Since the passage of California’s Consumer Privacy Act (CCPA) in 2018, businesses serving California-based customers have been required to maintain security controls that protect sensitive consumer information. Unsurprisingly, there has been some debate regarding the exact meaning of “reasonable security,” as well as “sensitive consumer information.” Simply put, it is best to err on the side of caution.
Now, because Proposition 24 passed into law during the 2020 elections, CCPA compliance is more important than ever before: not only does it establish a new agency to enforce California’s consumer privacy law, but it also removes the grace period that businesses were previously granted to fix violations before being penalized.
Even more concerning is this: many businesses do not realize they are in violation of CCPA to begin with. In order to comply with the legislation, many have turned to consent management platforms (CMPs) that acquire permission before collecting information from online customers. But evidence is mounting that CMPs will not be able to face the challenge of increased CCPA enforcement.
“In Europe, the same mechanism for acquiring consent is codified by the IAB Europe Transparency and Consent Framework (TCF),” says Chris Olson of the Digital Ecosystem Authority. “A Belgian court has ruled against the IAB TCF, because it isn’t transparent enough – users click ‘okay’ without knowing what they’re consenting to.”
Since American privacy laws have followed European legislation closely, it’s likely that opt-in buttons on websites will not protect businesses from fines and lawsuits following the passage of Proposition 24. And if that’s not enough, there are even more reasons why U.S businesses should rethink their dependence on CMPs.
So-far, CMPs have been the most popular automated solution to protect the privacy of online users from unwanted data collection and invasive third-party trackers. As the name implies, CMPs deal with the control of user consent on websites regarding the collection and handling of all personal information.
More importantly, as the name also suggests, it is a platform rather than a universal protocol, so there are actually many different CMPs that must be used for a website to obtain compliance with various data privacy laws – each of which may require different technology for managing user consent.
For this reason, industry analyst Charles King of Pund-IT warns: “it is not a one-size-fits-all solution, mainly because of how variable requirements can be from region to region.” Although he notes that “as long as businesses shop carefully, they should be able to find a solution that fits their needs,” he goes onto argue: “ the potential liabilities for failing to follow the rules makes it important for companies to work with vendors that know what they're doing."
One of a CMP’s main selling points should be to help companies comply with regulatory obligations while tracking both user consent and approved vendors who have access to their data. A CMP should also provide consumers with clear options regarding how their data is collected and used.
To this end, it is imperative that a CMP can capture, store and signal user consent and preferences to downstream vendors. This may not sound difficult, but very few CMPs can rise to the challenge.
“In theory,” says Olson, “CMPs are supposed to handle all the heavy lifting of data privacy compliance: they seek permission from users to track their data or share it. They also allow users to opt-out, communicate their preferences with third-parties, and learn how their data is being used."
But in fact, CMPs cannot control everything that takes place on a website. In particular, they cannot force third-parties to respect user preferences. This is a major concern when third-parties provide 80 – 95% of the code across consumer-facing websites, encompassing advanced functionality like digital advertising, content recommendation and other advanced functionality.
"A CMP is a very one-dimensional piece of code,” Olson explains “It doesn’t process anything with a great deal of intelligence – it simply reacts against what it has been trained to recognize, which also makes it a 'petri dish' of experimentation that criminals use to find new vulnerabilities and weaknesses.”
Ultimately, while CMPs are good at gathering minimal user consent, they cannot prevent malicious actors from working in the background to bypass security controls and steal the information a business stores on its customers. In the end, this leads to data breaches and lawsuits.
"If you don't do all of your homework, which means tracking every single vendor running on your website and having the stamina to hold them accountable,” says Olson, “you will find yourself in trouble the second you finish your analysis of what the CMP should know.”
In essence, a CMP is a just block of code placed on a webpage that is intended to enable compliance and raise security. To a limited degree, CMPs are useful for meeting a small range of security and data compliance objectives, like acquiring consent and regulating the way known source code can run on a page.
However, tag managers like CMPs and JS-blocking code cannot comprehensively know what is happening across a website, and this allows malicious actors to slip through easily. “Since Proposition 24 was passed, we’ve had customers calling us in a panic,” says Olson. “They have well-configured CMPs, but only now are they realizing that’s not enough.”
Ultimately, businesses who wish to comply with CCPA cannot depend on CMPs alone: they must commit to knowing and continually monitoring their third-party partners while enforcing their data compliance and security protocols. Not only does this strategy hold digital vendors accountable, but it also provides high-quality data to make their CMPs more effective.
“It’s completely legitimate for businesses to leverage third-party vendors to make the consumer experience better by understanding their preferences,” says Olson. “However,” he adds, “placing the burden of ‘opting out’ on the customer is insufficient, and also misleading. It is time for businesses to take responsibility for their actions - don't push consumers to make decisions about things you aren’t even aware of.”
by PETER SUCUI
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.