Six months after it went into effect at the start of 2020, legal enforcement of the California Consumer Privacy Act (CCPA) finally began on the first of July. Since then, large businesses including social media platform TikTok and CRM-powerhouse Salesforce have already been subjected to lawsuits under the CCPA, which gives consumers the right to know how businesses use and sell their personal data, along with the right to opt-out of data collection practices entirely.
Although it is technically limited in jurisdiction to businesses serving residents of California, the CCPA is impactful and far reaching. Like the GDPR before it, the CCPA has a global scope which will affect a majority of large business-to-consumer entities with an online presence, whether they operate in another state or even another country. It will especially impact publishers, including organizations in media and entertainment, alongside eCommerce sites and digital retailers.
For these businesses, the rights outlined by the CCPA translate to concrete obligations, and financial ramifications if those obligations are breached. The most obvious obligations include: informing customers about data practices, providing an opt-out mechanism as well as processes for data deletion requests, and a process to inform partners when these requests are received.
Above all, the CCPA implies a requirement to protect data and prevent it from falling into the wrong hands. But when it comes to providing this protection, publishers, retailers and other brands across multiple industries are about to face serious challenges from their third-party partners and digital assets.
Web developers and business executives are most familiar with third-party code (3PC) in the context of GitHub, and other code libraries that are used to speed up the cycle of web development. But today, the use of 3PC supports a far more extensive set of business functionality, with digital third-parties providing up to 90% of the code across consumer-facing websites.
On the positive side, 3PC provides consumers with rich features including content recommendation, media galleries, shopping carts and more. Most importantly, 3PC powers monetization features like programmatic advertising, allowing publishers to profit from content without the use of paywalls or subscription features.
Unfortunately, 3PC also lies outside the control of host organizations who – in many cases – are not even aware of its existence. This systemic lack of oversight allows a minority of malicious third-parties to work behind the scenes, gain access to visitors, scrape their personal data, and even launch malware attacks. For years, this problem has gone unchecked, but with the arrival of CCPA, failure to vet third-parties will have serious consequences.
Under the new legislation, publishers are required to provide users with the ability to opt-out of tracking cookies and enter into contracts with third-parties that guarantee their wishes will be respected. But without any means to enforce compliance, rogue third-parties will drop tracking code with or without the permission of publishers. In many cases, these cookies persist for absurd lengths of time: 32% of cookies across top Alexa 500 ranked Banking, Healthcare and Media websites last longer than 12 months, with the longest cookie lifespan exceeding 7,000 years.
Even when browsers drop support for third-party cookies in the future, malicious 3PC will continue to collect data on visitors through advanced techniques like browser and device fingerprinting, ultrasonic beacons, and malicious java script. Malware like IcePick-3PC will siphon users’ IP addresses for use in future attacks, while malicious redirects like Stegoware-3PC will prompt users to enter sensitive data including credit card and social security numbers.
None of these examples are hypothetical: 2-3% of the world’s largest websites by Alexa 500 rankings are already impacted and constitute a risk to Internet users. With the incidence of scams, data breaches and other malware events rising every year, the businesses who allow it to happen will soon be accountable for violating the CCPA’s “reasonable security” requirement. To avoid running afoul of the legislation, the time has come for publishers to ask themselves: “do I know what’s happening on my website?”
1. Do you have systems in place to find and manage digital third-party code?
In many cases, simply eliminating third-parties with a suspicious origin will dramatically reduce risk to your online visitors. According to research, the average news and entertainment site can make over 100 calls to external domains over a single web session, and on average 12% of those domains will change from month-to-month. Without the ability to reliably track which domains are operating on your site, distinguishing between benign and malicious partners is not possible.
2. Do you have protocols to communicate with third-parties regarding CCPA compliance?
It is not enough to know which third-party vendors are operating on your website: you must also communicate with them to find out whether they have reasonable, CCPA-compliant policies for handling consumer data that respect user consent. When a new vendor appears on your site, can you quickly confirm whether they have such policies in place? This is a crucial question for any viable CCPA compliance strategy.
3. Do you have systems or tools to prevent malware attacks targeting your visitors?
The most dangerous form of 3PC goes beyond cookies or phishing attacks: it can drop malicious payloads on a user’s device that may log their keystrokes, steal money from their digital wallets, or exploit device features to collect sensitive data in the background. Without systems to detect and mitigate malware attacks, organizations leave their visitors defenseless and risk severe compliance violations of the CCPA. According to a recent report by IBM, 80% of security breaches expose customers’ personally identifiable information (PII), and malicious 3PC increases the risk of a data breach considerably.
4. Can you ensure that existing protections against third-party code are working correctly?
Many organizations employ a consent management platform (CMP) to help users opt-out of tracking cookies and the sale of their personal information. These systems are usually configured to share user-requests with one or more third-parties. However, third-parties may or may not respect those requests, and organizations rarely have any way to validate whether their user consent systems are effective. When a business cannot determine whether users are still being tracked after they have opted out, then CMPs and similar platforms are only a partial solution at best and may constitute a more serious violation of the CCPA at worst.
To Stay Compliant With CCPA, Know Your Partners
In the age of CCPA, ignoring or neglecting third-parties is not an option. Publishers, digital retailers and any other business that depends on its website for revenue must develop communication channels to inform their partners when users place opt-out requests. They must invest in solutions to detect and remediate malicious activity on their web domains, and -above all - they must diligently vet every asset they allow on their websites while enforcing a strict standard for mutual security and trust.
by CHRIS OLSON
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.