Introducing Privacy Compliance from ObservePoint

January 28, 2021

Join Mike Fong, Solutions Engineer at ObservePoint, to learn how to protect your customers, their data, and your reputation with ObservePoint's newest product--Privacy Compliance.



Hi everybody,  thank you for joining our webinar today on this fine lunchtime session. I know we have some folks over from the Europe continent as well, so maybe it's one o'clock for those folks.  Today, this is ObservePoint Privacy and Compliance and my name is Mike Fong, I've been a Solutions Engineer with ObservePoint for about five years, I've been a Solutions Engineer for two of those. Today we're here to talk about privacy, so if you have any comments or questions feel free to type those in the chat window.  We'll be addressing questions at the end. Thank you very much for joining.  

In my five years at ObservePoint, we've basically seen privacy go from being a checkbox exercise in Europe, where people didn't really pay much attention or invest very much resources or time or money into it , to being an actual effective and enforced set of regulations, basically all around the globe. According to a Gauntlet report, which was published around August or September of last year, at the time of writing they stated that about 10% of the world population was covered by data privacy rules, of course mainly Europe at the time. But the report also predicted by 2023, and bear in mind these are legal rules so they take a long time to have to take force, so actually the predictions are actually very, very accurate over a three year time span. They predicted that by 2023 about 65% of the world population would actually be covered by data privacy laws. So what this really means is that every organization in the world, large or small, really has to actually meet the requirements for the relevant jurisdictions that they operate in. And in the case of digital businesses, this has often been through the adoption or partnering with a cookie consent management platform, such as OneTrust, Trust stock, or Tealium and a lot of organizations at this point in time. It's kind of taken for granted that if you invest in these and you're safe. And of course it's never that simple.  

I like to draw an analogy between implementing any kind of Martech or privacy tech with development. A business doesn't just invest in a website by investing in developers.  You also invest in a QA team, , with the relevant tools and software and processes so that the QA team can actually check the work that the developers are doing. And only that way will your development investment lead to a great final product. So the same really has to apply for Martech and privacy tech. In the Martech space, this is where ObservePoint has really been strong and it's been the core of our business, really.  But with privacy tech, we now see a huge demand for essentially a platform which customers can use to give themselves peace of mind, just like QA for the development teams. They need to have regular testing processes that our CMP investment is also giving them the peace of mind that they are actually investing in to receive.

And so that's why today I'm here to talk you through and to give a little presentation on ObservePoint's Privacy and Compliance. So Privacy and Compliance is opposite of points, latest product, and it will allow customers to check their cookies, the geo location of storage and processing of data, the effectiveness of their CMP, and coming some time mid of this year also automatic PII detection.  So for unencrypted PII, we will be able to detect if that data is stored in cookies,  sent to any Martech vendors, or sent to any other data end points, which are not Martech vendors, but definitely your organization needs to know about. So we're really proud to have this addition to our class-leading Martech QA platform. And today I'd like to talk you through how you should actually be thinking about checking and providing QA for your CMP.

And we've come up with a list of six principles first checks, and hopefully today you'll walk away and think, "ah, I kinda took that for granted until I attended this webinar." So if you walk away and learn at least something new from one of these six points, then I'll be glad that I've done my job. Take a moment just to have a look at this page and kind of follow this. Going from one to six, this is roughly a chronological, or maybe more of a thought process, or logical order of things to check. (1) Make sure you know what technologies you have. (2) Making sure technologies are delivered through your tag management system. Tag management systems pretty much are the main method to get tagging done these days, it wasn't always the case in the past.  (3) Don't take for granted your CMP is on every page. (4) Ensure your cookie notice is pretty accurate, or is completely accurate, pretty accurate isn't good enough. Show that different kinds of practices are actually respected, I will go into that in more detail. I'd also (5) check that your PII is staying within the correct boundaries. These are six checkpoints that roughly are corresponding obligations in all of the different regulatory concerns. So let's go through these actually one by one. 

Firstly, you should be, really as a large organization with a digital presence, it's likely that you have a lot of Martech on your website. What DPOs and risk officers and marketing leaders need to know is that actually Martech is a complicated technology stack to manage. I'm sure everyone knows that, but when it comes to a privacy point of view, data security, you also need to know that every Martech represents a risk.  you know, there should be a benefit, a cost and a risk for every single one of these Martechs that you implement on your website. And so somebody in your organization should be able to pull out an up-to-date inventory of all the Martechs. 

Let's just take one example. Imagine a third-party vendor, and I'm going to pick on Medallia just because they're on top of this screenshot. Imagine one day Medallia reports to their data authority that they've had an unfortunate data loss events. Organizations that know they use Medallia will have a head-start, and organizations that have no idea what they Martech stack consists of will immediately be behind. And so just knowing what you've invested in, in terms of Martech is a really, really simple first step. You shouldn't really be considering investing in an expensive, shiny new consent management platform if you don't even know what third party is you already have on your website. And so ObservePoint has always provided the functionality, which allows you to scan your websites and gets, very quickly, a full inventory of technologies. 

Moving onto the second point, ensuring most of your Martech is delivered through your tag management system. Consent management platforms work by partnering with your tech management system. In most cases, the CMP will integrate with your TMS via an API call or some kind of local storage variable and it'll basically tell, so in this case Google Tag Manager on this screenshot,  the signal would tell Google tag manager to turn off the relevant tags. In the case of the screenshot in front of you, what we can see is actually on this website, technology is implemented, but actually the tags themselves are not delivered through Google Tag Manager. And what that means is it's going to be very, very hard for any consent management platform to communicate effectively and to block each of these tags. And again, ObservePoint as you can see, the screenshot provides you with a really, really strong visual evidence and reporting to show you if tags are delivered for your TMS and if they're hard coded to the page. So that's point two, don't take for granted. You have to check that your tags are delivered through a tag management system.

Moving on to the next point to check then. So put yourself in a situation where you are confident that your tags are linked to your tag management system,  put yourself in a situation where you've completed your, or imagine at least, that your consent management platform has actually been effectively connected to your tag management system as well, so you should have a full chain of control there. One thing many organizations have taken for granted is they just assume that a CMP has on every page. The GDPR States that data subjects must be given the choice to deny or accept cookies when they land on your website. It doesn't say when they land on your homepage, it doesn't say when they land on your campaign landing pages, it doesn't say when they land on any of the pages that are immediately obvious to you.

So what that means implicitly is that a customer can land in theory, on any page. They might do an obscure Google search, or they might have added a certain page to their favorites. So your CMP must be on every page. ObservePoint can be configured to actually scrape your website on a regular basis to actually check that the cookie modal or to CMP is delivered to your customers. And in this case,  what we found is that on a 66 out of the 999 pages that our engine scanned actually 66, the pages did not contain the cookie modal. So if a customer were to land as a first time,  to start the session on any of the 66 pages, they wouldn't be shown that cookie modal and you would unfortunately be in breach of your GDPR obligations. So this is a very important thing to check. 

This is more of an obvious one. We've always known about this for the last since maybe 2012 when the cookie laws came into effect, but it's never really been enforced; is your cookie notice accurate?  Your cookie notification to your customers,  there are some that are more detailed or some that are less detailed. It really depends on your interpretation of the regulations and also on the regulation to applies to your jurisdiction and your customers and also your business or location. So it's a very complicated, but fundamentally, if you are claiming that you are notifying your customers about all the cookies that can be on their website, then you need to be sure if you need to check on a regular basis that it's accurate. So ObservePoint can do in this situation for you is, again, run a huge scan. Every scan will contain this basic information, and ObservePoint will report to you, which cookies have been found. And then a very simple side by side comparison of your cookie notification against your cookie report on ObservePoint. 

And it's worth thinking and bearing in mind going back to that consent management platform linkage with the tag management system,  there are some CMPs which will automatically update your cookie notice, and that will be based on the integration with your tech management system in most cases. So if you have third party technologies that are implemented outside of your tag management system, those will be potentially dropping cookies and they may potentially actually be outside the watchful eye of your CMP systems inbuilt cookie inventory. So by partnering with ObservePoint as essentially a third party, non-implemented cookie scraper in essence, it really gives you the full list of what your customer's browser could be experience rather than what your CMP, internal to its own implementation, is able to experience. That's another thing to not take for granted, don't assume that your CMP has complete coverage of everything it's supposed to be covering. It's kind of like proofreading your own work. It's very hard.  

Now this one is a very serious one, are cookie consent preferences actually respected?  So ObservePoint is capable of running audits under many different situations. So for example, we can tell our system to allow and accepts all cookies, and then run a scan under those conditions. And of course you'd expect to see your normal full flats cookies and your full flat Martech and analytics implementations. But ObservePoint can also be configured to actually deny all the cookies. And in this situation, you expect to see a completely different set of results. If I, as a customer, denied all cookies on a website I would expect to see no marketing, no analytics, and only the necessary cookies. That is what GDPR would expect of you. 

So under this situation, ObservePoint can alert you if you're breaking those obligations again. On the screenshot you can see here, what we did is we ran a 'deny all cookies' audit for a website, and actually we still found all of these technologies. So what this tells us is actually the, despite denying cookies, all the tags showed up and all the cookies showed up. And in some ways this is even worse than not giving the customers the choice at all. Because if you've not given customers a choice, you can tell your data governance authority that you're working on it, or it's a work in progress, or you're waiting for a new financial year, or there are any number of things which might cause a project to be delayed, but if you are offering a customers the choice, and actually we can see on the list of tasks here that on the left hand side, OneTrust has actually been implemented on this website, but it's been done incorrectly. If you're actually offering your customers the choice and they decline all cookies and you still track them and you still market your products to them. What you're basically doing is explicitly disrespecting the customer's choice. And that's even more of a slap in the face than accidentally not giving them the choice. 

This is not rare. In the last year, I've seen this on four different websites and we're not talking about small businesses. We're talking about large major businesses. ObservePoint, we work everything from small, medium enterprises all the way up to Global clients. We work with footsie 100 clients.  you know, we've got lots of large clients in auto and petrochemicals, so it's not like these are small industries or small clients who are getting this wrong. Lots of people are getting this wrong. Which reinforces the point why it's important to have something that checks your CMP investment. 

I think this is sixth point of the six, check that PII is staying with incorrect boundaries. Again, this is a very obvious one. Under GDPR, it says that PII must not be processed or stored outside of Europe. So in response to this specific regulation, ObservePoint actually a, geo location report, this tells you exactly where the domains, or the IP addresses of all the network traffic going to inform your customer's browser will resolve. And this, in essence, once we release our PII detection engine in middle of 2021, this will in fact, give you a really, really accurate smoking gun for if and when PII is going outside of Europe. So really looking forward to this. So what's the message here? Again, this is, just to unlock these a webinar best practices guides, they tell you to make it actionable.

So this is the final slide of the presentation, and we will have time to come to some of the questions I can see popping the chat.  I won't go through the list, but the goal here is to give you something to work from, something that you can build your own process around. This is not an exclusive list, or it's not a perfect list for every regulation, maybe CCPA or GDPR, but I like to think of this as a first principles thing. But the most important principle is don't take your CMP for granted. Don't assume that works very well. 

And we've had lots of feedback from our customers that actually it was quite a complicated process, and quite error prone process to implement CMPs for the first time. And that's true, not through the fault of the CMP vendors, or it's just simply something that's been done for the very first time, in response to a brand new regulation, so it's perfectly understandable that mistakes are made. That is even more why it makes sense that you actually need a kind of a different team, right? Like you've got your developers, you've got your development team, and then your QA team are quite separate. You don't let your developers check their own work in most cases. In the same sense, you do want an outside third party to be kind of checking and auditing your Martech and your CMP. 

After this presentation, the recording will be sent up so there's no need to like scribble notes, or it take screenshots. The full presentation will be available online. And I'm just looking for the chat now. So we do have a few questions, but feel free to sort of send in any more questions on the chat window. And if you can't find that chat window,  there should be a red tab on the side of your screen.  If you open that up and the third option down should be CHAT so feel free to type your questions there. And now I will address some of the questions.  

Prushant Mishra has asked, "is there any legal counsel here?" So ObservePoint does not provide legal counsel. I am a solutions engineer.  We provide the software to support your automation of your checks, all the checks that I've shown you today, that can be run on a daily basis or a weekly basis. And, but most important is to run both actually on a regular basis on your live products, so your live website or your live application. But also any time you release a change to your product. We know that Martech can break when your ITT make a change. We know Martech can break when your take management team make a change, by the same logic, your consent management platform can break anytime somebody makes a change. So thank you for the question, Prushant. 

We have another question from Sean, and the question is, "Will you be able to identify the exemption modes available in some European countries for analytics cookies?" I'm not sure what you mean by exemption modes, Sean.  But as far as I know, and this was probably about six months ago, maybe in August, 2020, at least in the UK, the ICO clarified that analytics cookies did not count as necessary, so they are not exempt. Oh, I see. Yes. So I understand your question now, Sean. So I think you were referring to, if I just go back to maybe the relevance slide. As I mentioned, we are able to specify that ObservePoint can run audits on the a fully accepted cookies scenario, and also in a deny or cookies scenario. We can also take all permutations in the middle so we can maybe accept marketing cookies only, or we can accept analytics cookies only. So yes, ObservePoint will be able to,  cover all the different scenarios on a very granular level. 

So I'll just wait a few more seconds, to see if any more questions pop through, but otherwise,  thank you for your time. I know it's it's been quite a quick one. And so I hope you've enjoyed listening. I hope you've learned something all the resources will be available after the webinar. Thank you very much, everybody have a nice day.

Previous Video
Privacy: The New Normal
Privacy: The New Normal

Join Chris O’Neill, Solutions Architect at ObservePoint, for a discussion on privacy best practices to make...

Next Video
Perfecting Release Validation: How to Catch Errors Before They Destroy Your Data
Perfecting Release Validation: How to Catch Errors Before They Destroy Your Data

Learn how to catch errors in pre-production using test automation in this MarTech Conference 2020 session w...

Get a free 14-day trial with ObservePoint

Start Your Trial