Navigating the Risks of Website Tracking Technologies

Transcript

Alitia Faccone:

Welcome to Jackson Lewis's podcast, We Get Work. Focused solely on workplace issues, it is our job to help employers develop proactive strategies, strong policies, and business-oriented solutions to cultivate an engaged, stable, and inclusive workforce. Our podcast identifies issues that influence and impact the workplace, and its continuing evolution and helps answer the question on every employer's mind. How will my business be impacted? While website tracking technologies can provide value to organizations including product optimization, generating leads, understanding growth metrics and targeting ads, the use of these technologies carry significant litigation and regulatory risks. To manage these risks, businesses need to wrap their heads around what trackers are used on their websites, what data those trackers collect, and how that data is used. On this episode of We Get Work, the first of our six-part privacy data and cybersecurity podcast series, we discuss the intricacies of website tracking technologies, why they're used and practical steps organizations can take to manage and minimize risk.

Our host today are Damon Silver, principle in the New York City office of Jackson Lewis, and Dirk Shaw, CMO and Co-founder of Second Site. Damon works with clients to develop strategies that enable them to pursue their business objectives without assuming unacceptable data privacy and security risks. Dirk thrives on re-imagining businesses and driving digital innovation through the convergence of operations, technology, commerce, and culture, and is held executive positions at large digital agencies. Damon and Dirk, the question on everyone's mind today is, how can organizations safely leverage the benefits of website tracking technologies and how does that impact my business?

Damon Silver:

Hey everyone, thanks for joining us. My name is Damon Silver and I'm a principle in Jackson Lewis's New York City office and a member of the firm's Privacy Data and cybersecurity group. I'm joined today by Dirk Shaw, who's CMO and Co-founder of Second Site. Our topic today is website tracking technologies, in particular, what they are, why they're used, what risks they pose, and what steps organizations can take to mitigate those risks. To get us started, Dirk, perhaps you can talk a little bit about your background in marketing and then give our listeners an overview of what website tracking technologies are commonly run on business websites and why and how those technologies are used.

Dirk Shaw:

Sure.Thanks Damon. Yeah, Dirk Shaw, chief marketing officer of Second Site. Prior to joining Second Site, I spent the last couple of decades working at large digital agencies building digital products and websites for companies like Ford, Marriott, Intel, Cisco, to name a few. Tracking technologies are used for a variety of reasons, and what's been really fun about this project with Damon and his team is it's kind of like educating me on the flip side of the risk that I've been creating as a marketer for the last couple of decades, and I think that has been enlightening. What I'll do is share that perspective of marketers and the technologies that are put in place. On the risk side, it's easy to just say, let's shut those things down because they're creating risk. As a marketer who's been responsible for P & L, growth metrics, lead gen, I can tell you categorically, that you can't just turn things off because they play a really intricate role in how digital is utilized and how effective it is.

The megapixel and a lot of where we'll focus on the legal side has largely been, I guess, centered on things that would tie to advertising, retargeting and targeting of ads, but it's much more than that. At Second Site in particular, we use the technologies to help drive optimization of our products. If we can understand that people are spending a lot of time on a particular page and they're leaving that page, we're not doing anything other than feeding that back into our product team to say people are being stuck here. Tracking technologies work across a variety of use cases from advertising, lead generation, to product optimization.

Damon Silver:

Thanks, Dirk. That's really helpful. There's certainly no disputing that these tracking technologies can benefit organizations in a variety of ways. I guess my role here, certainly not to say no, don't use them, take them all down. I know that's not practical, but I do think businesses that are using these types of technologies do need to be mindful of the risks, and I wanted to run through what some of those risks look like and then a little bit later, maybe we can talk about ways to continue getting the benefits from this technologies while also, managing some of these risks in a way that is consistent with the company's objectives and risk tolerance. On the risk side, probably the most notable development we've seen in the last 18 months or so is that well over 100 lawsuits have been filed alleging that the use of various website tracking technologies violates wiretap and video privacy laws or otherwise, violates website user privacy.

The heaviest concentration of these lawsuits has been against organizations in the healthcare space, but the plaintiff's bar has also targeted organizations in various other industries, including retail, insurance, real estate and tax preparation, along with airlines and car companies. Website tracking technologies have also garnered regulatory attention, in particular from the FTC and the Department of Health and Human Services, each of which has issued guidance on the privacy concerns that these technologies present.

Organizations also need to be mindful of how their use of website tracking technologies is going to impact their compliance with the comprehensive privacy laws that have taken or will soon take effect across the US. California CCPA, leading the charge as well as for those clients that have operations abroad considerations under other privacy frameworks like the GDPR and the EU and UK. Some of the things when it comes to complying with these laws that could be implicated here is ensuring that the use of website tracking technologies is adequately disclosed in privacy policies and notices, ensuring that when there are vendors, other parties involved in the collection and processing of this data, that the agreements with those parties include appropriate data protection provisions, and then preparing for requests from data subjects to exercise their rights under these various privacy laws such as the right to request deletion or to opt out of the sale or to limit how this information is being used.

That's sort of the landscape of the risk that we're looking at here, and we recognize that for a lot of companies, it's hard to even figure out where to start. It's a little bit overwhelming, and to help clients deal with these new challenges, something that Dirk and I and our respective teams have been working on for months now is collaborating on a website compliance assessment. The goal of which is to enable our clients to more clearly understand what tracking technologies are in use on their sites, what value those trackers are currently providing to the extent they are, and how the client can mitigate the risks those technologies pose while continuing to enjoy some of the benefits that Dirk was discussing earlier. The first step in that process is helping clients wrap their heads around what technologies are in use on their websites. Dirk, maybe you can talk a bit about second site's privacy, exposure scan, how it works, and some of the insights that it provides.

Dirk Shaw:

Yeah, and Damon, thanks, so basically what I heard you say is everyone is at risk who has a website. I think maybe when we think about what we've built together as part of this process, Damon, it's the design philosophy, if you will, was really to help non-marketers, if you will, non-digital marketers understand what's being collected. We look across things like the Facebook Megapixel, to Google Analytics, to third party cookies, to session recorders, and there are roughly six to seven different categories of analytics, but those analytics by themselves are fairly meaningless to anyone. I can look at them and understand intuitively what they are. Since I've deployed these in my career, I understand what the types of applications and analytical use cases are. Compliance officer, chief legal counsel, or any roles in an organization would look at it at its baseline and not understand how does this matter? Why does this matter?

What we've really been focused on is like me as a marketer, if I were building a report to be able to go and have a conversation with my counterparts on that side, how would I distill what I'm doing to have a really clear ledger, if you will, of what technologies have been put in place so that way I can have a common vocabulary to discuss the risk and trade-offs with the people who have to manage the risk on the other side of the business. I think that's been the process that's been really helpful for me in working with you, Damon, through this process is like, okay, well, if I have to explain what is going on and what I'm tracking, how do I do that in a way that needs to be almost like an executive summary for someone else to be able to look at, so I can have a conversation with them and chief legal counsel or privacy officer or whoever the other responsible party is, can have a conversation with the marketer?

That's been our kind of design principle is really to just distill things down to understand what's being tagged, why does it matter, what is the purpose? That's the kind of high level view of the report. We'd also designed this in a way that's frictionless. Through our partnership with Jackson Lewis, it's really just a matter of going to the URL that's part of the program, entering some basic information, and the URL or URLs, because we realized that some people have an ecosystem of digital properties, and so entering those in and then the scans just trigger and do their work and generate the analysis independent. That goes obviously over to you guys, Damon, for your review. Once you get through the review cycle, we then turn on always on monitoring for a year so we can begin to track and observe any changes over time. That kind of in a high level summary of that is we try to make it easy for folks on both sides of the coin to understand what's going on and make it easy to get started and to be able to watch the technology landscape, if you will, as it relates to any of these trackers change over time.

Damon Silver:

Yeah, thanks Dirk. That's great. Yeah, so I mean the whole idea here is to sort of decode what is going on a client's website so that they can start to gain an understanding of what information they're collecting, where it's coming from, where it's going, how it's being used, and the scanning tool that Second Site has developed is a critical component of that because it really, does to Dirk's point, it lays everything out in a very user-friendly manner, basically as an executive summary, then backed up with all the granular details. Once that comes in to Jackson Lewis that the next step that we take, once we take over the ball from Second Site, is to help our clients sort of place that information, which is now presented in a clear format in the context of the relevant legal landscape.

We get the report from Second Site, we see what technologies are in use. We also take a look at the website itself because there are other risk factors that could be at play there, such as the client's use of chat bots or web forms, other ways of collecting information aside from the website trackers. We look at whether video content is being shown because there is a video privacy law that has been the basis for a number of lawsuits. We also take a look at the client's privacy policy just to get a sense for whether it is compliant with some of the recent changes in the law and also, what its disclosures look like around all of the tracking technologies that we now know it is using. Once we have done that review, we then sort of package everything together into a memo, that from a high level it is designed to summarize the findings that Second Site made through its scan, our findings at Jackson Lewis through our review. What that means in terms of legal risks, what types of potential violations are generated by the combination of the data being collected and disclosures that are or are not currently there, and then what should the client do about it?

What are some of the action items they can take to better manage this risk and how should they think about triaging which of those actions to take for a second and third? We present that memo to the client and then have a meeting with the client's team that is tasked with handling this issue to sort of talk through first, of course, any questions that the client has, but also to really focus on those action items. What will the plan be going forward to take this very helpful data and turn it into something that is actionable for the client as part of their risk management strategy.

Dirk, just switching gears a little bit as we near the finish line here, from what organizations can be doing in the present to address this website tracking and just website and app-related risk, to what this area may look like in the future, which I know is a topic you and I have gone back and forth on a little bit. We've seen a lot of discussion recently about decisions Apple, Google Meta, and some of the other big players in the space have made around the use of tracking technologies on their platforms and their devices. Putting on your marketing hat, what are you expecting in terms of the use of these technologies and the types of technologies that are used if we fast forward 2, 3, 4, or five years?

Dirk Shaw:

Well, I mean, think we're, even if we zoom in to next year, this year, and folks who aren't close to marketing might not have been paying attention for the last several years, but there's been this concept of cookie-less world, right? Getting rid of third party cookies for enrichment of first party data. What's going to happen is that is going to create, I would imagine if we look across our seven categories of analytics, we're going to see a dip in certain types of technologies that might be in the third party cookies or the ad trackers, but what will happen is other things will start to grow and we don't know what those things are just yet, but I can tell you as a marketer, we will be looking for new ways and new solutions so that way our cost of acquisition, our revenue from our website, all of the metrics that matter to us as marketers and using digital platforms still matter.

I think what we'll end up seeing is there's going to be a whole new category of technologies that emerge from some of the more recent, it's not really recent, we've been talking about this as marketers for a couple of years now, is cookie-less marketing. What Google is doing with their Google Analytics for is going to cause an impact on traffic, on the data that we can capture. There'll be new technologies and that's kind of like, I mean you've worked with us long enough to know, Damon, we're constantly scanning the edge of what's next and looking for new signals, if you will. Technically speaking, we're looking for those new signals. I think when it relates to just trackers and the pixel landscape, there will be new players that merge. This was exchange you and I had recently also, was just on AI.

I mean, AI is being deployed on websites and there's some disclosures that are happening where it's like, hey, we saw the snafu with Zoom and when they said they're going to start capturing and using all your information to train, and then two days later their head of product says, "Well, maybe not," so that was user backlash, but that's what I would call you opting in to your data being collected that's text or video. There's a lot of other ways where AI is capturing you behaviorally. If you click on something, so the reinforcement learning that's happening on AI platforms and AI will start to become so transparent in the user interactions.

Right now it's pretty obvious I'm going to ChatGPT and there's a chat bot, but once it starts to become much more transparent to the users, I think that is a great method for data collection as a marketer because you're looking at signals and now I can process volumes of signals because I have AI in the background to do it, but the user might not realize they're participating in training models. I think that this will start to, it's like pixel tracking and all this stuff is fairly defined space, but this next horizon that exists with AI is probably going to be the next topic you and I start to unpack for what is that balance between creating good experiences that help drive growth but is also compliant, if you will.

Damon Silver:

Yeah, lots of interesting ways this could all go, and I think we likely will have to have another round to just tackle AI itself because a lot to unpack there for sure.

Dirk Shaw:

Not to interrupt you, Damon, but I want to turn the table on you maybe as a final question.

Damon Silver:

Sure.

Dirk Shaw:

If you were to, and I've learned a lot in our interactions, but for all of your customers who are going to talk potentially with their marketing counterparts, what advice would you give them to be able to have the conversation from their perspective with a legal, a risk hat on? What would you advise them to do to say, to interact so it's a collaborative session? It's not one because I've had it where, "Hey, you need to do this." I think it has to be collaborative, so what advice would you give?

Damon Silver:

Yeah, I mean, I think that last point you made is a really key one, Dirk, which is basically setting the table for it to be a collaboration. Someone in legal, someone in compliance who is trying to figure out how best to mitigate the risk imposed by all of these tracking technologies and the use of data in various different ways for the business benefit of the organization. Going to the marketing people and saying right upfront, I recognize there are a lot of benefits to these technologies, to this data. I'm not here to put constraints on the way we're doing things if they're working, but I do need to understand what it is we're doing so that we together can figure out the best way for us to do this without getting in a whole bunch of legal trouble without harming our brand reputation. I think there is a way, and I think the law allows you a way to continue to do a lot of this business beneficial activity, but at the same time be transparent, give data subjects some rights over how their data is being used, and just not having it be a sort of black box where a lot of stuff is happening.

We only find out about it when one of the really big players in the space is hit with a whole bunch of lawsuits, have it be more of an open forum where people understand, and I think a lot of people are okay with it. They see the benefit to the fact that when they show up at a website, it knows they were there before. It knows their preferences. It can show them new products they might be interested in based on their past search and purchasing history. That's not necessarily something people are against, but people don't like to feel like this is happening with without their knowledge or in ways that is taking advantage of them. I think from a purely business standpoint, it's beneficial, of course, not to put people, not to put your customers in that mindset.

I think that is the type of discussion that could be really productive where everyone is working towards the same goal and needs to understand, the marketer needs to understand the legal implications, the attorney needs to understand what is happening and why it's beneficial from a marketing perspective, and then there's some type of consensus reached around how to balance things.

Dirk Shaw:

Yeah, that's good. I think the headline could be, privacy is a brand differentiator for there to be a healthy collaboration for marketers to really understand the nuances of privacy, and that's not just adding the okay to all cookies to a website. It's like really understanding it and thinking about how do I make that part of my communication so my customers have complete trust and it helps support brand reputation? That's good.

Damon Silver:

Yeah, 100%, I agree, and Dirk, really appreciate you making the time today and sharing all your insights. I think this has been certainly really helpful for me and hopefully for our listeners as well. Also, of course, want to thank everyone who tuned in to listen to this, and I did want to note that this episode is part of a series that Jackson Lewis is doing on various data privacy and security topics. We're also covering cyber insurance, incident response plans, vendor data risk among other areas. If any of those other topics are of interest, please check out the rest of the series.

Alitia Faccone:

Thank you for joining us on We Get Work. Please tune into our next program where we will continue to tell you not only what's legal, but what is effective. We get Work is available to stream and subscribe on Apple Podcasts, Google Podcasts, Libsyn, Pandora, SoundCloud, Spotify, Stitcher, and YouTube. For more information on today's topic, our presenters and other Jackson Lewis resources, visit jacksonlewis.com. As a reminder, this material is provided for informational purposes only. It is not intended to constitute legal advice, nor does it create a client lawyer relationship between Jackson Lewis and any recipient.