Where is your website visitors’ data really going?

Jan. 10, 2023
Getting visibility and control over JavaScript and third-party sharing is a critical element of cybersecurity

In today’s digital world, collecting and analyzing large amounts of customer data has become a common tactic for companies to better understand, engage and market to their customers. But with that increased data collection and retention comes the challenge of securing the data and protecting customer privacy.

An often-overlooked source of data is the data collected from visitors to company websites. In fact, we conducted a study and found that, on average, the homepage of a Fortune 1,000 website has 135 third parties making requests for data via trackers and JavaScript that lead to unauthorized data sharing. These aren’t just cookies. These are clever, hidden scripts that you can only detect from the web browser, and they can contain privacy threats that you can only block from the browser through better technology.

So, we set out to determine:

●     With whom is the data being shared?

●     Do these third parties have permission to collect data from your customers?

●     Are the third parties requesting this data keeping it safe?

●     Are companies able to properly disclose what data is being collected and shared with their visitors?

●     How far downstream do these branching scripts go (4th-party, 5th-party, Nth-party)?

This article explores what’s going on behind the scenes of typical websites when it comes to data collection and sharing with today’s modern web architecture and data-driven marketing tactics, and how companies can protect themselves and their customers in an online environment that’s been directed to collect as much data as possible.

Modern Marketing and Web Development Encourage Data Sharing

In an effort to reach the right audience, increase engagement, and optimize online performance, data collection by customer-facing teams has soared, and the “measure everything” mentality is encouraged in an attempt to meet quarterly revenue targets.

Modern website architecture relies heavily on third-party cloud services. These include essential functionality like forms, dynamic content generation and shopping carts, as well as trackers, cookies and session recorders. The issue companies are facing is that many of these trackers are installed “downstream,” meaning the company hasn't directly installed these trackers and isn’t getting or controlling the data from them. And these “downstream” trackers share with other trackers, and so on. The result is data propagating to data brokers exponentially.

Data Sharing Is Happening at a Rate Higher Than You Might Think

The diagram below further illustrates what's happening behind the scenes of a typical website. The website is represented by the green dot - the ‘1st Party’. Each of the blue dots represents a third-party vendor with which the website shares data (like the form and analytics tools mentioned above). You can see that many of the third parties are also sharing data with other partners, and the chain goes on layers deep. Downstream partners that had nothing to do with the third parties originally evaluated by the company and used to build the website are now receiving data from the 1st party website.

Most of this data is shared directly between third parties and end-users’ browsers. As a result, most companies have zero visibility or control over where the data goes once it leaves their website and the third parties that are in their tag managers.

Many companies complete third-party risk assessments for their vendors, but that merely represents how secure and safe that third party was at the time of the assessment. New third parties appear and change constantly. Keeping up with all of these in real time is exceedingly difficult, and companies are getting in trouble for privacy risks that they often can’t even see.

Without the right tools, it’s nearly impossible to answer confidently:

●     What is the complete list of third parties at a given point in time?

●     Are they following the rules?

●     Is the third party keeping the data safe?

●     Is the third party sharing data with others - intentionally or unintentionally?

●     What cookies are getting dropped from different locations?

Once it’s out of your hands and into theirs, it’s out of your control.

The Consequences of Unchecked Data Sharing

1.)  Consent Management Platform (CMP) enforcement: You need to confirm that your CMP is being enforced on the client side. Many privacy regulations, including the CCPA and GDPR, require visitor consent before collecting and sharing user data. It’s very difficult to add information to a privacy policy and obtain consent without full visibility of what’s being collected and where it is going. This is a real threat that we’ve seen come up in several class action lawsuits recently, including those related to the Meta tracking pixel and session recording tools.

2.)  A larger surface area for attacks like piggybacking: The more places your customers’ data ends up, the more places it needs to be protected. Some common ways we’ve seen third parties get compromised:

        a.)  e-Skimming and data harvesting - it goes by several names, but this type of attack happens when data entered on web forms or during an eCommerce transaction is stolen. The attacker injects code into the form that directs the information from the form to be shared with the attacker, for them to use however they wish.

        b.)  Malicious script injection - the attacker can inject code on a website to do many different things, like steal the user’s cookies to impersonate them, redirect broken links on a website to a malicious website, or force the user to take certain actions when logged into an authenticated website.

        c.)  Spam and scams - if attackers are able to get ahold of even basic information like a phone number or email address, they can target individuals with call and text scams, and email spam.

There are all sorts of ways that customer data can become compromised, and the financial penalties are severe, not to mention the reputational damage for the company.

How to Identify Risks on Your Website and Deliver Safer Online Experiences

To identify risks on your website, it’s best to keep an ongoing inventory of all the third parties on your website. The easiest way to do this is to use software that can do real-time scans and inventory all the third parties and their dependents (4th, 5th, 6th, and nth parties) that they are sharing data with. This will help website owners better protect their customers and reputations.
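
The inventory described above, including the downstream chain of 4th, 5th and nth parties, can be sketched from the requests a browser records during a page load. This is an added example, not the author's or any vendor's code: the hostnames, request records and approved-vendor list are constructed, and grouping hosts by their last two labels is a simplifying assumption (a real tool would use the Public Suffix List).

```javascript
// Constructed sample: requests seen in one page load, each with the URL of the
// document or script that initiated it (as a HAR or DevTools export records).
const FIRST_PARTY = "https://www.shop.example/";
const APPROVED = ["tagmanager.example", "vendor.example"]; // vendors the company reviewed
const OBSERVED = [
  { url: "https://www.shop.example/app.js", initiator: FIRST_PARTY },
  { url: "https://tags.tagmanager.example/tm.js", initiator: FIRST_PARTY },
  { url: "https://forms.vendor.example/embed.js", initiator: FIRST_PARTY },
  { url: "https://cdn.analytics.example/a.js", initiator: "https://tags.tagmanager.example/tm.js" },
  { url: "https://px.adnetwork.example/p.js", initiator: "https://cdn.analytics.example/a.js" },
  { url: "https://sync.databroker.example/m?u=1", initiator: "https://px.adnetwork.example/p.js" },
  { url: "https://beacon.unknown.example/b", initiator: null }, // initiator not recorded
];

// Assumption: the last two hostname labels identify the owning site.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function inventory(firstPartyUrl, requests, approved) {
  const root = siteOf(firstPartyUrl);
  const edges = new Map(); // initiating site -> Set of sites it caused to load
  const seen = new Set(); // every non-first-party site that received a request
  for (const { url, initiator } of requests) {
    const to = siteOf(url);
    const from = initiator ? siteOf(initiator) : null;
    if (to !== root) seen.add(to);
    if (from && from !== to) {
      if (!edges.has(from)) edges.set(from, new Set());
      edges.get(from).add(to);
    }
  }
  // Breadth-first walk from the first party: shortest load chain to each site.
  const chain = new Map([[root, [root]]]);
  const queue = [root];
  while (queue.length) {
    const cur = queue.shift();
    for (const next of edges.get(cur) || []) {
      if (chain.has(next)) continue; // already reached; also guards against cycles
      chain.set(next, [...chain.get(cur), next]);
      queue.push(next);
    }
  }
  return [...seen].sort().map((site) => {
    const path = chain.get(site) || null;
    // A site loaded directly by the first party is a 3rd party, one hop further a 4th, ...
    return { site, party: path ? path.length + 1 : null,
      chain: path ? path.join(" -> ") : "unknown initiator", approved: approved.includes(site) };
  });
}
console.table(inventory(FIRST_PARTY, OBSERVED, APPROVED));
```

Rows with `approved: false` and a `party` of 4 or higher are the downstream recipients the company never evaluated; a `null` party marks a request whose origin could not be traced and needs manual review.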

There are also tools that can prevent the unauthorized sharing of data. These privacy tools can block certain scripts from running on the website, without breaking the functionality of the website. This is a great option for companies who want to take advantage of the benefits that third parties bring and don't want to compromise on security.

The bottom line: You can’t protect what you can’t see. Getting visibility and control over JavaScript and third-party sharing is necessary for companies to protect their customers and themselves.

About the author: As CEO & Founder of LOKKER, a provider of data privacy and compliance solutions for the enterprise, Ian Cohen is dedicated to providing solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen served as CEO for Credit.com, and CPO for Experian, where he focused on consumer-permissioned data.