Episode 10: 6 Website Privacy Questions You Should be Asking

September 7, 2022

DataChat LIVE! Episode 10: 6 Website Privacy Questions You Should Be Asking

Cameron Cowan and Mike Fong from ObservePoint discuss how to solve some of the top issues around website data privacy.

They address:

  • The 6 most prominent website privacy questions you should be asking your team
  • How to answer each question and set up ongoing solutions to monitor them
  • Examples of brands doing it right or wrong and how they can improve

 

Cameron Cowan

Cameron Cowan is the Sr. Director of Product Strategy & Marketing at ObservePoint and a veteran of the marketing analytics, digital advertising, and enterprise software industries. He plays an active role in product management, technical marketing, and GTM execution. Prior to his time at Strala, Cameron spent 13 years working for Adobe (via the Omniture acquisition), and gained experience in account management, consulting, and technical sales before establishing himself as a leader in product management, technical marketing, and business strategy. His career has included living overseas on multiple occasions and collaborating with marketers and technologists on four continents.

 

Mike Fong

Mike Fong is the Senior Solutions Engineer at ObservePoint and assists in aligning the Product, Marketing, and Revenue teams on product strategy, value propositions, and promotion. Previously a Senior Consultant and Solutions Engineer on ObservePoint’s EMEA team in London, Mike has been integral in ensuring ObservePoint users are obtaining the highest quality of data from their marketing technologies. With over 10 years of experience in the analytics world, Mike is an expert when it comes to data analytics, SQL, problem solving, and spreading good vibes.



Cameron Cowan:

Welcome everybody again, if you've already been welcomed by Mike, to the next episode and installment of DataChat LIVE! Joining me, as always, is Mike, from the European side of our world. Mike, what's been going on over in London?

 

Mike Fong:

What's been going on over here? I guess we're in full flow. Just selling… What are you mouthing at me?

 

Cameron Cowan:

I'm just wondering what full flow means. What does full flow mean?

 

Mike Fong:

I don't know. Same old, same old really. Just keeping up to date with various data governance and privacy goings-on. There have been a few big events in the last month since we last spoke and actually, the way I keep up to date with these is one of the resources that I'd love to share with our audience today. You know it's definitely not secret information, but all these fines are actually public. We're here to share. This is a podcast, and we want to share information and keep our audience up to date on all the various resources that are available at our fingertips.

 

Cameron Cowan:

Nice. A big part of what we're going to talk about today is, in fact, the world of privacy, privacy regulation and some of the findings that have been hit by some big news out of the US that we want to talk about here in a little bit. But Mike, why don't I let you start. Let's start with sharing that list. As you said, most people are probably aware of this, but the GDPR enforcement has been going now for what, three years? Is that what we're at?

 

Mike Fong:

I think we're in four. 

 

Cameron Cowan:

Okay, jeez, I mean. So I remember it first rolled out, we're talking springtime in 2018. We're now in summer of 2022. So we're looking at in excess of four years. In those four years, what does enforcement look like? And are we talking about just a whole lot of minor fines, or just a very small number of really big ones? What does that look like from your side of the world?

 

Mike Fong:

Why don't you let me share my screen, and I will show you a great website that has all the answers that you could wish for. So this is a resource that is really useful for anyone that's kind of working in the privacy space and just wants to generally keep on top. This is enforcementtracker.com and it has essentially a list of all the GDPR enforcement actions and fines across the entire continent.

And it's a table. It's not that glorious; you can filter by country, date, size of fine. I find these statistics actually slightly more interesting. Just the cumulative totals. The cumulative total is now 1.6 billion euros. There are a few large, notable jumps here. These are those large fines for the tech giants that happened in the last year or two. I think that big one is an Amazon one. I think one is Amazon and the two of them is Google. Something along those lines, and you can see the second chart here. This is just the number of fines, so you can see they've kind of reached terminal velocity, maybe they're just at a constant speed. I'm thinking back to my physics lessons at school: constant speed, constant rate of fines.

 

Cameron Cowan:

So there's definitely been not only a significant total volume, but also I'm seeing just that uptick. There's a definite step change just a year or so ago. Am I reading that right?

 

Mike Fong:

That's right. Let me zoom in for your old eyes, Cameron. So it really was July last year, or just before, June last year, where it suddenly went boom! You know, six hundred, six hundred thousand, six hundred million, I should say, for I believe Amazon.

 

Cameron Cowan:

So when people are getting hit by these fines, obviously, there's a lot to GDPR's different ways in which violations can happen. As far as what you've been working on with the experts you interact with over there, what are some of the mistakes or missteps that you're seeing that could potentially leave people open to these types of fines and enforcement?

 

Mike Fong:

For me it's very easy to say the principles, and you know we'll go for principles first, and then actually, we'll talk through what each of those means. In reality you'll do it one by one. So the first principle is checking that GDPR even applies to you, right? For example, if you're a Swiss company and you're only dealing with Swiss customers, then actually Switzerland is not part of the EU. So technically, Switzerland isn't bound by the GDPR. Now, of course there are data adequacy agreements and there is simply, you know, everyone around you is bound by GDPR. So for ease and for convenience, you might join in just for standardization's sake. But that's the first step. Deciding which jurisdictions your customers belong to, what websites you have, and even that in itself is quite a large undertaking. If you imagine yourself as, say, a Unilever, or any other kind of large multi-brand multinational, you probably have to be on the IT team or a webmaster, or you have to be some kind of overlord to actually know all of your business units and all of the regional footsteps. So even that in itself is not an easy task.

After that, the next step then, of course, is to actually identify all of your web footprint, and I don't mean we have a UK page, we have a Germany page, and then we have an America page. It literally means we have five thousand web pages on this content management system. We've got another four hundred web pages on our legacy content management system. We've got all these platforms around the world. Again, no easy task. There's often a situation where many of our customers find out for the first time that they've got web pages that they own, but they didn't even know they owned. So a crawling technology is really useful just to get that huge inventory. Alternatively, talking to your web teams, if they've got a really good hold, a pretty excellent management of all their content management systems and assets, that can be a great start as well.

I'll say this is sort of the planning stage. After that you need to choose a consent management platform, implement it, and then, that's the first test. Do you have a consent management platform on 100% of your pages? That's a mistake we see frequently. I'm just going to stop sharing my screen here. That's a mistake we see frequently, and then once the consent management platform is actually implemented, it's also the fact that, maybe, it's not implemented correctly. It might be on every page, but does it actually block marketing tags? Have you decided that an analytics tag is required or not required in a given jurisdiction? Is all the technical wiring correct? Have you got your tags categorized correctly? Your tags and your cookies categorized correctly? And actually, I've got a before and after example to show you as well. I hope I'm not monopolizing the air time today.

 

Cameron Cowan:

Part of the reason why you are the star guest today, Mike, is because you know this stuff better than just about anybody, and being there in Europe, and all the different changes that are involved there. I think you guys are well in advance of what we're doing here in North America. We can definitely dive into some of that. But I want to see some of your examples.

 

Mike Fong:

Cool. So here's a before and after, right? So this is the ObservePoint platform. This is a public-facing website that we scanned on July the fourteenth, and if I scroll down we can see that they've got OneTrust on 100/100 of the pages scanned. Excellent. They've got Google Tag Manager, and then they've got nothing else. So they've actually got a really clean, excellent implementation. Now, a lot of people would think job done, high five, right? Let's get some beers. Well, fast forward to August the fourteenth and notice this report loaded again and, lo and behold, we've got a Google Ads Marketing and a Google Video Heartbeat. So even just in the space of a month, on just 100 pages, randomly scanned, we have marketing popping up out of nowhere. And remember, this is a cookies-not-accepted scan. So this means that this organization has probably unknowingly broken GDPR.

So this is one thing I found a couple of weeks ago, and I really wanted to show that over time content management, MarTech tagging, it just degrades. Things go bad over time. I'm sure anyone who's worked in the tech space for a while will realize that.

 

Cameron Cowan:

Yeah, that's a lot of physics, entropy, things just fall apart.

 

Mike Fong:

I call it the law of human nature. Things fall apart.

 

Cameron Cowan:

It's interesting that you bring up OneTrust as the consent management platform, because if anybody's doing this right, it should be them. I've actually spent a while looking at their website, and how they've actually done a pretty good job of implementing their own technology, and just being sure they're buttoned up. It actually led me to put together a list of what are the things that people need to be making sure of, not just "is your consent management platform working, is it there or not, is it working or not," but almost a maturity curve as far as, if I'm in North America and, you did some great research on this, where I think it was 25% or less of North American brands have a consent management banner today, and it was a little bit higher in Europe but still a little bit lower than we would expect. So what happens if I'm not even to that point yet? One of the things that I want to share out is that list. I want to walk the audience through this real quick checklist. It is what I think is the 6 things that you should be looking at, from the most basic to the most advanced.

Using Zoom's sharing ability, I should be able to open this. Give me a second to pull this up. Mike, while I'm doing that, I know that you've had some other examples that you've looked at over the years. Is it just about opt-in vs opt-out, or are there other states people should be looking at? How do you think people should be looking at the way they're checking these types of things?

 

Mike Fong:

Sure, yeah. So let me share my screen again. So here is a different account. A very similar example. I've actually circled the issue here, just for the audience to bring their eyes to. And again, we're not picking on OneTrust. In fact, OneTrust is an excellent technology. The implementation mistakes that we're highlighting today are not at all anything negative towards OneTrust. It definitely is the way the technology has been set up, how it's been implemented. Remember, this is still a very new space in technology, in marketing implementations, or you might not call them marketing implementations anymore. You might call them privacy technology implementations. But either way these are brand new, so it's four years old, still kind of new, especially in the US. But what we're seeing here is another example where an organization did not do that first step that I suggested, which was that you need to know what all your websites, what all your web pages are, so that you can run a complete implementation of your chosen CMP.

And there are others. There's TrustArc. There's our friends over at Didomi. There are probably, I would say, four or five large CMP providers. OneTrust is one of the large players.

But you're right. It's not just a state of OneTrust helping customers opt in or opt out. And in my previous example it's not just a situation where, if you have advertising when you're opted out, then it's against GDPR. There are also all the permutations. If your website wishes to offer customers the choice where you can opt in, opt out, marketing only, analytics only, marketing and analytics, but not personalization.

All of these permutations are going to interact with each other in hard to predict ways. And that's why regression testing on a regular basis through all of those different permutations in an automated way is definitely something that you need, or that we recommend customers invest in.

So this screenshot here, not only do we have the issue that some pages don't actually have the consent management platform. It's also the issue that some pages have marketing tags even when, again, cookies are all denied. Now it's no coincidence that 11 pages don't have the CMP and, you know, fewer than eleven pages have marketing tags, so the pages with marketing tags are a subset of the eleven pages that do not have the CMP running. I've seen this so many times, and it just keeps happening over and over again. And that's why we keep bleating about it, to be honest.

 

Cameron Cowan:

That is true. I think I'm able to share now on Zoom, so I'll go ahead and share out those six points I was talking about, and one of them is exactly what you just prescribed there. But I want to take you a further step back and talk about simply, is your privacy policy set? Whether you're required to have a consent management platform or not, making sure that privacy policy is there, and on every page, is important.

 

Mike Fong:

I'm just, sorry. I'm just going to interrupt you there. We do have a question in the chat. The question comes from KG. So hi, KG. Thank you for joining, and his or her question is, does this platform support that recommended regression testing, or is it used after regression testing is done elsewhere and just validates?

 

Mike Fong:

So I think the answer, if I'm understanding the question correctly, KG, you're asking whether we can do testing before you publish to live or after you publish to live? And the answer is both. We help many of our customers check their live websites in order to ensure what it's like. What is there now, right? What is their current obligation? What is the current exposure? We can help customers do that very quickly. We call that a discovery audit.

And then, once you've discovered, you know, all your what's and all, we also help you actually go and prevent this by working in your staging environments or your dev or QA tag management containers. We really help you find those issues so that your team can go forward and solve those in a proactive way rather than reacting.

 

Cameron Cowan:

The last thing you want to do is not check it, push something live, and there's something broken and you don't find out for hours or days or weeks later. So yeah, I absolutely agree. You should be checking beforehand as long as you go. I mean, in fact, to that point, what I want to do real quickly here is not only share with you these questions, but run through exactly what you just talked about, Mike, and that's a discovery audit. Now we found a lot of really bad sites that are doing this very poorly. Whether it's missing the do not sell link or compliance with the California law, whether it's problems with the CMP. As you mentioned, failure to comply with GDPR. Lots of problems pop up. Now, I figured if anybody's doing this well, it's our friends over at OneTrust. They have their own consent management platform that they deploy, and they are the leader in the privacy and data privacy space.

So what I wanted to do is jump over to their website. I can see, yes indeed, there at the bottom, there is a consent banner and I can even jump into specific things, or I can actually get more prescriptive and tell it exactly what categories I am and am not okay with. I can also scroll to the bottom of the page and see down here that they do have a do not sell link, so there's the California law compliance, and a privacy notice and a cookie notice. And what we want to understand is, are they checking all the boxes? Like I said, if anybody's doing this right, it's going to be OneTrust. And so what we did is exactly that. This is a live website. It is publicly available information, and we said, just go scan 1000 pages. And the reason we did 1000 pages is they were doing so well on the top two, three, four hundred pages that we couldn't find any problems at all. You really have to dig into their site just to find anything wrong.

 

Mike Fong:

You have a vendetta against them?

 

Cameron Cowan:

It tells you just how well they're doing this. I don't think I've ever gone to a website anywhere where I can't crawl deep enough and find some problem. So this is more for illustrative purposes more than anything else. We actually love the folks over at OneTrust. A lot of our customers are OneTrust customers. So a lot of the validation that's happening on the ObservePoint platform is for the consent management platform. 

But the first step, as I was mentioning earlier, let's just jump back to that list for reference, is that privacy policy link there, and is the do not share link there? Now we can do a spot check, and I can see, yes, indeed, on the home page those were there. Is it on every page? You might need it on every page. So what I did is I ran just a high-level discovery audit. 1000 pages crawled on the OneTrust public website, and if I jump over here into variable inventory, I've set up a quick look that says, look for those exact links, those exact threads that say is my privacy notice there, and is my do not sell my personal information there. If I click to privacy notice first, that's the question we were going to ask. So 935 of those pages have that on.

Unfortunately, there's a very small percentage, 62 of the 1000 pages, that don't, and I can actually dive in and see exactly all the pages on which that may be missing. So it's one of those things where gaps exist everywhere; it's probably either a new template being used or a campaign landing page. A lot of times as we roll out things that are not on our regular website we tend to overlook some of those just four elements or quarters. Things like that.

If I was working over at OneTrust, I'd say, okay, let me find these 62 pages, update them to the right template, and now I've got coverage on that privacy. Similarly, for do not sell, I want to make sure I'm in compliance with California law. I can see what, 923, the vast, vast majority of these all have that in place, but there are 74 URLs where either it's not there, we don't necessarily say they're broken, maybe they're using a different string or a different link that's going somewhere else. So I want to check these 74 to see, okay, why is it not detecting this specific string, do not sell my personal information? Is it missing? In which case I want to add it in. Is it not following a standard? So I could update it to make sure it matches the website.

Those two checks alone are critical for any company here in the United States at the very least. I know that just about every website in the world and every privacy jurisdiction requires a privacy policy or privacy notice. That do not sell is becoming more and more critical here in the United States. 

 

Mike Fong:

And Cameron, just to be clear, this is a CCPA requirement that we're looking at? Is it the case? And obviously you're based in the US and I'm here in EMEA. Is it the case that for CCPA those two notices, or those two buttons or functions, must be available on every single page? Is that kind of the intent?

 

Cameron Cowan:

I'm not a lawyer, so I won't give legal advice, but my understanding is that you absolutely should have a privacy policy, privacy notice on every page. Not just if you're in the US, pretty much everywhere. For that California law, do not sell, and it changed the wording so sometimes it's do not share. Regardless, I would recommend that it's right down there in the global footer and on every page as well. All the brands we work with have their own in-house counsel or legal advisors. Talk with them to make sure you're in compliance, but at the very least know where it isn't, so you can understand what gaps you may have, and you may want to address to fit that strict standard.

Okay, so that's just the baseline. That's the two links that should be on most pages, or all pages: are they there and clickable?

The next thing that I want to understand is, is that consent banner tag showing up? Does the consent banner load no matter what page on the website I first enter? So I give my customers, my visitors, the opportunity to opt in. Now, as we mentioned with the OneTrust website, there's that banner right at the bottom, and it shows up just about everywhere. I can personally click through. I clicked through dozens of pages, and it was there. But rather than just spot check this and spend a lot of my own time, I wanted to see what about 1000 pages. And so jumping back to that discovery audit and going to our tag inventory report, I can see right there at the top, OneTrust CMP. So that's the tag that loads that banner, and I can see as I go from percent to number that on 992, so almost every single page of these 1000, it was there, present and interactable. But there were eight pages, and I can click on this and see exactly which eight pages it didn't exist on.

Now once again it may be appropriate in certain scenarios that it doesn't have to be there. I know that there are instances when you're not on the public website, which is what we are looking at now, but you're looking behind authentication walls and logins. A lot of times those aren't needed. So I would just want to become familiar with these eight pages. Is there a reason my banner isn't loading? And if it should be, how do I quickly remediate that so I close that gap as well?

But it's not just the banner loading too. It's, does that banner effectively block or allow cookies and tags based on the consent the user gives? So if I come in here to the OneTrust platform and I say, you know what, I'm not cool with analytics, I'm not cool with advertising or personalization. I'm going to click disable all. Is that being respected? And so I'm going to jump back one more time into the audit. I did one where I was opted out of all those settings, so I'm simulating that exact same environment I just created as a user, and as I jump in and I look to see what tags are still loading, even after I opted out I can still see that there are about a dozen or so tags that are loading. Now, on most pages, those aren't showing up, so that may be partly a factor of where that banner is and isn't at. But more appropriately, I can still see that there are 46 pages that are loading Google Ads and Remarketing tags, and another 46 pages, potentially the same 46, that are loading Google Universal Analytics tags.

And in the scenario in which I as a user said, I'm not okay with opting in. I want you to not be measuring me. I want you to not be retargeting me. Those are gaps that we at least want to look at and see, is that an area where I could be out of compliance? Or are there reasons for that state to exist?

Mike this sounds a lot like the examples you went through earlier. Is this something you see quite a bit over on your side of the world?

 

Mike Fong:

Yeah, absolutely. What I would say is that our technology helps customers to validate. You can only validate the decisions that your business has already made. You're working in conjunction with marketing, legal and technology digital teams, and this is how you're going to get to that state of happiness.

 

Cameron Cowan:

That's right. And you're probably sick of me saying it. But I keep saying it. This may not be bad, or may not be wrong, but you want to know about it. Once again, we're not here to give legal advice. We're simply here to uncover what the state truly is of what's happening on the website. Whether or not this is or isn't in compliance with GDPR stipulations, California stipulations. There are five total states in the US that have already rolled out their own privacy regulations, and another dozen on the table. So you're going to want to understand how your standards and how your legal guidance is for your own business. All ObservePoint is here to do is to help you understand what is the reality? What is happening? So you know how to best close the gaps where they may exist.

One other set of questions that I do want to jump into, this starts to get a little bit beyond what we said at the beginning, is where new and unapproved cookies and technology are showing up. So it's one thing to say, okay, what is the state now, but as you mentioned, you did an audit, time over time, month over month I think is what you said. And I may have a list in my CMP, here are all of the approved cookies. I want to know where things are showing up that weren't on that original list. It may be that they're not bad cookies, but they weren't actually part of my consent management settings and part of my original set list.

So I'm going to jump back to the standard discovery audit. And in this case I can see, I've got eight unapproved cookies and four unapproved tags that showed up on this discovery audit. So I did the same thing. I ran the audit for OneTrust, waited a month or two, and then ran it again, and I can see eight so-called new cookies that weren't part of my original standards list. And as I drill in there, I can see exactly which cookies they are, and exactly which pages these are; I see exactly which pages they exist on. And so, in some instances I may think, okay well, trustweek.onetrust.com. That's a new microsite or subdomain on my website. That's perfectly okay. I just didn't know about it months ago, so it wasn't part of that initial list. I want to come in here. I want to add it to a consent category to make it approved, and then I'm all running, and I'm no longer flagged by that one.

There may be some others, and this is just me not knowing their website. Adsymptotic.com. That may or may not be an acceptable cookie, so I may want to dig in a little bit more. Find out who owns that, and the tag that's associated with it. A way to bubble to the surface anything that's not part of that standard list that I've already categorized, that I've already given my stamp of approval saying, yes, these things should be on my website. Anything else, at least let me know, so I can make that determination going forward.

And then the last part of that is not only understanding what is approved and unapproved tags and cookies, which is what we're mostly concerned about when we talk about consent management, but also are there any sort of geographical considerations? And this is where I want to end up today.

Mike, I know that there's been a lot of discussions we've had about international data transfers. Those laws are continually in flux and being discussed, especially there in Europe. But as I come in and I see, okay, where is my data potentially going? Where are those network requests coming from? And where could these data responses be going? I can see France, Ireland, and the Netherlands. Those weren't on my original list of places my data could or should go. Now I may see, okay, optanpn.blob.core.windows.net, I don't know what exactly that is. That domain is part of the OneTrust brand, so maybe that Ireland one is okay, and once again I can just come in here and say add that to a consent category and know Ireland and that specific domain is okay. Whereas others, Netherlands, I definitely don't know why my data is being sent to the Netherlands, I want to dig in further.

I guess the theme of all of this is, we want to be able to shine a light on where there could be gaps, where things could be falling apart. So you can quickly close those gaps. We're not necessarily saying this is wrong or this is right. We're giving you the ability to make that determination.

Any thoughts on, especially, that data transfer component, Mike?

 

Mike Fong:

Nothing much from me but we do have another question in the chat. This one's from Andy Mott. Do we have time for some more questions, Cameron?

 

Cameron Cowan:

If people need to sign out, this will be recorded and available on demand, but I am happy to answer questions. 

 

Mike Fong:

Let's go for it. So the question is, can ObservePoint scan from a specific region, specific IP address? To clarify the question, GDPR does not necessarily apply to pages if the visitor is not geographically located within a GDPR country. OneTrust even offers geo rules to determine whether to apply consent rules. Therefore, can I scan a website from, say, Germany or California, so that the scan results are relevant and specific to specific geographies?

 

Cameron Cowan:

Yeah, it's a great question. And yes, if you use the advanced settings. I'll just do it for this audit that I've already been in. The advanced settings within an ObservePoint audit do allow you to decide the location you're auditing from. So by default we're out of North America, where ObservePoint is based, but there are proxies that exist around the world. And so we have the ability to go in. For example, one of the scans I did for OneTrust was saying, do it from inside of Germany, because I know that if they're doing it in Germany the default state should be opted out, and only if I explicitly choose to opt in am I going to see additional things. So I came in here and I said rerun this exact same audit, but do it as though I were in Frankfurt, Germany. And then right there I can rerun the scan and see if the state is different.

So there are proxies. Running it from an exact IP address, I don't think that's possible. But, Mike, you probably have a lot more experience in people using the proxy service than even I do.

 

Mike Fong:

For enterprise organizations we do have an even more granular option to run, essentially, run your audits from anywhere. So there are organizations that want to run from a specific state in the US. There are organizations that want to run from specific cities. We're thinking the Vatican for example or certain parts of, say, Asia, East Asia, like China. So very, very granular for the enterprise. 

Well Cameron, we are coming to the end of our time. I know that very recently there was a step change in the situation in CCPA in terms of the level of actual enforcement. So do you want to talk us through what's happened there very recently?


Cameron Cowan:

Indeed there was. So Sephora, for those who are familiar with the brand, is a very large makeup and personal care products company, but became the first public CCPA enforcement with a fine of $1.2 million. If I'm not mistaken, this happened just last week. But this is a big marker, where before there was a lot of huffing and puffing by the Attorney General over there in California. Now he has actually come out and said, no, we're going to start levying fines, and in this case, it's a seven-figure fine. So I think this is just the signal of more things to come.

We are going to see more of this enforcement happening, and especially as we move into next year, with the adjusted rules around the CCPA to CPRA updates. We talked about the difference between, for example, do not sell or do not share and a number of other things. I think you're going to start seeing that really gain steam. I don't know whether you ever get to that same list that you had, Mike, as far as GDPR and all the massive fines you guys are seeing over there. But remember, this is just California's law. There are now five state laws, if I can remember them off the top of my head: California, Colorado, Connecticut, Virginia, and here, in my own state, Utah. All those have their own enacted regulations that go into enforcement at various points in the coming quarters. So you're going to want to be buttoned up, because enforcement isn't just coming, it's now here, and Sephora is the first to bear the brunt of that.


Mike Fong:

Does it feel like a kind of unofficial soft grace period has ended? Because that's what we had with GDPR. I think it was May the twenty-fifth, two thousand eighteen, where that was the line in the sand, and then it was kind of quiet for a bit when everyone was running around like headless chickens. And then suddenly it was, right, enforcement is happening now. You guys have had long enough to figure this out among yourselves. Do you feel like that's the mood in the CCPA enforcement authorities now?


Cameron Cowan:

Absolutely. That's exactly what we're feeling. I think they kept encouraging; in fact, we had people that were speaking at public conferences, like the IAPP conference in the spring, saying this is coming. You're already in the time frame in which we could enforce. We're not. Get your act together. And I think that the grace period has run out.

In fact, just to get a sense of this, I ran a quick audit on Sephora's public website, just to see what's actually happening there. I looked for the privacy policy and the do not sell, back to our list, just those first two basic things. Now the good news is, for privacy policy, it was there. 500 pages, 499, one page didn't load properly. So 100% of the pages that were scanned for that privacy policy did have them. Unfortunately, and we saw this in the press releases, part of what they were being dinged for is the way the do not sell existed, where it existed, what browsers it worked on. And a quick scan of those 500 pages shows me that 14 of the 500 or 499 did not have that do not sell value on it. So whether it's there and not working, or not there at all, these are all things that lead to, in this case, a seven-figure fine. So if you want to avoid that, you want to validate as much at the very beginning. Test before you launch to make sure the right things are there, but also continue to validate after the fact, just to make sure that as things get updated and changed you don't have these types of gaps on your website.


Mike Fong:

It's interesting you say that. I didn't even know browser differences were still an issue. I thought we'd moved beyond those days. I thought Chrome and Firefox and Safari, and even Edge, had modernized to the point where they were all kind of reading from the same handbook.

Cameron Cowan:

You would think so. But in fact, for those of you that were paying attention, I actually demo out of Safari because I like to use our tool in the non-standard browser, so I can find any problems or issues. And so I'm just getting in the habit of using a different browser, and even in our own tool of technology, we recognize that there are minor differences when you're in Safari versus Chrome versus Firefox. So that's the case for our application. Sure enough, it's going to be the case on a lot of websites. You don't just want to test in one place; you know, trial on a couple of different experiences so you have a comprehensive view.


Mike Fong:

And that just reinforces the need for time- and cost-efficient automated regression testing, right? No one's got the time to test in the four main browsers plus the ten minor browsers that you, Cameron, seem to use.


Cameron Cowan:

I don't know that Safari is a minor browser, but it certainly hasn't got the market share that Chrome does.

All right. Any other questions that we see over in the chat, Mike?


Mike Fong:

We have one more question from Tyrone Battle. What are your thoughts regarding the use of the GPC settings in Firefox browsers? 


Cameron Cowan:

GPC… I'm sure I've heard of this. I'm just spacing on what GPC stands for. 


Mike Fong:

I believe that is to do with, Tyrone, do correct me if I'm wrong, Global Privacy Control. So is that regarding the query parameters stuff in Firefox?


Cameron Cowan:

That may be part of it, but I'm going to have to brush up on my GPC. Maybe we'll save that for the next DataChat LIVE! and we'll actually bring it up and walk through the settings. I know that a few of our customers have brought it to our attention and talked about it, and how it affects the browsing experience, just the way the website functions. So we'll take a look at that and maybe make it a focus for our next DataChat LIVE!


Mike Fong:

Cool. Tyrone, we'll get back to you. Thank you very much everyone. 


Cameron Cowan:

All right. Thanks everyone for joining. Thank you, Mike, as always for participating, and we look forward to seeing everybody on next month's DataChat LIVE!


Mike Fong:

Thank you very much. Bye.

