The Top Four Pitfalls Found in My Privacy Compliance DA Audits

On the one hand, according to KPMG research, 40% of consumers are skeptical of companies’ ability to protect their personal data and privacy online. However, BCG and Google and IAB surveys indicate that 75% of respondents only want to see advertisements that are relevant to their preferences. This is why it is critical to have solutions in place that address these two priority needs: privacy and relevant content.

As a senior digital analytics expert and team lead, I have conducted several privacy audits over the years, and through the process have identified some pitfalls that I believe are more common than others and can jeopardize data protection. Fear not, for this article unveils these treacherous traps! Prepare to learn about the top four things to avoid when configuring privacy settings in your digital analytics deployment.

The "Track Everything" Temptation

Ah yes, the allure of “Tracking Everything” that will inevitably cross our minds: “There is no priority or business case, we want to track everything.” But wait, dear data adventurers, let us not abandon the noble principle of “privacy by design.” Casting this principle aside brings great peril to our ethical data practices.

The Track Everything temptation is frequently felt by teams with large budgets that are using multiple analytics tools to track the same data points, spending the majority of their time arguing about which tool is registering the correct numbers. They want to be able to answer any question, when what they should be focusing on is finding the right questions to ask.

This is because the Tracking Everything approach puts privacy at risk: in fact, this statement directly contradicts the principles of privacy by design. It will put the brand in the position of collecting information they don’t need, breaching the privacy of the final user. Essentially, you would be spending a lot of money to risk paying a large fine. 

Regardless of privacy concerns, this behavior is costly in other ways. It reveals some data immaturity, which can lead to difficulties in keeping your data sets tidy and cost-effective. As a result, data consumers may become skeptical of your analytics product.

This prioritization can be accomplished through a well-defined measurement strategy. To define said strategy, consider which signals you would most likely expect to see in your data set when users are engaged (or not).

As a preliminary step, I recommend hosting a workshop with all stakeholders to define priorities and leverages. Then—and only then—start collecting data. This will help you develop a reliable and trusted source of truth that includes all relevant stakeholders.

You can always add data points as you go through your analysis and come up with new intelligent questions, but tracking data simply for the sake of having it is wrong. Your stakeholders will be grateful. People who need to kill ants should not be sold bazookas. Help them grow at a pace they are ready for.

Implicit Consent by Default

I frequently see implicit consent set as the default setting, and other regulations such as GDPR applied on a regional basis. If your CMP's geolocation is blocked for any reason (yes, I've seen this happen), you run the risk of implicit consent being applied to countries where stricter regulations should be applied instead.

If the company operates primarily in a region where implicit consent is permitted, it may make sense for the DPO to accept the risk and leave it alone. However, if you want to be privacy champions, the default setting should be the safest option available—that is, the stricter regulations should be applied by default, while the more lenient regulations should be applied on a country-by-country basis. Consider that most regions that do not have a regulation are evaluating its enforcement, and it is never too early to demonstrate to your users that you care about them.

The Regional Tag Triggers

A common misconception is that marketing tags do not require blocking triggers if they only fire on region-specific sections of websites. 

Because this type of deployment is "tag specific," it will necessitate extensive maintenance and is more prone to human error. Furthermore, even if implicit consent is assumed for a specific region, it is critical to follow privacy regulations such as ePrivacy and GDPR when individuals in other regions (e.g. the EU) access an app or a website.

Instead of relying on tag management system triggers, ensure a scalable and privacy-compliant deployment by centralizing the decision on implicit or explicit consent in your CMP. Ensure that all marketing tags have the same consent set-up, regardless of where they should fire (e.g. fire only if ad_storage is set to granted). If they're marketing tags, they'll always be marketing tags, no matter where they fire!

In Google Tag Manager 360, employing a zone-based approach to group tags with the same purpose can be highly effective. This enables you to configure consent compliance only once for a specific zone (say, "marketing tags") and apply it to all tags that belong to it.

Misunderstanding the Scope of Google Analytics Tags

It is a common misconception that GA tags only set cookies for analytics purposes. However, both GA3 (Universal Analytics) and GA4 make use of features such as Google Signals and Remarketing, which require user consent to use personalization and remarketing identifiers.

Fear not, for Consent Mode arrives on the scene, championing compliance effortlessly. When properly set up, Consent Mode takes care of consent-based features automatically. Yet, if it's not in sight, we must devise an explicit setup.

When Consent Mode is not in place, you can disable Google Signals and/or the Remarketing features programmatically. All advertising personalization features can be disabled by setting the "google_signals" parameter to "false" by default and "true" only when the user consents to being identified for marketing purposes.

In short, consider these common pitfalls and proposed solutions to ensure compliance with privacy regulations when deploying privacy settings for digital data collection. Prioritizing privacy not only protects individuals' personal information, but also contributes to brand trust and, ultimately, improves your customer experience.

Finally, please keep in mind that this is not legal advice, but rather my ethical position on the subject. When making privacy-related decisions, we recommend that you consult with your DPO and legal team.