FLoCs, VCDPA, and endless data privacy noise: focus on this instead

For companies trying to protect their customers’ data privacy, responding to every new data privacy law and development is a game of whack-of-mole that they can’t win.

This is a point I’ve made previously, including in this October 2020 blog post, in which I talked about the Schrems II decision and other then-current developments in data privacy.

Now, as predicted, the data privacy world has moved onto new developments, including: 

• Google’s announcement that it will stop using tracking cookies on its Chrome browser by 2022 and  
• the new data privacy law enacted in Virginia.

In other words, if you had ignored my advice back in October 2020, any relief you might have gained from complying with the privacy developments at that time would have been short lived. And now you’d have to sort out how to comply with the Virginia law and figure out the implications of Google’s planned change.

But there’s a better, evergreen approach to achieving data privacy. And it doesn’t involve parsing through the latest data privacy law and comparing it to the existing patchwork of local, national, and international consumer privacy laws. 

Nor does it require understanding what Google’s proposed use of Federated Learning of Cohorts (FLoCs) means for your data policy. (In essence, though, a FLoC is a group of users large enough that each individual member is theoretically anonymous, but the group together has shared characteristics or interests that enable adtech to serve the right ads to them.)  

Unlike these bits of arcana, my recommended strategy for data privacy involves just a few straightforward principles: 

• Be proactive.
• Expand your focus beyond consent.
• Know what’s on your site.
• Establish data privacy practices that promote consumer trust.

Operationalizing these principles is simple too.

Be proactive.

In both matters of health and data privacy, an ounce of prevention is worth a pound of cure. Rather than waiting on data privacy laws for guidance, establish data privacy practices that go above and beyond what current laws require. In that way, you future-proof your data policy.

Establishing an approach to data privacy that does much more than the bare minimum requires that you first —

Expand your focus beyond consent.

Given the cookie consent banners one sees on every website these days, it would be reasonable to infer that data privacy requires little more than receiving a user’s consent to cookie collection.

But, in fact, asking for consent for data collection from your site visitors isn’t enough. While it’s true that some data privacy laws require user consent to data collection, these laws also grant rights to consumers regarding their data, including the right to access it, to correct it, or delete it, as well as the right to opt out of the processing or sale of their data.

That’s why a thorough approach to data privacy requires that you —

Know what’s on your site.

Protecting the data privacy of your website visitors in a comprehensive way requires first knowing what third parties are on your site and accessing your visitors’ data. 

Google’s announcement that Chrome will stop using tracking cookies doesn’t mean that third parties will stop collecting your website users’ data. 

Cookies are only one mechanism for capturing this information. As my colleague William Broadhead, Senior Director of Engineering at Crownpeak, says, “Who cares if the cookie disappears? Companies can easily track you via fingerprinting, pixels, and other little markers. And they will continue to do so.”

For this reason, knowing what technology is on your site capturing and processing user information is critical:

“As a website owner or publisher, you have the responsibility of understanding what's happening on your website, what data is being trafficked, where it’s going, and what partners or third parties you’ve allowed onto your site to gather user information,” explains William. “Existing data privacy laws grant a right to users to ask you not to sell or share their data, which means you need to know what's happening on your website.” 

This responsibility extends to any company in the U.S., even if it’s only operating domestically.  

As my colleague Jeff Wheeler, Senior Product Development Manager at Crownpeak, explains: 

“In the past, American companies with operations in Europe were the only ones focused on data privacy because of their need to comply with the European Union’s General Data Protection Regulation (GDPR). But now with the California Consumer Privacy Act in 2018 and the Virginia Consumer Data Protection Act in 2021, any U.S. company must have visibility into what's going on in their site. It's an absolute requirement at this point.”

So, how can you know what’s on your site? Crownpeak’s tag monitoring solution can do that for you.

“We provide tools that give you frontline perimeter visibility into what is happening on your site as well as the ability to control it,” William explains. 

Establish data privacy practices that promote consumer trust.

Knowing what’s on your site is the first step to making intentional choices about what data collection and sharing to allow and how to support your visitors’ data privacy. 

Crownpeak privacy analysts can help you lay that foundation of knowledge and then assist you in building an overall data privacy strategy that promotes consumer confidence and goodwill. And as the privacy market evolves, so too do Crownpeak’s tools, helping you maintain compliance and keep in step with new regulations.

So, put down that whack-a-mole mallet. When it comes to data privacy, Crownpeak can help you win. Speak to an expert, today.