding and design
  • Limited integration with DSR mechanisms
Standout Features:
  • Compliance Reports
  • Subprocessor List
  • Gated Access and Clickable NDAs
Bottom Line: Suitable for businesses that prioritize security over privacy/legal concerns, are swamped with security questionnaire requests, and need streamlined security reviews.

Privacy Centers
Description: Platforms empower users by giving them control over personal data, ensuring transparency and compliance with regulations like GDPR and CCPA, and providing tools for data management.
Pros:
  • Enhances transparency and trust with customers
  • Demonstrates compliance with regulations
  • Empowers users with data management tools
Cons:
  • May lack integration with security aspects
  • User interface might not be engaging
  • Focus solely on privacy may overlook security concerns
Standout Features:
  • Data Access Requests
  • Privacy FAQs
  • Key documentation in simple language
Bottom Line: Vital for companies handling sensitive data, receiving numerous DSR requests, or updating privacy policies frequently. Focuses on privacy governance but may overlook security integration.

Legal Centers
Description: Comprehensive hubs for legal documents, clarifying users’ rights and obligations, ensuring compliance with laws and regulations, and addressing legal risks.
Pros:
  • Clarifies rights and obligations for users
  • Ensures compliance with laws and regulations
  • Safeguards organization and users
Cons:
  • Continuous effort for content updates
  • Risk of appearing impersonal or complex
  • Gaps in coverage related to third-party relationships and legal risks outside direct control
Standout Features:
  • Terms of Service and User Agreements
  • Intellectual Property Policies
  • Regulatory Disclosures
  • User-Friendly Navigation
Bottom Line: Aim to deepen trust by clarifying legal aspects of interactions, despite challenges in content updates and simplifying legal terms. Ensures compliance and understanding but may appear impersonal.

Homegrown Centers
Description: Custom-made platforms are tailored to showcase an organization’s commitment to privacy, security, and compliance practices but require significant upfront investment, expertise, and ongoing maintenance.
Pros:
  • Unparalleled customization to fit brand identity
  • Potential long-term cost savings
  • Tailored to industry-specific regulations and needs
Cons:
  • High upfront costs and development time
  • Ongoing maintenance and updates require resources
Standout Features:
  • Customization to fit any unique requirements
  • Tailored to industry-specific needs
Bottom Line: Ideal for organizations with deep pockets, ample expertise, and time to invest in building and maintaining a bespoke trust center.

The future of trust management: The unified Trust Center

Welcome to the new age of trust management, where we’ve revolutionized the concept of Trust Centers. Our innovative approach combines everything – Privacy, Legal, Security, Compliance, and Product status – into one powerful, cohesive product. Here’s how it works:

  • Privacy: Ensures all privacy documents, like policies and disclosures, are updated in line with global regulations.
  • Legal: Keeps your organization ahead of legal and regulatory changes significantly reducing compliance risks.
  • Security: Easily share important security documents – certifications, SOC reports, and encryption policies securely. Cuts down on incoming questionnaires and speeds up your sales process.
  • Product Status: Offer real-time updates on product status and system availability, crucial for upholding Service Level Agreements.

We’re putting the power back into the hands of those who manage legal, security, compliance, and privacy matters. By doing so, organizations can cut down on marketing and development costs while staying compliant in real-time and slashing legal, reputational, and compliance risk.

But what’s in it for you besides cost savings and boosted team productivity? Plenty:

Empower Your Customers: Allows customers and vendors to take control, easily accessing and managing their data. This self-serve model amps up your trust credentials.
Meet Modern Trust Demands: Whether you’re dealing with B2B or B2C clients, our unified Trust Center meets today’s trust challenges head-on, efficiently and effectively.
Boost Trust Perception: When people can see your privacy policies and security measures clearly, they feel safer. It’s all about building confidence.

TrustArc Trust Center isn’t just for the privacy and legal eagles. We’ve designed it to support security, compliance, GRC, marketing, web development, and even product/IT teams. The result?

A smooth, hassle-free user experience that not only demonstrates your commitment to trust but also aligns with your brand values and supports scalable business growth.

In this era, trust is everything. And with a unified Trust Center, you’re not just keeping up; you’re leading the way.

Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors
https://trustarc.com/resource/managing-online-tracking-ad-tech-vendors/
Thu, 18 Jan 2024 15:59:00 +0000
Articles

Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors

Tracking technologies – and especially ‘ad tech’ – used by businesses to pinpoint customer activities and trends are themselves under greater scrutiny as new and evolving privacy laws enter enforcement.

As we’ve seen recently, high profile privacy law enforcement actions do more than bring individual businesses to account for non-compliance – they make examples of them to put countless other companies (and their vendors) on notice too.

We recently hosted a webinar with Ryan Ostendorf, Product Manager at TrustArc, and Taylor Blum, partner at BakerHostetler, on this very topic: Managing Online Tracking Technology Vendors: A Checklist for Compliance.

Privacy Law Enforcement Actions Targeting Online Tracking

Arguably, the California Attorney General’s August 2022 enforcement action against personal care and beauty retailer Sephora for breaches of the California Consumer Privacy Act (CCPA) was as much about calling out how vendors of ad tech/online tracking technology are managed – via criticism of Sephora not having valid controls in service provider contracts – as it was about the business failing to respect consumers’ opt-out rights.

In its settlement, Sephora agreed to:

  • Pay $1.2 million
  • Clearly notify consumers of their opt-out rights
  • Process opt-out requests signaled via the Global Privacy Control
  • Enter CCPA-compliant contracts with service providers
  • Establish a two-year compliance program for vendors and other third parties.

That last settlement term put many organizations into a spin over their ad tech vendor contracts because many of them knew they faced serious privacy law compliance risks.

Not surprisingly, twelve months later in August 2023, the Interactive Advertising Bureau (IAB) reported nearly half of all respondents to its State Privacy Law Survey “do not feel prepared to comply with the vendor due diligence obligations of the laws” and there was “consensus that a lack of adequate contract controls are in place”.

In our webinar, Taylor Blum highlights some other big takeaways from the IAB State Privacy Law Survey results:

  1. “Most respondents truly believe the term ‘sale’ is a broad concept under each of these data privacy laws, and it generally captures making personal information available for sharing or targeted advertising, ad delivery and measurement activities.”
  2. “The majority of respondents stated that after a user opts out, ads can be selected using publisher first-party data or contextual signals. There is still another significant percentage of the market that expressed a problematic belief that ad selection based on advertiser personal information can be leveraged, which I think is a big disconnect there … these can have liability if they fail to conduct adequate diligence on privacy compliance requirements in effectuating app campaigns.”

What Broad Definitions of ‘Personal Information’ Mean for Website Tracking

Blum notes the CCPA definition of ‘personal information’ is a good baseline for businesses to understand the privacy implications of their website tracking activities.

Under CCPA § 1798.140(v), ‘personal information’ is defined as:

“…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household….” and includes “a unique personal identifier, an online identifier, an Internet Protocol Address, an email, other similar identifiers, internet or other electronic network activity information, or geolocation.”

In our own experience helping businesses manage privacy law compliance, I’ve found it’s vital that decision makers planning to use online tracking technologies – for example in marketing – understand the legal implications of collecting personal information.

They must also flag intended uses of these technologies with the privacy office or legal counsel. Similarly, if you’re in the privacy office, ensure people in the business understand just how granular definitions of personal information have become.

As online tracking technologies are often designed to capture one or more main categories of personal information, it’s useful to understand how they’re defined in subsections of the CCPA:

  1. Unique identifiers (defined under CCPA § 1796.140(aj)) – personal information includes “Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers or similar technology, customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family”.
  2. Precise geolocation (defined under CCPA § 1798.140(w)) – information about a person’s location “derived from a device that is used or intended to be used to locate a consumer within a geographic area that is not equal to or less than the area of a circle with a radius of 1,850 feet”.
  3. Internet or other electronic network activity information (defined under CCPA § 1798.140(f)) – information about a person’s online activities, such as “browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement”.

Online Tracking Technologies That Can Collect Personal Information

Most people are well familiar with cookies, but as Ryan Ostendorf explains, it’s also important to understand how other kinds of online tracking technologies work:

“Mechanisms where users are identified on the web might be based on a cache object on the browser. Maybe not as a known person but identifying them in such a way that tracking and collection of personal data are possible using the underlying technologies on the website. First-party cookies are also becoming more common, especially from your ad tech vendors, so you need to know if they – or their underlying technologies – are used to collect personal information.”

How Common Online Tracking Technologies Work

  • Pixels – tiny, invisible images embedded in web pages or emails via HTML code; when they load, they collect information about visitors and track their activities.
  • Web beacons – images (GIFs) embedded in a web page (often by third parties) to track whether a user has accessed specific content and analyze how they navigate through content.
  • Software Development Kits – code integrated in mobile apps to connect them to third-party technologies and services, such as in-app ad displays and tools for analytics or re-engagement. SDKs are often used to track users via a device identifier, along with details such as whether they’re using Android or iOS. They can also be used to collect information such as geolocation or IP address.
  • Cookies – small data files stored in a user’s web browser that allow advertisers to track their behavior and personalize their online experience, such as displaying better-targeted ads and content optimized for their location, language, and device.
  • Third-party libraries – collections of data not owned or controlled by a business, bought from third parties to help analyse potential customer audiences. Businesses are moving away from their reliance on third-party data as privacy regulations restrict sale or sharing of personal information; and updates to web browsers and mobile devices bring stronger privacy protections.
  • Session replay technology – trackers added to a user’s browser to record how they navigate a website (mouse clicks and scrolling) and interact with content. Analyzing how users interact with navigation controls and content can reveal friction points which cause drop offs, and show which design elements or content types appeal most. Session replays are sometimes also used to profile users for marketing and sales purposes.

“We’ve seen a variety of litigation regarding the use of session replay technology, which tries to equate them to various wiretapping laws,” explains Taylor Brum. “A lot of times they’re used to see how users use your website. But it’s important to understand what you’re capturing and making sure you’re not using them on pages where sensitive data is being inputted.”

Market Forces Affecting Tracking Technology Practices

In our work, we’ve seen several major market forces impact privacy compliance programs. They’re mostly driven by changes to privacy regulations – and so far, the biggest impact is CCPA enforcement.

California’s Enforcement of Sale/Share

The California Attorney General’s enforcement action against Sephora delivered for many a new understanding of ‘sale’ when online tracking technologies are involved:

“…where the business discloses or makes available consumers’ personal information to third parties through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for monetary or other valuable consideration including personal information… analytics or free or discounted services.”

Recommended action: ensure your tracking technology vendors are compliant with this new understanding of ‘sale’. If an organization is engaging in sale/share, this triggers several different enforceable obligations.

How to assess your ad tech vendor:

  • Is your organization subject to CCPA?
  • Does your organization use online tracking technologies?
  • Is your organization disclosing or making available California consumers’ personal information to third parties?
  • If there are benefits exchanged with the third party, are they monetary (direct financial payment or other financial benefits) or non-monetary (analytics or free/discounted services)?
  • Are there any exceptions to the sale?
  • Is your vendor classified as a service provider or a third party? If it’s a third party, you must give consumers an opt-out.

Updates to State Privacy Regulations for Consumers’ Rights to Opt-out

Several states’ privacy regulations now deliver stronger rights for consumers to opt-out from some forms of tracking.

In California, the CCPA delivers the right to opt-out of sharing for cross-context behavioral advertising (effective January 1, 2023), while the following state regulations deliver the right to opt-out of processing for purposes of targeted advertising:

  • Virginia Consumer Data Protection Act – effective January 1, 2023
  • Colorado Privacy Act – effective July 1, 2023
  • Connecticut Data Protection Act – effective July 1, 2023
  • Utah Consumer Privacy Act – effective December 31, 2023

“It’s important to note while all five of these laws give consumers the right to exercise controls around targeted advertising, they do preserve the ability for businesses to engage in contextual advertising,” explains Taylor Blum. “For an ad to be contextual it needs to be relevant (in context) to the content of a website the user is viewing; for example, an ad for running shoes placed on a running forum.”

Health Privacy Under HIPAA

The FTC has been very active in expanding the definition of consumer data through its enforcement of the Health Insurance Portability and Accountability Act (HIPAA).

The updated definition of sensitive health data is no longer limited to personal health information under HIPAA, and now includes data that conveys information or enables inferences about a consumer’s health.

The FTC is taking a similar approach with tracking technologies used to collect or disclose sensitive personal information, which may be deemed an unauthorized disclosure under Health Breach Notification Law or breach the promises in a privacy policy if the consumer has not given consent for the collection/disclosure.

Recommended action: exercise extreme caution when using online tracking technologies and ensure you’re not creating inferences about a consumer’s health from any data collected.

Health Privacy Under Washington My Health My Data Act

Washington My Health My Data Act goes into effect on March 31, 2024, for large businesses and June 30, 2024, for small and medium businesses.

It covers any business that collects, uses, discloses, or sells health data of Washington consumers and provides a private right of action for consumers reporting breaches of privacy.

Consumer health data is very broadly defined under the Act and includes any data that could be used to reveal or infer a health condition or diagnosis.

Recommended action: analyze whether your business is processing health data of Washington consumers (under the very broad definition of ‘health data’); and if so, ensure compliance with data processing restrictions under the Act across your business and in contracts with third parties.

Litigation Trends Related to Online Tracking Technologies

We’re seeing increasing volumes of lawsuits focusing on notice, consent, and disclosure practices associated with online tracking technologies.

And some of these actions involve plaintiffs’ attorneys using non-traditional privacy laws to allege violations as these laws may make stronger remedies available, such as punitive, statutory, and treble damages.

Legal theories we’ve seen used to litigate against tracking technologies – and especially session replay technologies – include:

  • Wiretapping laws
  • Video Privacy Protection Act
  • California Invasion of Privacy Act
  • RICO Conspiracy
  • California Penal Code 631 and 632.

Recommended action: while some claims may be baseless, it’s important to understand the increasing risks of using online tracking technologies. You need to know what you’re using, how, and why (and whether it’s truly business critical). Legal counsel can help you review your use of online tracking technologies and assess the business risks of continuing or discontinuing their use.

Tracking Technologies Under Review for EU/UK GDPR Compliance

The EU GDPR and UK GDPR definitions of personal information do not specifically call out tracking technologies; however, their scope is broad enough to interpret trackers such as cookies as personal information.

On December 7, 2023, the European Data Protection Board (EDPB) published an urgent binding decision “imposing a ban on Meta Ireland for the processing of personal data for behavioural advertising purposes on the basis of contract and legitimate interest”.

The EDPB is also championing the European Commission’s ‘Cookie Pledge’, an initiative designed to help protect fundamental rights and freedoms of users in the EU by giving them ‘concrete’ information on how their data is processed and the consequences of accepting different types of cookies.

We expect more data protection authorities across Europe will join Belgium, France and Spain to issue cookie consent guidance documents.

The European Union’s data protection authorities are focusing on consent, cookie walls, and cookie banner compliance, and we anticipate enforcement will ramp up in 2024/25.

Recommended action: ensure compliance with EU data protection authorities’ rules around cookie banners and other tracking technologies, and prepare for the expanding scope of rules in 2024/25 regarding personal information and tracking technologies.

Best Practices and Legal Compliance Software for Managing Ad Tech/Tracker Risk

1. Understand how vendors’ technologies identify users

2. Know which third-party technologies are sitting on your website – and how trackers work on a consumer’s browser

3. Implement a Tag Management System (TMS) to control how third-party code is executed on your website, including enforcement of opt-in or opt-out: the TMS will allow blocking of cookies/trackers and other mechanisms of data collection when users have opted-out of ad tech and/or analytics and tracking

4. Use a Consent Management Provider (CMP) to give users a notice and choice mechanism, which in tandem with your TMS will automate how users’ choices are respected

5. Scan your website (discovery processes) to reveal categories of trackers (i.e., functional, analytics, performance, or ad tech)

6. Consult your Privacy Office / legal counsel to determine Tag Management System controls for tracker codes based on users’ consent choices in the CMP and their location (e.g., automatically opting-out users located in the EU)

7. Conduct scans of your website to validate compliance with all applicable privacy regulations:

  • Are trackers still dropping in GDPR regions before users opt in?
  • Are trackers dropping if users have opted out?
  • Are advertising trackers still dropping if users under CCPA have opted out of advertising?

8. Ensure your system is configured to prevent vendors’ trackers/ad tech from functioning and collecting personal information where users have opted out (or been automatically opted out based on location)

9. Keep your notices updated to reflect the latest technologies on your website – and users’ choices about those technologies – ensuring disclosures are accurate, transparent, and clear to consumers
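As an added illustration of steps 3 to 8 (example code, not TrustArc’s or any CMP vendor’s), the JavaScript below models the consent-gated tag policy a TMS enforces and the validation scan from step 7; the region codes, category names, consent object shape and the sample scan results are constructed assumptions.

```javascript
// Added example (not TrustArc's code): a consent-gated tag policy of the kind a
// TMS/CMP pairing enforces, plus the compliance check from step 7.
// Region codes, category names, the consent shape and the sample scan are constructed.

// Regions treated as opt-in (GDPR/UK GDPR): only functional tags run until the
// user has affirmatively consented. Constructed codes.
const OPT_IN_REGIONS = new Set(["EU", "UK"]);

// Tracker categories as revealed by a discovery scan (step 5).
const CATEGORIES = new Set(["functional", "analytics", "performance", "adtech"]);

// consent (constructed shape): { analytics?: bool, performance?: bool,
//   adtech?: bool, optOutSale?: bool }; an undefined key means "no choice recorded".
function tagAllowed(category, region, consent = {}) {
  if (!CATEGORIES.has(category)) {
    throw new Error(`unknown tracker category: ${category}`);
  }
  // Functional (strictly necessary) tags need no consent; an assumption of this example.
  if (category === "functional") return true;

  if (OPT_IN_REGIONS.has(region)) {
    // Opt-in regime: only an explicit "true" unlocks the category.
    return consent[category] === true;
  }

  // Opt-out regime (US state laws): allowed unless the user opted out.
  // The CCPA sale/share opt-out must switch off advertising trackers.
  if (category === "adtech" && consent.optOutSale === true) return false;
  return consent[category] !== false;
}

// Decide which tags the TMS may execute for this user.
function gateTags(tags, region, consent) {
  return tags.filter((t) => tagAllowed(t.category, region, consent));
}

// Validation scan (step 7): compare what actually fired against the policy.
// Each observed request: { vendor, category, url }, as a scanner would report it.
function auditScan(observed, region, consent = {}) {
  const findings = [];
  for (const req of observed) {
    if (tagAllowed(req.category, region, consent)) continue;
    const explicitRefusal =
      consent[req.category] === false ||
      (req.category === "adtech" && consent.optOutSale === true);
    findings.push({
      vendor: req.vendor,
      category: req.category,
      region,
      issue: explicitRefusal ? "fired after opt-out" : "fired before opt-in",
    });
  }
  return findings;
}

// Browser side: inject only the gated tags. Guarded so the file also runs under node.
function injectTags(tags, region, consent, doc = globalThis.document) {
  const allowed = gateTags(tags, region, consent);
  if (!doc) return allowed; // no DOM available; just report the decision
  for (const t of allowed) {
    const s = doc.createElement("script");
    s.src = t.url;
    s.async = true;
    doc.head.appendChild(s);
  }
  return allowed;
}

// Constructed sample scan: three requests observed on one page load.
const SAMPLE_SCAN = [
  { vendor: "site-core", category: "functional", url: "https://www.example.com/app.js" },
  { vendor: "analytics-vendor", category: "analytics", url: "https://analytics.example/collect" },
  { vendor: "ad-vendor", category: "adtech", url: "https://ads.example/pixel.gif" },
];

// EU visitor with no consent recorded: analytics and adtech must not have fired.
console.log(auditScan(SAMPLE_SCAN, "EU", {}));
// California visitor who opted out of sale/share: only the adtech request is a finding.
console.log(auditScan(SAMPLE_SCAN, "US-CA", { optOutSale: true }));
```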

Alternatives to Tag Management:

  • Use a tag-blocking solution in a CMP, which will attempt to auto-block requests to third-party code
  • Use an API in a CMP to block your own code and only allow it to be executed if users opt-in via the CMP’s notice and consent choices

Checklist for Onboarding an Ad Tech Vendor

flow chart for onboarding an ad tech vendor

2024 Privacy Trends

  • After several delays, Google may deprecate third-party cookies in Chrome and move towards a ‘privacy sandbox’ – when this happens, Consent Management Platforms will need new solutions
  • European Data Protection Board (EDPB) will likely expand the scope of personal information and tracking technologies
  • More Data Protection Authorities in the EU will harmonize cookie enforcement
  • U.S. Federal Trade Commission (FTC) will continue enforcement against businesses for violations involving tracking technologies
  • California Privacy Protection Agency (CPPA) will focus more on what’s going on ‘behind the scenes’ – CPPA is hiring technologists to develop solutions for scanning and defining session debt, tracking, mobile apps and SDK opt-outs, ensuring they function and that data flows are shut off
  • Washington My Health My Data Act goes into effect – March 31, 2024, for large businesses and June 30, 2024, for small and medium businesses – providing private right of action for violations
  • Litigation will continue to focus on Meta pixel use, session replay technologies and activities triggering UCL (unfair competition law) claims.

Recommended action: Understand how your online tracking vendors’ technologies are working on your website; review contracts for compliance; understand the litigation risks and ensure due diligence to manage risks.

TrustArc Solutions For Tracking Technologies and Cookies

TrustArc helps businesses address global consent requirements for compliance with regulations on cookies, web tracking technologies, and ad tech.

Identify and monitor cookies, trackers, and website behavior to deliver a secure digital user experience.

]]>
How to Mitigate Third-Party Vendor Risk for Your Privacy Program https://trustarc.com/resource/vendor-risk-management-guide/ Mon, 15 Jan 2024 19:21:00 +0000 https://trustarc.com/?post_type=resource&p=3362
eBooks

How to Mitigate Third-Party Vendor Risk for Your Privacy Program

Managing third-party vendors to ensure compliance with regulatory requirements can seem frustrating and unmanageable. With the varying laws across the world (CCPA, GDPR, and PIPL to name a few) cracking down on how data is managed between organizations and third-party vendors, having a vendor privacy program is essential. To avoid non-compliance and punitive measures, it is important to properly track and monitor the flow of data.

Key takeaways include:

  • The risks third-party vendors pose for your organization under the different global regulations
  • What elements a vendor risk program should have to efficiently help mitigate unnecessary risk
  • Tips and best practices to implement within your privacy program for best results
]]>
Privacy in Healthcare: Ensuring Data Security https://trustarc.com/resource/webinar-privacy-in-healthcare-ensuring-data-security/ Sun, 15 Oct 2023 15:51:00 +0000 https://trustarc.com/?post_type=resource&p=3815
Webinar

Privacy in Healthcare: Ensuring Data Security

  • On Demand

In a healthcare landscape where data flows are constant, and patient trust is paramount, it’s critical to understand and implement adequate data security and privacy practices. Start navigating the importance of privacy in healthcare for 2023 and beyond. Remembering that privacy is more than just checking a box is essential.

To better understand how to measure privacy in a healthcare setting correctly, healthcare leaders must understand how to grow and maintain privacy programs effectively and have insights into their privacy methods.

Whether you are wondering what data privacy is or already know, this webinar will help you better understand the importance of privacy in protecting you and your clients.

This webinar will review:

  • Healthcare Data Security Overview
  • Navigating Regulatory Waters: Washington’s My Health My Data Act and More
  • Technology Innovations such as Artificial Intelligence
  • Best practices for future-proofing privacy for healthcare

Webinar Speakers

Janalynn Schreiber Senior Privacy Consultant, TrustArc
Dr. K Royal Global Chief Privacy Officer, Crawford & Company
]]>
Vendor Management – it’s a real thing https://trustarc.com/resource/spp-s4-ep20/ Wed, 07 Jun 2023 21:09:00 +0000 https://trustarc.com/?post_type=resource&p=3243
Privacy Technology Brief: Managing Third-Party Vendor Risk with TrustArc https://trustarc.com/resource/privacy-tech-brief-managing-third-party-vendor-risk/ Wed, 31 May 2023 17:25:00 +0000 https://trustarc.com/?post_type=resource&p=2285
Articles

Privacy Technology Brief: Managing Third-Party Vendor Risk with TrustArc

All businesses must adopt an always-on approach to managing privacy risk because regulators won’t accept ‘one-and-done’ audits of an organization’s privacy program.

Now they expect to see up-to-date records of how privacy risk is managed day-to-day across the organization, as well as reports on third-party privacy risks.

This shift in expectations began when the EU General Data Protection Regulation (GDPR) became enforceable in May 2018, followed in the US by the introduction of the California Consumer Privacy Act (CCPA) in September 2018, which became effective on January 1, 2020.

Since then, as more privacy laws are introduced and enforced in the United States, most US businesses have had to scramble to keep their data protection policies and processes up to date.

Data protection is now as much about privacy as cybersecurity. This shift means:

  • Senior leaders will need to ensure privacy and security are equally prioritized across the organization – a change in business culture is a must.
  • Leaders need to model and invest in privacy best practices.
  • Organizations need well-resourced privacy programs – given most businesses can’t afford to do it all in-house, they can significantly improve their privacy programs by investing in privacy software and services.

Third-Party Risk Assessment Processes Must Prioritize Privacy

This change in emphasis – elevating privacy as a key concern – means vendor risk assessments must change too.

I explained why this change must happen in a recent EM360 podcast titled “Effectively Managing Third-Party Risk”: no matter what industry you are in, the size of your organization, or the maturity of your privacy program, conducting routine vendor risk assessments is a recognized best practice in data privacy management.

Some organizations choose to run their privacy programs lean. To save some upfront costs, they rely on traditional Q&A or checkbox spreadsheets when conducting privacy risk assessments of third-party vendors. But there are better approaches that are more efficient, accurate, and effective.

I’ve outlined the pros and cons of managing third-party risk assessments using spreadsheets versus specialized software in another article: How Well Does Your Company Manage Third-Party Vendor Privacy Risk?

The short answer is that vendor management solutions (VMS) can help your organization capture, analyze and report better data about third parties, from due diligence to risk assessment processes and contract reviews. Some VMSes offer automated reporting to help you update contract requirements over time, including flagging privacy risks.

As there are so many VMS options available, I recommend creating a checklist of your organization’s requirements, including features that will help you assess vendor privacy and cybersecurity risks.

Vendor Management Solutions (VMS) Checklist

I recommend your organization reviews at least 4-5 providers of software and solutions in vendor management and privacy/security. Below are some important questions for your team:

Have you agreed on risk posture and vendor KPIs?

Before you review any vendors, make sure your procurement, cybersecurity, and privacy teams agree on your organization’s risk posture and set security and privacy KPIs for the solutions you’ll consider.

Next, consider the user experience:

Is the VMS intuitive?

The interface and toolsets must be user-friendly; otherwise you risk not capturing key data during assessments at the front end, or useful insights for managing contracts down the track. I recommend ensuring it supports secure direct access by relevant employees.

Is it easy to administrate?

Decide if you need a VMS that supports cross-functional approvals and consider other features that improve efficient administration. For example, can it publish a single assessment that covers both cybersecurity and privacy?

Also, consider whether the VMS needs to integrate with other solutions, such as contract life-cycle management tools.

Does it streamline reporting?

Look for features that support your ongoing reporting needs, from the upfront assessment of vendor risk to contract reviews.

For example, some VMSes automate workflow and scoring to improve decision-making at every stage. Look for features that improve insights: does it automatically generate insight reports? Will it alert you to gaps in compliance or attestations?

And finally: when issues are identified, will it provide you specific guidance on what is necessary to achieve compliance?

What support is available?

Review the level of software support offered end-to-end. Start with questions about the onboarding and implementation process. And are there extra costs for each user?

Then ask about the level of ongoing support: some VMS providers include support in the purchase price, others make it free (generally with self-service support tools), while some charge an annual support subscription. Moreover, make sure you understand the duration of such support. Is it for the duration of the license agreement or good for only the first 90 days?

Finally, ask about the frequency of software updates and how they’re managed, including shared technology roadmaps.

What is the total cost of ownership?

Further to my points above, too often I hear of businesses not knowing the variety or scale of potential ongoing fees when choosing software. Extra fees for software support or adding users can add up quickly. And don’t be mesmerized by ‘shiny’ things your organization doesn’t really need.

Many supposed enhancements in vendor management solutions aren’t needed for assessing privacy and security compliance.

How qualified is the VMS provider?

Bear in mind the lowest-priced VMS might not be the best deal. The real value of a vendor management solution is built on the experience and expertise of the provider. Therefore, it’s worth considering:

  • Is the VMS provider a pioneer in privacy or recent to the industry?
  • Does the provider have privacy and/or security experts on staff?

TrustArc’s Assessment Manager Is Powered by Our Privacy Expertise

TrustArc is a pioneer in privacy: we’ve been solving privacy and data governance challenges for our clients since 1997, when we were known as TRUSTe.

We changed the company name to TrustArc in 2015 to reflect our expanded offerings, including unmatched privacy expertise, technology, and certifications – and we remain the only provider to offer all three.

Alongside our high-quality certification and assurance services, we have earned a strong reputation for the deep expertise of our team. Many of our consultants have served as privacy or data security leads with Fortune 500 companies, and we strengthened our privacy thought leadership in 2019 when we acquired Nymity, as well as the pioneer that developed Nymity’s Privacy Management Activities Framework.

TrustArc’s Assessment Manager is our core solution for vendor management, offering:

  • Powerful technology to ensure vendors that may process personal information on behalf of your organization are accurately assessed against your privacy and security expectations.
  • Intuitive templates (custom or out-of-the-box) to capture vendor responses and support efficient review by anyone in your organization.
  • Conditional answer-based logic built-in, so vendors only need to complete relevant questions.
  • Automated approval workflows and notifications – if a specific answer needs a specific action, such as prior approval, Assessment Manager will create a specific action and flag it. For example, an assessment question about privacy will be emailed to a privacy lead.
  • Automated identification of gaps – if a vendor hasn’t (or can’t) address any organizational expectation during the assessment, it automatically flags the gaps and generates an action item, with specific guidance for even the most novice people working in the privacy or security office.

]]>
How Well Does Your Company Manage Third-Party Vendor Privacy Risk? https://trustarc.com/resource/does-your-company-manage-third-party-vendor-privacy-risk/ Wed, 24 May 2023 17:48:00 +0000 https://trustarc.com/?post_type=resource&p=2288
Articles

How Well Does Your Company Manage Third-Party Vendor Privacy Risk?

Third-party information security risk is a massive concern for companies of all sizes. And it’s not just because they’re facing greater regulatory compliance demands.

Failing to comply with data protection and privacy regulations can mean severe legal and financial penalties in the short term. But failing to protect customers’ privacy rights can trigger even bigger financial issues in the long term when customer trust and loyalty are lost.

So your organization needs to be hyper-vigilant about ensuring third-party vendors protect the privacy of your customers’ personal information – as if those customers were their own. Because if you lose customers, so do they.

Privacy is one of the biggest factors in third-party vendor risk

In a recent episode of the EM360 podcast titled “Effectively Managing Third-Party Risk”, I was asked if privacy is one of the biggest challenges companies face in the third-party risk landscape. The answer is yes, of course.

But it’s not a simple answer, because there is a lot of confusion about the current state of privacy and a lot of uncertainty about the future state of privacy – all of which has great implications for effectively managing third-party risk.

Many companies tend to be reactionary to risk. So this can mean there isn’t a consistent approach to managing third-party vendor risk: some are more cybersecurity focused, and others are more privacy focused.

Previously, information security teams typically took the lead in assessment and management of vendor risks related to data protection, but now the explosion of the Internet of Things makes data privacy equally important, and privacy teams need to have a seat at the table.

Procurement teams will need to reach agreements with cybersecurity and privacy teams on their desired outcomes when selecting and managing vendors. It might not be easy, but it will be even more challenging if clear risk principles and guidelines aren’t established internally first.

I believe the assessment and management of third-party risk should be a shared approach between the privacy office and cybersecurity.

Given the prevalence of data sharing across any organization, this approach will help ensure you have company-wide clarity on both data privacy and cybersecurity risks. And then you can set expectations and standards for any third parties who may collect or have access to your customers’ personal data.

Which approach do you use to identify and assess third-party risks?

We see various ways privacy and security risk assessments of third-party vendors are administered among the organizations TrustArc meets, though they usually fit into one of the following approaches:

  1. Low-tech assessment – administered using spreadsheets.
  2. High-tech assessment – administered within a software platform.

We used to encounter some organizations with no approach to assessing third-party risks because they didn’t know how or where to begin – or they didn’t see the need – but these cases are now rare thanks to recent enforcements of privacy regulations, particularly from California.

Pros and cons of low-tech third-party risk assessments using spreadsheets

Pros:

  • Spreadsheets are readily available in business software packages.
  • Most employees know how to work with spreadsheets: they’re easy to use and easy to start.
  • They offer a low barrier to entry for recording third-party risk assessments.

Cons:

  • Spreadsheets are very labor-intensive to maintain and become increasingly cumbersome to work in, year on year.
  • It is difficult to identify gaps or risks recorded in a spreadsheet-based assessment due to its basic (and often rigid) structure.
  • One size fits all: vendors can only respond to the questions they’re asked, and there is no conditional logic that opens up additional questions based on the relevancy of a vendor’s answers.
  • There is no automated reporting, making it difficult to track what has changed in third-party vendor risk over time.

Pros and cons of high-tech third-party risk assessments using specialized software

Pros:

  • Specialized risk assessment software allows for conditional or logic-based questions: for example, if X is selected show Y, which means vendors answer only relevant questions and companies gain better risk insights.
  • Risk assessment software includes automated workflows, which improve the quality of data on each risk assessment process, such as vendor collection, follow-ups, approvals, and revalidation efforts.
  • They give companies useful controls to flag and generate plans of action or lists of potential risks that need to be addressed.
  • Their automated reporting capabilities give companies useful insights for managing vendor contracts over time, including a risk summary that scores inherent and residual risks. Insights from automatic pivot tables, for example, prompt actions, such as alerting legal teams to add clauses into vendor contracts based on the results of a risk assessment.

Cons:

  • New software needs to be bought, which is an additional expense that needs to be added to a company’s risk management budget.
  • Employees need to be trained on using the software, and a user guide needs to be created and given to vendors so they can meet their third-party risk assessment obligations.
  • Like most software as a service (SaaS) solutions, risk assessment software depends on external support.
  • SaaS is managed off-premises, meaning a third party is involved, and thus normal security concerns are triggered about data and systems managed externally.

TrustArc’s recommendation: adopt risk assessment software

Your company is likely already working with multiple vendors with access to some of your customers’ personal data, all of whom need to be regularly assessed to ensure they meet security and privacy compliance.

Just as your company must keep up to date and be compliant with new privacy and data protection regulations, you are also responsible for auditing third-party compliance.

This means you can no longer rely on occasional audits. Third-party privacy risk assessments must be part of your ongoing privacy risk management program.

How TrustArc helps companies manage ongoing third-party vendor risk

Managing third-party risk can seem complicated, though it doesn’t have to be. As the leader in privacy management software, TrustArc offers outstanding expertise, experience, and intuitive solutions to help your company quickly adopt smart and effective vendor risk assessment processes.

]]>
Why Do You Need a Vendor Risk Management Program? https://trustarc.com/resource/vendor-risk-management-program/ Thu, 07 Jul 2022 20:26:00 +0000 https://trustarc.com/?post_type=resource&p=2645
Articles

Why Do You Need a Vendor Risk Management Program?

Chris Griggs

Don’t Gamble with Vendor Risk Management

Picture this: You caught wind that the Marketing Department just onboarded a third-party application that shares sensitive organizational data without including your privacy team in the validation process.

Data shared includes employee contact information, customer data, and financial information. Your organization signed with an external vendor without due diligence of privacy risks.

Vendor Risk Management can feel uncomfortable for an organization. It’s certainly easier to assume that this vendor has done its due diligence, and I do not have to worry about it.

This can bite you, as it has for many other organizations.

And governments are cracking down on these partnerships, demanding that the sharing of their citizens’ data be protected and used according to their respective laws and regulations (GDPR, CCPA, PIPL, etc.).

Security breaches are all too common in the headlines today, and it seems to be a matter of when it will occur rather than if. After all, 25% of all global security breaches resulted from “third-party attacks or incidents.”

The resulting average international cost per data breach has reached $4.24M – which isn’t pocket change.

Overall, breaches can result in high financial penalties, a loss in company brand perception, a loss of trust, and potential lawsuits.

So, to sum up, crossing your fingers and hoping your third-party vendors have put controls in place to mitigate privacy risk is a gamble that could result in disastrous consequences.

Your organization needs a solid framework to build a foundational vendor risk management program.

Where is the best place to start?

Deciding what roles to outsource, of course!

That’s right, it all begins with understanding which business activities are best handled by third-party vendors. When writing up requests for proposal (RFPs) for prospective vendors, a section should be dedicated entirely to privacy.

Construct this section to make it easy for direct comparison with other vendors.

Lastly, it should cover the following topics:

Defining the Vendor Risk Landscape

Each country and jurisdiction uses its own laws and regulations regarding data privacy. It’s the role of your vendor risk management program to decide how much risk your organization is willing to take.

Once outlined, determine the minimum standards your organization needs to meet.

Risk is a part of doing business, so you need to establish guidelines on where your limit lies. Use these to facilitate discussions with potential vendors and see whether their risk appetite matches yours.

Creating a Data Flow Inventory Map Across All of Your Vendors

No organization is an island; every organization operates with multiple external vendors.

Mapping out exactly where all the data flows across your entire vendor network will identify possible overlaps and show opportunities for streamlining and reducing costs.

Merging duplicated data flows and deleting unnecessary ones ensures that your organization reduces its exposure to third-party risk.

Data Transfer Risk Assessment

In addition to determining how data flows for all of your vendors within your organization, assess any data transfer risk based on where your vendors’ systems are hosted and the location of individuals whose data is being processed to ensure appropriate safeguards for international data transfers.

Ongoing Monitoring of Vendors

As always, nothing stays static for very long, and your organization may need to actively monitor vendor partners for any changes in data risk to the company. Some vendors may even need in-person reviews annually.

Leverage and include departments from across the organization to assess all aspects of data risk.

Policies and Procedures

To ensure that your company has oversight, be prepared to share your data policies and procedures with your third-party vendors as they pertain both to your customers and to the vendors themselves.

Develop straightforward policies, controls that meet them, and your own set of implementation strategies.

Vendor Contracts

Work with your leaders, procurement, and legal teams to ensure that your contract management system tracks what you need to know from a privacy perspective.

Free vendors, or inexpensive ones, generally don’t hit thresholds for procurement or legal review – make sure this is controlled!

Termination of Vendor Relationship

Lastly, all good things must come to an end. Put processes in place that cover both natural terminations and terminations for cause.

Your business must be prepared to end the relationship if the vendor is non-compliant with data protection and where the risk is high.

So there you have it.

Following these 7 steps will give you stable foundations on which to build your vendor management program and help you avoid non-compliance fines.

Of course, there is much more involved when it comes to vendor risk management.

]]>