Why it’s not just about hackers anymore

Privacy and cybersecurity threats are closely intertwined. Weak cybersecurity defenses can lead to breaches compromising personal data and triggering downstream consequences like identity theft and fraud. However, privacy risks aren't limited to traditional breaches; they are far more numerous.

The privacy industry and regulatory standards are growing around state regulations and private rights of action, yet the lack of a federal privacy law still needs to be improved. The lack of clear guidance makes compliance far more difficult as each state law has its requirements, allowing for gaps in protecting sensitive information.  

Even without the traditional external breach by a bad actor, poor privacy practices expose consumer data to unauthorized parties—including highly sensitive details in some cases. While the intended use of this data often starts with advertising, nothing stops other parties, including private organizations and governments, from utilizing this data for surveillance. 

It Doesn't Take a Hacker to Share Your Information

When we think about cybersecurity, we often focus on blocking bad actors and avoiding attacks like phishing and ransomware. However, data is constantly shared without people's knowledge or consent, and until relatively recently, this practice was legal and there were very few barriers to doing so. The first comprehensive state privacy law, the California Consumer Privacy Act (CCPA), took effect in 2020, just five years ago.  

Meanwhile, the data broker industry, worth billions, has long operated with minimal regulation. (I am excluding the companies that operate in highly regulated industries like financial services and healthcare.) Data brokers collect and aggregate vast amounts of information on millions of individuals, creating detailed profiles that make targeting specific groups or individuals easy. Again, the stated use case is to target more relevant content and/or ads to individuals, but once data is shared, it’s out there in the wild. And the depth of this data can be alarming—anyone with the right tools or knowledge can track down a person or pinpoint individuals with disturbing details.

Before You Brush Aside Privacy Concerns

Brushing aside mundane privacy concerns is easy, but there’s a bigger picture here. We've heard some of the major headlines—the Cambridge Analytica scandal is a prime example of how the data we share for one purpose can be used on a large scale for another purpose, in this case, to influence major societal events.  The Wired article "How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin," illustrates how advertising data is detailed enough to be used for surveillance (including real-time location tracking) and gives striking examples of how this data is essentially accessible to anyone. It’s important to realize how much data is being collected and then extrapolate that to the many different use cases: tracking by law enforcement without a warrant, being tracked by a private company, government, or criminal. 

These examples are relevant to all types of organizations because we often use pixels and trackers on our websites that feed this data back to advertisers and platforms like Facebook. This data is often accessible by several different third parties operating on a website. Our research found that 47% of websites have the Facebook Meta Pixel, 12% have the TikTok pixel, and many other less well-known ad trackers. These technologies share data about website visitors' behavior with these third parties. This is problematic when the company handles healthcare or financial data, where sharing data incorrectly becomes a reportable data breach. Still, new laws and regulatory enforcement actions put companies in almost all industries on notice.

I see two things as being true in the vast majority of cases I see:

1. The company is surprised to see the amount of data collected on its websites. They need to be made aware of many of the third-party tools that are collecting user data. 
2. If they use a consent management platform (CMP), they assume they are covered just by having the banner set up. In most cases, this assumption needs to be corrected. The technology is complicated to keep up to date and needs to be more to enforce your privacy policy in a complex ad-tech ecosystem.

By taking a privacy-first approach, organizations can do their part to protect user data in an increasingly complex data privacy environment. Below are a few practical steps to minimize privacy risks and safeguard sensitive information.

How to Strengthen Controls Over Unauthorized Data Collection

One of the most effective ways is by implementing strong controls over unauthorized data collection. Here's how to identify vulnerabilities, reduce your threat surface, and ensure your data practices align with legal standards.

•  Audit Your Website for Privacy Risks -- Identify the most vulnerable pages. Pages with interactive or embedded features—such as appointment schedulers, contact forms, live chat, or e-commerce payment systems—are common culprits for collecting personal data. Additional risks include embedded ads, search bars, or maps. Disable unnecessary third-party features or limit data sharing to only what's essential for the functionality.
• Reduce Tracking Technologies -- Minimize using trackers like Facebook or Google Analytics on sensitive pages. These tools can be very difficult to control as they interact with many other scripts on the page. Audit your website for excessive session replay tools and fingerprinting technologies and ensure that all data sharing complies with regulations and avoids countries of concern.
• Limit Third-Party Data Sharing -- Certain types of companies require some customization. Do your best to limit this data to what is essential to your bottom line. Regularly review the third parties your website interacts with and remove outdated or redundant connections. Using software to block unnecessary data sharing can simplify this process and reduce your organization's threat surface.
• Be Transparent and Obtain Consent -- Transparency and consent are essential for compliance and trust-building. Ensure you have a straightforward privacy policy expressing how your organization handles users' data in simple terms. Implement a robust CMP and verify that it is properly configured. Common issues prevent these tools from being completely effective, so it's essential to check that the consent banner loads before other website scripts, that it's on every page, and that it surfaces more tracking technologies than cookies. Regularly check that trackers are correctly classified and confirm that when users select "Reject All," it is working as expected because, more often than not, it is not. Weekly scans and updates also ensure your consent tool remains accurate and comprehensive.

By proactively auditing, reducing unnecessary tracking, limiting third-party data sharing, and prioritizing consent, your organization will be far better off than most!