Beyond the Law: Why Organizations need to be Conscientious about Privacy Compliance

Your online visitors today are more aware and pay more attention to the use of their data on the web, so addressing privacy concerns in an open and honest way establishes much needed trust within the visitor experience and brand identity. It doesn't hurt to be ahead of the curve, especially in inherently sensitive areas like financial services, insurance and healthcare, as it only takes one seemingly minor public misstep to tarnish a sterling reputation that required years to establish. 
Here in the US, companies can be thankful they are not saddled with frustrating and hard to navigate cookie and data collection regulations at the national level like our friends in the EU and UK. Although at least in the case of the latter group, when presented with something deserving of ridicule, they are happy to oblige.  
But just because the full force of law is not compelling you to care about visitor preference around the collection and use of their data (well, except for states going ahead and enacting their own laws… you do know you have to show exactly how you treat Do Not Track settings for California visitors… right?) that doesn't mean you can completely ignore the issue. 
A company’s first stop in establishing trust with their visitors is their privacy policy – every company has one, usually buried in a link in the footer, describing what data is collected and how it is used, ideally in simple and general terms. But few companies have a way for users to adjust their own preferences and the ones that do typically rely on third party systems that can be opaque at best, if not downright confusing. In the worst cases, this can involve just a link to the opt-out page of every vendor you’ve ever used. Talk about making the problem worse, this can freak out a visitor when confronted with how many vendors are collecting and reselling their data, maybe enough to seek out a browser plugin that would block everything. 
The point of giving customers transparency and control is to ensure they are comfortable enough to stay opted-in to the important and vetted analysis and testing programs, not to drive them away completely. The old chestnut "if you want happy customers, then unless you are running a haunted house around Halloween, don't completely freak them out when they walk in the door of your business" is covered on the first day of Marketing 101.
The “No More Jim” Policy
The crux of the issue is that marketing tag vendors require reams of visitor data to deliver on the promises of their service, but they do not typically have direct access to it. As shared interests tend to create strange bedfellows, tag vendors end up partnering with other service providers to flesh out their data pool -  data providers who then subsequently partner with their own set of providers, and so on. This results in a single tag deployment quickly turning into a proliferation of calls to external parties, most of which have no direct business relationship with you. It's kind of like inviting your close friend, Jim, to have dinner with your family, only to have him show up with his cousins, his cousin’s old college friends, and his cousin’s old college friend’s drinking buddies. How soon after they raid the liquor cabinet does your wife kick out everyone and institute a new "no more Jim" policy? My wife would figure out a way to politely slam the door before they made it across the front lawn.
This is nothing new of course, the Wall Street Journal documented this proliferation of 4th and 5th party tracking scripts and brought it to the mainstream way back in 2010, but likely owing to the complexity of the issue and focus on compliance with other existing laws, many companies have only given it a passing thought since then. 
"just like this, but with more javascript and less college-age hijinx"
Oh and as an added bonus, you may have vetted the performance and infrastructure of a vendor you are doing business with, but these piggybacking tags are doing no favors to your page performance. To stretch the previous metaphor a bit, after you've kicked everyone out of your house and they've piled back into the VW Bug they arrived in, how fast do you think that thing will be moving out of the neighborhood?
So what to do? There are a few options for staying ahead of the chaos:
Option 1: Centralized Tag Control
A TMS (ideally coupled with a solid data layer) allows you to specify exactly what tags will appear on your site, and under what conditions. Most if not all TMS systems allow you to conditionalize deployment based on an opt-out cookie, providing for a roll-your-own solution of sorts. This solution does require a significant uptick in maintenance and complexity, however, as you are telling each tag, "Check if the customer has opted out… No? Ok deploy the tag!" A very real benefit of a TMS and data layer combo is control, not only of the tags deployed but what data they are able to receive. 
That said, even with a great TMS implementation, actions can still be deployed outside of the TMS. And it doesn't quite address the issue of piggybacking 4th and 5th party tags; dropping the old metaphor entirely and spinning up a new one, that cool new retargeting vendor deployed through your TMS is still going to sneak all of their friends into your pool as soon as you open the gate.
Option 2: Ad-hoc scanning 
“An example of the incredibly useful ObservePoint reports”
Using any number of tools like ObservePoint, Ghostery, or even can help you quickly assess which tags are on which pages. ObservePoint and Ghostery of course have the advantage of a deeper scan ability and better visualizations and reporting, with very useful tools for analytics auditing and data quality validation in ObservePoint’s case. And I dare you to not have fun playing with Ghostery’s demo Trackermap
These tools quickly give you a list of "surprises" to investigate, which you can use to either have some hard conversations with a few vendors, or in some cases where they perform poorly or inconsistently, just eliminate them through IT or your TMS. But the protection ends after that scan and evaluate effort; if a "simple" conversion tag sneaks onto a new landing page right after your last scan, it may be days or weeks before you catch it. 
Option 3: BOLOOO! Big ‘Ol List Of Opt-Outs
As more of a proactive approach, I described adding links to opt-out directly with the vendors you use above, an approach with quite a few practical downsides. If you’ve ever clicked on the seemingly ubiquitous AdChoice triangle in display ads (head here to check out what trackers are currently on your browser) you know what this can look like. You are showing how the sausage is made and visitors may not be impressed by your comprehensive list of every marketing technology on earth. The fact that these partner technologies may well be 4th/5th party scripts that you aren't even deploying will not prove well when establishing trust from your visitors. So an ‘A’ for compliance with future legislation, but a solid ‘D’ for visitor experience. And yes, I just made up 'BOLOOO'. All that said, Ghostery/Evidon do have a way to implement a clean, albeit an externally hosted, opt-out experience on your site, so using this could be a valid approach for addressing visitor choice and control. 
Option 4: Gateway based control
This scenario uses a tagging gateway implemented across all pages, with a specific "white list" of approved vendors you control centrally. The gateway is also optionally tied to a clean, branded opt-out preferences so visitors can control what is collected, allowing you to control the experience and make a strong case for them to stay opted into the things you really care about. The benefit of this approach is universal coverage and protection from piggybacking tags; if a vendor is not on the whitelist, their tag never makes a call from the page. The first three approaches above all require differing levels of vigilance and maintenance, as does a gateway, but a gateway has the huge advantage of continual and automatic protection. It should be noted that due to the way browsers behave with scripts and iframes, a gateway does need visibility into a container to be effective. It can block a rogue floodlight tag someone deployed outside of the TMS, but you shouldn’t be using a floodlight tag deployed through your TMS if you want 100% protection from 4th and 5th party tag proliferation. Luckily use of a TMS makes those tag deployments easier and safer than any container tag,
Ensighten is currently the only vendor that offers this level of technology with their Ensighten Privacy solution. It’s primarily in use by multi-national customers for obvious reasons, but seeing wider use in US companies getting ahead of the curve on proactively controlling data collection. It’s also available standalone, no need to be an Ensighten Manage customer to use it.
Regardless of the approach chosen, taking control of the technologies that are on your site to collect data from your visitors is imperative. Scrutiny will only become tighter as the public continues to take notice that more and more vendors crowd your pages, looking to gather insights on their behavior. And ultimately, if compliance isn't forced by your visitor’s expectations, it may well be forced by legislation. 
To ensure you are regarded as a conscientious organization, dedicated to the privacy of your visitors, it’s a good idea to get ahead of the issue. Every company has different needs to consider and tradeoffs to weigh and Stratigent can help recommend and implement the right mix for you, but no company can ignore the issue forever.
If you'd like to learn more, email us at or leave a comment below!
By David 'DJ' Johnson
About the Author:

David 'DJ' Johnson is the Vice President, Account Development at Stratigent.

Contact Us Now