Privacy Impact Review
Mitigating Privacy Risks of AdTech and Session Replay on Public-Facing Websites
Breakwater’s Privacy Impact Review
As an increasing number of organizations become potential targets for these types of allegations, it is critical for organizations to take proactive measures to understand what user information they and their vendors collect during interactions with their websites. Breakwater experts are regularly engaged in performing an in-depth technical review of the currently deployed advertising technology on an organization’s website and preparing a formal report. Our Privacy Impact Review Report documents findings such as characterization and use of information collected, areas of potential risk or exposure, and recommended solutions to mitigate any identified privacy risks. For organizations entering litigation, Breakwater experts will perform a comprehensive privacy impact review of an organization’s website, conduct analyses of log files and other data, provide technical advisory support related to the privacy impact review and findings, deliver consulting services related to class certification and substantive allegations, and testify as 30(b)(6) experts.
Breakwater’s AdTech Data Transfer Expertise
Breakwater experts have the tools and expertise to perform a holistic review of the advertising technology deployed on an organization’s website by evaluating data transfers as a typical user during a session on the site. The team closely examines web pages where user interaction poses a heightened risk that sensitive information could be communicated to parties outside of the organization.
These potentially risky web pages and activities include:
- Form fields, such as demographic information used to build a profile,
- Ordering pages where financial transactions occur,
- Appointment scheduling forms for any appointment or virtual visit,
- Searches on sensitive subject matters, such as specialty doctors, divorce attorneys, or funeral homes,
- Login pages for customers and clients,
- Secure websites and portals after entering credentialed logins, and
- Pages that use validation systems, such as Google reCAPTCHA.
The Breakwater team will also review key settings to mitigate potential data sharing risks within marketing and advertising management platforms and analytics platforms leveraging data gathered during web browser sessions. For example, we:
- Assess anonymization settings for data points like IP addresses to ensure appropriate levels of security for personal information and other sensitive data,
- Review analytics settings to confirm versions and toggles that are available and intended to protect privacy, and
- Analyze data segmentation, partitioning, and storage to disable internal analyses that link to specific individuals, when applicable.
Breakwater’s Session Replay Privacy Review
Breakwater experts similarly support emerging areas of data privacy and website technology, such as the implications of pervasive session replay technology, which captures user interactions with a webpage such as keystrokes and mouse clicks. Session replay lawsuits allege unlawful interception of sensitive personal information through various analytics tools used on an organization’s website, including personally identifiable information (PII), personal health information (PHI), and payment card industry data (PCI). Breakwater will review the session replay tools deployed across an organization’s public-facing website and assess the data privacy risk levels associated with the technologies. Breakwater experts will advise on change management related to these risks while reducing the impact on the business’s reliance on the output of these tools.
Result: Alignment of Legal, Compliance, and Marketing
A holistic review of the advertising technology deployed on an organization’s website enables general counsel, privacy and risk officers, and other stakeholders to understand privacy risks related to website activities, marketing programs, and direct marketing. Management of privacy risks aligns an organization’s marketing efforts with legal and compliance requirements, enables safeguards to prevent inadvertent disclosure of PII, PHI, and other sensitive data, and establishes improved processes and technology to track, audit, and defend the use of third-party advertising technology so that ongoing business decisions are in line with an organization’s risk tolerance and compliance requirements.