Camille Ley, Senior Privacy Consultant and
Lindsay Farbent, Privacy Consultant
If you are like many businesses that have implemented solutions to honor consumer do-not-sell/share requests in accordance with U.S. state privacy laws, you have likely placed a degree of trust in third parties that they will honor the requests they receive. While having an appropriate solution in place to deliver the request, currently in the form of delivery of the IAB Technology Laboratory's U.S. Privacy String, is a key part of the compliance equation, a third party's failure to act on the request may still expose your business to risk. At present, it is not clear to what extent those charged with enforcing applicable state laws will hold businesses liable when their third parties fail to honor do-not-sell requests. What is clear, though, is that some level of diligence in this regard will be necessary.
In addition to establishing your own compliance practices, it is vital that you take affirmative steps to ensure third parties comply with do-not-sell requests made by consumers visiting your websites. One step that will demonstrate a requisite level of diligence is conducting periodic assessments of third parties' fulfillment of opt-out-of-sale requests.
Laying the foundations for assessment of do-not-sell compliance
Establishing do-not-sell compliance assessments requires up-front planning. A critical component is making sure contracts with third parties setting cookies include a “right to audit” or “right to assess” clause. Without such a clause, third-party cooperation may be lacking.
It is also important to establish a program that is manageable for your internal resources. Depending on the size of your organization and the number of parties placing cookies on your online properties, you will likely not be able to assess the compliance of all parties. As such, a process should be developed to regularly identify the vendors that will be in scope for an assessment.
This “prioritization analysis” will help your organization balance the need to assess and the practicalities of conducting these assessments. The prioritization analysis should look at criteria that indicate the general risk associated with each vendor. These criteria may include:
- The volume of visitors. The number of visitors to each website on which the third party places cookies.
- Types and numbers of cookies placed. The type and number of cookies set by a third party are key criteria, with multiple cookies being set indicating greater relative risk.
- The volume of sharing and sales. Ascertaining the volume of sales of personal data by the third party setting the cookies is crucial. Understanding whether the data is shared with one party or multiple parties is a key risk indicator.
- Sensitivity based on website type. Different website content may indicate different levels of risk. Consideration should be given to the nature of the website and potential inferences that can be drawn from the data collected. Websites dealing with health, finance or other sensitive personal information carry higher levels of inherent risk.
The results of the risk ranking analysis will facilitate the determination of the highest risk third parties for assessment during the coming period, for example over the next quarter. This supports effectively allocating internal resources while promptly addressing the most significant risks.
Assessment questions and approach
A simple multi-question assessment delivered to the third party can be designed to meet your objectives in evaluating the fulfillment of opt-out-of-sale requests. The questionnaire should be accompanied by a request that a representative provide a signed verification of the accuracy of the responses, adding an extra layer of assurance and accountability. Examples of questions to ask the third parties include:
- Have you operationalized a process to ingest the U.S. Privacy String when delivered and to prevent the placement of cookies on the requestor’s browser?
- Do you maintain a documented procedure or other work guidance indicating the steps that must be actioned upon receipt of the U.S. Privacy String?
- Can you provide documentation or evidence of receipt of do-not-sell requests, including the number of requests received, and the actions taken in response?
- Do you have a process in place to regularly review and update your privacy practices to align with any updates or changes in the U.S. Privacy String?
The sample questions may be used as a starting point for assessing adherence to the do-not-sell compliance obligations and proper fulfillment of requests, but organizations should tailor such questions to their specific operating environment and the nature of the data being shared.
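Questionnaire responses can be cross-checked against observed behaviour. The following is an added example, not part of the original article: it parses the four-character IAB U.S. Privacy String (version, notice, opt-out-of-sale, LSPA flags) and flags page loads where a vendor still set cookies after an opt-out was signalled. The observation records, vendor hostnames and cookie names are constructed test data.

```python
import re
from dataclasses import dataclass

# IAB U.S. Privacy String, e.g. "1YYN": [0] version (always "1"),
# [1] explicit notice given, [2] opt-out of sale, [3] LSPA covered.
# Each flag is Y, N or "-" (not applicable); "1---" means CCPA does not apply.
USP_RE = re.compile(r"^1[YN-]{3}$")

@dataclass
class UspSignal:
    version: int
    notice: str
    opt_out_of_sale: str
    lspa: str

def parse_usp(s: str) -> UspSignal:
    """Strictly validate and decode a U.S. Privacy String; reject anything malformed."""
    if not USP_RE.match(s):
        raise ValueError(f"invalid U.S. Privacy String: {s!r}")
    return UspSignal(int(s[0]), s[1], s[2], s[3])

def opt_out_requested(signal: UspSignal) -> bool:
    return signal.opt_out_of_sale == "Y"

# Constructed sample observations (not real data): one record per test page load,
# recording the string delivered to the vendor and the cookies its domain then set.
OBSERVATIONS = [
    {"usp": "1YNN", "vendor": "ads.example-vendor.test", "cookies_set": ["uid"]},
    {"usp": "1YYN", "vendor": "ads.example-vendor.test", "cookies_set": ["uid", "sync"]},
    {"usp": "1YYN", "vendor": "tag.other-vendor.test", "cookies_set": []},
    {"usp": "1---", "vendor": "ads.example-vendor.test", "cookies_set": ["uid"]},
]

def find_violations(observations):
    """Return (vendor, usp, cookies) for loads where opt-out was signalled but cookies were set."""
    violations = []
    for obs in observations:
        try:
            sig = parse_usp(obs["usp"])
        except ValueError:
            continue  # malformed string: log separately in a real assessment
        if opt_out_requested(sig) and obs["cookies_set"]:
            violations.append((obs["vendor"], obs["usp"], list(obs["cookies_set"])))
    return violations

def vendor_summary(observations):
    """Per vendor: (loads carrying an opt-out, loads that violated it). Evidence for the questionnaire."""
    summary = {}
    for obs in observations:
        sig = parse_usp(obs["usp"])
        if opt_out_requested(sig):
            hit, bad = summary.get(obs["vendor"], (0, 0))
            summary[obs["vendor"]] = (hit + 1, bad + (1 if obs["cookies_set"] else 0))
    return summary
```

Running `find_violations(OBSERVATIONS)` on the constructed data flags only the second load; `vendor_summary` gives per-vendor counts that can be compared with the request volumes a vendor reports back.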
If necessary, follow-up interviews or meetings with vendors should be scheduled to clarify any ambiguities or gather additional information. This can help address any inconsistencies and clarify any gaps identified during the review process.
Response to noncompliance
If the assessment indicates a third party is not ingesting the U.S. Privacy String or taking appropriate actions upon receipt, you may provide a short remediation period during which the third party has an opportunity to implement compliant practices. Alternatively, depending on the severity of the noncompliance, consideration may need to be given to terminating the contract with the third party or restricting its right to place cookies. For vendors with compliance gaps, it is important to establish a process for follow-up and ongoing monitoring to ascertain whether the necessary remediation measures have been implemented and maintained.
Documenting the process
The entire process should be documented as a procedure or work guidance, including the processes for prioritization analyses, assessments, and remediation efforts, to support the accountable and consistent application of the compliance monitoring initiative. Documenting each step helps establish a clear and repeatable framework for managing third-party risks associated with do-not-sell requests, facilitates knowledge sharing, and supports effective tracking of compliance efforts over time. In addition, documentation of the third-party responses, findings and any required remediation actions will be invaluable in demonstrating your commitment to regulatory compliance in the event of audits or legal inquiries.
Given the lack of clarity around potential regulatory enforcement against publishers in instances where advertisers fail to honor opt-out-of-sale requests, periodic assessments of third-party do-not-sell compliance should be viewed as a high-priority risk management activity. This is particularly true with the Office of the California Attorney General and the California Privacy Protection Agency set to begin California Consumer Privacy Act and California Privacy Rights Act enforcement in July. Organizations with a proactive approach to risk management should consider taking immediate steps toward designing and implementing a practical do-not-sell compliance assessment program.