Best Practices

The definitive guide to digital tracking governance: Prevent non-compliant data sharing to marketing partners

Ben Werner
April 30, 2024

What is digital tracking governance?

Digital tracking governance is responsibly managing personal data shared with marketing partners by honoring user preferences. Marketing partners like Meta and Google collect personal data via pixels (also known as trackers or tags), cookies, tag managers, SDKs, and APIs to measure campaign performance, retarget users, and target similar users.

The goal of digital tracking governance is to ensure that user-level data shared with marketing partners or any other third parties is compliant with all applicable regulations and internal privacy policies. 

Recent privacy regulations in the US are making digital tracking governance critical for almost any company running digital advertising. As of March 2024, enforcement is live for two groundbreaking data privacy regulations: the California Privacy Rights Act (CPRA) and Washington state’s My Health My Data Act (MHMDA). Both regulations put more onus on companies to collect, track and uphold consent before sharing user data.

This presents a huge challenge for websites and apps that are often covered with pixels and SDKs from marketing partners collecting user data on every visit. Even if cookie consent banners are implemented, web events may still send data to pixels without consent. Full visibility and governance of how pixels, tag managers, and SDKs actually collect personal data is needed to ensure compliance.  

To address this challenge, companies need to implement digital tracking governance, which is comprised of four key activities: 

  • Cataloging marketing partners: Create an inventory of all marketing and advertising third party integrations on your digital properties - web and mobile. These third parties can be integrated via pixels, SDKs, APIs, tags, beacons, etc.
  • Monitoring data flows: Continuously monitor all personal data elements sent to marketing partners and verify them against user consent preferences and your privacy policy
  • Honoring consent: Design workflows to capture consent and share data according to user preferences and compliant with each state or country’s regulations 
  • Implementing controls: Put guardrails in the development process for websites, apps, and backend systems to prevent non-compliant data sharing

In addition to CPRA and MHMDA, digital tracking governance is critical for complying with CCPA, the FTC, and HIPAA in the US and GDPR in the EU. To address the complexity of maintaining compliance, best-in-class technology solutions are needed, most notably privacy code scanning and consent management platforms. 

Why digital tracking governance is so important

Digital tracking governance is becoming increasingly important for businesses to remain compliant. New regulations continue to be enacted that increase restrictions on companies collecting personal data and increase the ability of regulators to impose large fines on non-compliant companies. As of April 2024, 71% of all countries have enacted modern privacy regulations governing personal data. Just since the beginning of 2023, three countries (Switzerland, South Korea, and Saudi Arabia) and five U.S. states have put new privacy regulations into effect.

CPRA and CCPA: “Do Not Sell or Share”

The US is now quickly catching up to GDPR with various privacy laws recently going into effect. Most notably, enforcement for the California Privacy Rights Act (CPRA) began in February 2024. 

CPRA is a pivotal amendment to the already groundbreaking California Consumer Privacy Act (CCPA), which in 2018 was the first data privacy law passed in the US similar to GDPR. CPRA applies to companies doing business in the US state of California or processing data of individuals in California, and CPRA section 1798.120 requires companies to give users the option to opt out of the selling or sharing of their personal data. Under CCPA, opt-out consent was only required if companies were selling personal data. Compared to GDPR, CPRA allows users to be opted into data collection by default and allows first party cookies even if users opt out of data sharing. 

Under CPRA, any website or mobile app sharing personal data with third parties, including marketing partners like Meta, must give users the option to opt out of data sharing. This represents a significant challenge for US companies because it’s not uncommon for any given website to have 25 such third party pixels, especially if the company operating the site runs digital advertising. Marketing partner pixels place third party cookies, which attach an ID to the user, and collect all relevant personal data that may help measure advertising and improve retargeting performance. Meta’s pixel, for example, is estimated to be on 30% of the 80,000 most popular websites in the US.

Although no CPRA fines have occurred yet, companies such as Sephora have been fined for CCPA violations. Sephora was fined because they did not disclose to users that they sell personal data and their consent banners did not honor Global Privacy Control (GPC). GPC is a browser setting that users can turn on to notify all websites of their privacy preferences. Websites must be set up to honor every user’s GPC settings to be compliant with CCPA/CPRA. 

More fines are now likely to come with the CPRA’s establishment of a new privacy enforcement arm called the California Privacy Protection Agency (CPPA). Part of the CPPA’s stated mission is to “vigorously enforce the law against businesses that violate consumers’ privacy rights”, which includes levying fines. 

MHMDA (My Health My Data Act) 

In 2024, the state of Washington in the US set a new standard for protecting personal health data. On March 31, 2024, enforcement began for Washington’s My Health My Data Act (MHMDA). The MHMDA is arguably the most robust privacy law in the US and could completely change how some providers of health-related products operate. As it relates to digital tracking governance, the MHMDA requires opt-in consent before any company even collects personal health data, much less shares it. In that sense, the MHMDA is comparable with GDPR but just for personal health data. Also, the MHMDA applies strictly to companies operating in the state of Washington or targeting customers in Washington. 

When compared to the FTC, the MHMDA prohibits even the collection of personal health data without consent, whereas the FTC only limits the sharing of personal data without consent. Additionally, the MHMDA is a comprehensive law with a broader scope, targeting any company processing personal health data. Lastly, the MHMDA has the teeth to generate large financial penalties; it provides a clear and extensive definition for consumer health data and allows for enforcement via private lawsuits or fines imposed by the Washington attorney general. 

The FTC

The Federal Trade Commission (FTC) is a US government agency that enforces antitrust and consumer protection laws. With regard to privacy, the FTC takes enforcement action against illegal sharing of personal health, financial, and location data.

In 2021, the FTC hardened its stance on personal health data sharing outside of the healthcare industry. Section 5 of the FTC’s Health Breach Notification Rule (HBNR) regulates any company processing US citizen health data, meaning it covers companies outside of the healthcare industry that would not be regulated by HIPAA. The HBNR was originally designed to protect against security breaches of health data, but the 2021 FTC statement expanded the rule to restrict any sharing of personal health data without consent, specifically targeting companies with health applications or services. 

In response to the momentous Supreme Court ruling overturning Roe v. Wade in 2022, the FTC increased its scrutiny over personal health data sharing even further. The FTC was explicitly directed to protect consumers’ reproductive health information in the July 2022 Executive Order on Protecting Access to Reproductive Healthcare Services by President Joe Biden. Within a few days, the FTC issued a statement emphasizing its commitment to enforcing against illegal sharing of personal health and location data. The statement highlights how location data can reveal a lot of unwanted private information, especially personal reproductive matters.

Following up on this commitment, the FTC issued three major fines in 2023 and two more in April 2024. BetterHelp, GoodRx, Easy Healthcare (Premom app), Monument, and Cerebral were all fined for violating the expanded HBNR by sharing personal health data to marketing partners without consent. None of these companies are considered part of the healthcare industry by HIPAA standards, but they process health data for millions of customers through their websites and mobile apps.

On April 26, 2024, the FTC announced amendments to the HBNR that further clarify what is considered non-compliant data sharing and put additional requirements for notifying consumers and the FTC when a breach occurs. The revised rule makes it clear that it covers any entity processing personal health data, including through “online services and mobile applications”. Updates to the HBNR will likely go into effect in the summer of 2024.

In the case of BetterHelp, an online counseling service, they were fined $7.8M for sharing personal health data with Meta, Snapchat, Criteo, and Pinterest via pixels on their website and SDKs in their app. For example, these pixels were placed on their initial questionnaire page that asked health-related questions like “have you previously been to therapy?” and asked users to submit their name, email, and birth date. Not only did the digital trackers automatically collect this data when user submissions triggered web and app events; BetterHelp instructed Meta to create an audience of people similar to those who previously went to therapy and target them with ads.  

HIPAA

Long before the FTC got involved, HIPAA (the Health Insurance Portability and Accountability Act) has been protecting personal health data managed by healthcare and health insurance companies since 1996. In 2003, the HIPAA Privacy Rule went into effect, requiring healthcare-related companies to obtain patient consent before sharing protected health information with any third party not related to delivering the requisite health services. This means healthcare-related companies must have patients opt in before any personal health data can be shared with any company not related to the patient’s healthcare. 

Over the last few years, several healthcare systems have had to pay millions for violating the HIPAA Privacy Rule due to poor digital tracking governance. Three healthcare systems in particular, Mass General Brigham, Novant Health, and New York Presbyterian Hospital, all paid fines or settlements for the same reason; they shared thousands of patients’ personal health data with Meta via pixels on their patient-facing websites. Mass General Brigham paid the most out of the three, settling for $18.4M in 2022.

In addition to illegally sharing data with Meta, the investigation into New York Presbyterian Hospital (NYP) found non-compliant pixels sending data to Bing, Google, iHeartMedia, TikTok, The Trade Desk, and Twitter. The Meta, Google, and the Trade Desk pixels were set up to retarget visitors with targeted ads based on the page categories they had visited. For example, the investigation found that individuals who visited pages related to prostate cancer were then served ads on other websites related to prostate cancer. 

The digital tracking governance problem in healthcare is much bigger than just three healthcare systems. The investigative news publication, The Markup, found that out of the top 100 healthcare systems websites they tested, 33% had non-compliant pixels sending data to Meta when visitors clicked the button to schedule a doctor’s appointment. To understand the magnitude of this finding, these 33 healthcare systems reported more than 26M patient appointments in 2020. When The Markup alerted the 33 non-compliant healthcare systems of this issue, seven removed the Meta pixel from their appointment booking pages. 

GDPR

The EU led the way when it enacted the General Data Protection Regulation (GDPR) in 2018. Despite the recent regulations in the US, GDPR still imposes stricter digital tracking governance restrictions for companies doing business in the EU or processing data of individuals in the EU. Article 4 and Article 6 of GDPR require companies to obtain user consent before collecting, processing, or sharing any personal data. A key outcome of these articles is users must opt-in before companies can place first or third party cookies on their web browser, and users have to be opted out of data collection by default. 

The EU also has led the way in levying large fines on companies that break data privacy laws. Total annual GDPR fines have grown steadily from $77.5M in 2019 to $2.2B in 2023. Meta alone has been fined seven times for GDPR violations and was hit with the largest ever GDPR fine in 2023, a whopping $1.3B.

How digital tracking works

Digital tracking methods

Marketing partners like Meta and Google collect personal and other marketing-related data to measure campaign performance, retarget users, and target similar users. There are several different methods used to collect and share this data:

  1. Pixels (also known as tags)
  2. Third-party scripts
  3. Cookies
  4. Tag managers
  5. Mobile SDKs 
  6. APIs
  7. Customer data platforms (CDPs)

It is important to understand how these methods work at a high level to see how easy it is to accidentally share non-compliant data and what needs to be done to prevent it.

Pixels, scripts, tag managers, & mobile SDKs

Pixels and tag managers are snippets of code from marketing partners used for digital tracking on websites. SDKs, or software development kits, are software packages used in mobile apps for a number of things including digital tracking for marketing partners. 

To implement pixels, tag managers, or SDKs, your developers must deploy them in the website’s or app’s codebase. Once this is done, the marketing partner automatically receives the majority of data needed to measure campaigns, including some personal data such as cookie IDs and advertising IDs. 

The key difference between pixels and tag managers is: pixels send data to one marketing partner and tag managers can send data to many marketing partners. Once the developer deploys a tag manager, the marketing team can then set up the tag manager to send data to any marketing partner without developer support. Since tag managers control what data is sent to other marketing partners, direct integrations with tag managers are needed to track data flows from tag managers to each marketing partner.

Developers can deploy pixels and tag managers on specific web pages or to every page of a website domain. SDKs are deployed across an entire app, but developers can configure them to limit tracking. 

Generally, marketing teams and marketing partners want pixels and tag managers deployed on all web pages to give them the option to collect more data for performance optimization. Once pixels and tag managers are deployed, marketing teams can configure them to exclude tracking on certain pages. For web pages that collect sensitive data, like a medical appointment booking page, developers should not deploy pixels and tag managers on those pages at all, to prevent any possible sharing with marketing partners.

Each time a user visits a website or app with a marketing pixel, tag manager, or SDK, the tracker will automatically try to collect a user ID and attribute the user to an ad the user may have clicked or viewed. Pixels and tag managers identify users on web by placing a cookie in their browser; this enables the marketing partner to identify that user on other websites with their ads and trackers. Mobile SDKs, on the other hand, collect what’s known as a device ID by default, and as you may have guessed, this user ID is tied to the mobile device itself.

APIs

Pixels and SDKs can send data to marketing partners directly or via APIs. APIs (Application Programming Interfaces) are used to improve data collection quality and send data to more destinations. APIs must also be deployed by developers in the website’s or app’s codebase. 

Customer data platforms (CDPs)

The last common method for sending data to marketing partners is through customer data platforms or CDPs. CDPs are a centralized database solution for managing customer data from all touch points and systems. They serve a number of purposes including sharing select customer data to marketing partners to improve campaign performance. 

Like the methods previously mentioned, CDPs must first be deployed by developers in a website’s or app’s codebase. Then they are configured to send select data to select destinations based on the team’s needs. Since CDPs, like tag managers, control what data is sent to other marketing partners, direct integrations with CDPs are needed to track data flows from CDPs to each marketing partner.

Events and data flows

As mentioned above, pixels, tag managers, and SDKs collect personal data each time a user visits a web page or an app. When a web page or app loads, these trackers attempt to collect a user ID and several other types of data. On web, they collect all data in the URL, which includes the page name and typically what link or ad the user clicked to get to that page. They collect a standard set of data from the browser and the device like the type of device, IP address, location, time, etc. They also collect critical data from what are called events. 

Events are standard signals created in the codebase to record activity on websites or apps, and they are used for many purposes, not just marketing. Events can be set up for any action on a website or app, and they are critical for tracking how a user moves through a website or app. Websites and apps may trigger an event on every click or at a minimum, every time a user adds a product to cart, makes a purchase, or completes any other kind of conversion.    

Marketing teams and marketing partners want to collect this event data to measure how many conversions their campaigns drive and create retargeting audiences off of who triggered certain events. Sharing event data on its own such as purchase volume is not a privacy risk. Event data tied to a specific user can be a privacy risk though, and that is what trackers do. Once developers deploy pixels, tag managers, or SDKs, standard event data can be sent to marketing partners without developer support.

By default, most mobile SDKs automatically collect app installs, app opens, and in-app purchases. For other standard events like page visits, form fills, add to cart, etc., the marketing team can configure the trackers to collect the event result (yes/no) and the event value, which includes things like the form fill values (e.g., home address), product name, purchase value, etc.

For non-standard or atypical events, the marketing team needs developers to make changes in the codebase. This includes events that trackers are not designed to pick up or that the dev team has not yet created in the codebase. For everything else, marketing teams and sometimes their marketing agencies can determine what event data to collect and where to send it. 
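The sketch below puts a consent check in front of server-side event forwarding, following the point above that event data becomes a privacy risk once it is tied to a specific user. It is an added example, not code from Privado or any marketing partner; the regime names, the event fields and the `sensitive` flag are assumptions that simplify the rules this guide describes, and the sample event is constructed.

```javascript
// Added example: consent gate in front of server-side event forwarding.
// Regime names, field names and the `sensitive` flag are assumptions.

// Fields that tie an event to one person (constructed list for this example).
const USER_LEVEL_FIELDS = ["email", "ip", "cookieId", "deviceId", "birthDate", "fullName"];

// True when the request carries a Global Privacy Control signal.
// Browsers with GPC enabled send the request header "Sec-GPC: 1".
function hasGpcSignal(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Decide whether user-level data may go to a third party.
//   "opt_in"  (GDPR or MHMDA style): sharing needs an explicit yes.
//   "opt_out" (CPRA style): sharing is allowed until the user says no,
//             and a GPC signal counts as a no.
function maySharePersonalData(regime, consent, headers) {
  if (regime === "opt_in") return consent.sharing === "granted";
  if (regime === "opt_out") return consent.sharing !== "denied" && !hasGpcSignal(headers);
  return false; // unknown regime: fail closed
}

// Build what is actually sent to the marketing partner for one event.
function prepareForPartner(event, ctx) {
  // `sensitive` is an internal marker set by the site owner; never forwarded.
  const { sensitive, ...fields } = event;

  if (maySharePersonalData(ctx.regime, ctx.consent, ctx.headers)) {
    return { action: "forward", payload: fields };
  }
  // Events from health-related pages are withheld entirely without consent,
  // because the event itself reveals the category.
  if (sensitive) {
    return { action: "drop", payload: null };
  }
  // Otherwise keep the aggregate signal and strip everything user-level.
  const payload = {};
  for (const [key, value] of Object.entries(fields)) {
    if (!USER_LEVEL_FIELDS.includes(key)) payload[key] = value;
  }
  return { action: "forward_anonymous", payload };
}

// Constructed sample event (not real data).
const CONSTRUCTED_EVENT = {
  eventName: "add_to_cart",
  value: 49,
  email: "pat@example.com",
  ip: "203.0.113.7",
  sensitive: false,
};
```

An unknown regime falls through to the restrictive branch, so a misconfigured location rule strips identifiers instead of leaking them.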

Why Easy Healthcare and Monument were fined

With Meta’s pixel automatically collecting personal data from 30% of the 80,000 most popular websites in the US, it’s easy to see how non-compliant data could get shared accidentally.

Easy Healthcare Fine: Mobile SDKs

In the case of the FTC’s $100K fine on Easy Healthcare in 2023, it’s possible that its non-compliant data sharing was accidental. Easy Healthcare was fined strictly for sharing users’ device ID, IP address, and location to marketing partners through SDKs in their pregnancy tracking app, Premom.

Although Easy Healthcare didn’t explicitly send sensitive personal health data, the FTC considers any personal data coming from their pregnancy app as sensitive personal health data. Just by association with the app, third parties would know these users are tracking their pregnancy. 

According to the FTC, Easy Healthcare did not share this personal data for retargeting purposes; they simply shared personal identifiers with partners like Google and AppsFlyer. All it would take is to deploy their mobile SDKs with the default settings, and this personal data would automatically get sent to those marketing partners, no event configuration necessary. No marketing campaigns even need to be run.  

Monument Fine: Pixels and APIs

In the case of Monument, their non-compliant sharing was much more explicit. Monument is a New York-based alcohol addiction treatment service, and they were fined $2.5M by the FTC in 2024 for sharing personal health data against its privacy promises. According to the complaint, Monument’s website and other communications claimed they were HIPAA compliant and their users’ personal data would not be shared with any third parties. 

The FTC claims Monument sent sensitive health data to marketing partners to retarget customers and target new users. The data was allegedly shared via pixels and APIs after Monument set up standard and custom events on their website. The FTC says Monument gave the custom events titles that revealed sensitive details about its users such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service. To rest its case, the FTC states that Monument shared this event data tied to users’ personal identifiers such as email address and IP address. 

Key takeaways

In both cases, the marketing team is trying to use the right tools to measure and improve marketing, but they are not taking into account the privacy ramifications. For privacy teams, both incidents likely represent obvious privacy violations, but privacy teams typically don’t have the visibility to take action. They don’t get alerted when new trackers are added to websites and apps or new personal data is shared. This is why we need new solutions to bridge this visibility gap between privacy and the business. 

Digital tracking governance solutions

Consent management platforms are needed to collect, act on, and record consent. Data discovery solutions build a comprehensive inventory of all data in storage but cannot accurately map personal data sharing. Privacy code scanning enables full personal data sharing visibility and continuous governance to prevent non-compliant data sharing. Below, we will describe each solution’s capabilities, benefits, and limitations. 

Consent management platforms

What is a consent management platform?

Consent management platforms (CMP) collect, act on, and record user consent for websites and mobile apps. On the surface, these tools offer customizable cookie banners that allow users to opt in or out of data sharing. On the backend, consent management tools act on user preferences by limiting data sent to third parties and internal systems. 

Consent management may not seem like a big deal for companies that don’t share any user data with advertisers. These companies will likely build their own cookie banner for their website and implement internal data collection and sharing workflows without a consent management tool. 

For most companies running digital advertising, consent management platforms are critical for ensuring compliance with the complex web of privacy regulations mentioned in this article: CCPA, CPRA, MHMDA, the FTC, HIPAA, and GDPR. To achieve this goal, consent management platforms should include the following key features. 

Consent collection

  • Customizable consent/cookie banners and pop-ups for web and mobile app
  • User experiences responsive to regulations in user’s location and device/channel
  • Consent settings based on regulations and policies by location

Data flow configuration

  • Catalog of all cookies, pixels/tags/trackers, tag managers, and SDKs on websites and mobile apps via the CMP’s cookie scan, web SDK / script tag, and mobile SDK
  • Workflows that limit data sharing according to user consent choices by destination and based on sharing purpose; this includes sharing from backend systems via integrations and APIs 

Consent reporting 

  • Audit logs for proof of consent 
  • Consent preference analytics for compliance tracking 

Key benefits

  • Manages the complexity of compliance at scale: Universally manage consent collection and configure data sharing across all devices and locations in one solution
  • Enhances brand and customer trust: Openly demonstrate compliance and tailor the user experience to your business by location 
  • Improves advertising effectiveness and user insights: Collect and share more data in a compliant manner; due to the complexity of changing data flows based on consent, location, the type of data, and the use of data, many companies will unnecessarily block all data collecting and sharing 

Key limitations

  • Lacks full visibility into data collection and sharing: CMPs can only provide a surface-level view of what pixels, cookies, tag managers, or SDKs are deployed on a website or app. Without looking at a website’s or app’s code and backend data pipelines, it’s not possible to see every personal data element that is actually sent to which third parties. This is particularly true for data shared on the backend. Privacy teams would need to regularly review all workflows set up in the consent management platform and request engineering support in situations of doubt.
  • Relies on continual manual configuration to maintain compliance: If consent policies or data flows are not configured correctly for every device/channel, location, type of data, or third party, there are no alerts or safeguards to prevent non-compliant data sharing. Additionally, non-compliance can occur if the consent management platform is not updated when changes are made to the website or app by the engineering or marketing team. 
  • Reactive issue resolution: Non-compliant cookies, pixels, tag managers or SDKs can only be discovered after they are live; the same goes for non-compliant data flows. These solutions cannot proactively prevent issues in the software development process. 

Data discovery solutions

What are data discovery solutions? 

Data discovery solutions help companies build an inventory of all data they have in storage; this includes personal data and any other data relevant to the business. 

Although these solutions are effective at building data inventories, they offer no coverage for digital tracking governance. This is because data sharing occurs in the code of a website, app, or backend system. 

Data discovery solutions inventory data by scanning structured and unstructured data across data stores and select third party applications. Data discovery tools can scan column names and the actual data, using ML/AI techniques to discover and classify data.

Key benefits

Companies use data discovery solutions to build a data inventory for a number of reasons, depending on their needs.

  • Discover structured and unstructured data
  • Identify sensitive data
  • Help fulfill data subject access requests (DSARs)
  • Evaluate risk of breach
  • Lock down high risk data and control access
  • Execute data retention policies
  • Accelerate audits for regulators or M&A
  • Minimize data footprint for security, cost, and compliance

Key limitations

  • Lacks visibility into data collection and sharing: Data discovery solutions are good at determining what data is being stored; however, they cannot see how the data was collected, what it was used for, or where it was shared.
  • Requires extensive time and resources: As companies grow and acquire other companies, the amount of data and number of data stores a company has can quickly get out of control. For data discovery solutions to even scan a representative sample of all data stores, classify and deduplicate all data elements, it will often take 6-12 months to complete an implementation while expending significant internal and external resources. 
  • Relies on questionnaires and interviews to complete data maps and assessments: Because privacy teams can’t see how personal data was collected, used, or shared, they must ask product and engineering teams to fill in the gaps via questionnaires and/or interviews. This process takes up significant time from valuable technical resources and yields imprecise answers. As a result, data maps, RoPAs, PIAs, and DPIAs will be inaccurate and take months to complete. 
  • Quickly becomes out-of-date: With most product teams releasing software updates monthly if not weekly, data maps built from lengthy and manual data discovery processes become outdated as soon as the next software update collects, stores, or shares new data. 
  • Lacks privacy governance: Due to poor data sharing visibility, data discovery solutions cannot effectively implement controls to stop non-compliant data sharing.

Privacy code scanning

What is privacy code scanning?

Privacy code scanning solutions create full lifecycle data maps and implement programmatic privacy governance. They accomplish this by continuously scanning the code of the software built by a company’s product and engineering teams. For software-driven companies, the code on their website and in their user-facing and backend applications contains the logic that collects, uses, stores, and shares personal data. 

By scanning the codebase, privacy code scanning solutions can automatically identify and classify all personal data by using a combination of algorithms and AI/machine-learning models. This is a much more efficient process than scanning data stores because a company’s entire codebase lives in typically one, maybe two, source code management tools and only the code has to be scanned, not the enormous amount of data itself. 

In addition, privacy code scanning can automatically determine the context of personal data usage. Each instance can be linked to the exact code within an application, and that code indicates exactly how the data is used and shared.

With this level of real-time visibility, privacy code scanning solutions can implement privacy by design workflows to automatically flag and even block non-compliant data sharing before it happens. These workflows can be set up to track and enforce digital tracking governance for internal policies and privacy regulations like CCPA, CPRA, MHMDA, the FTC, HIPAA, and GDPR. Because privacy code scanning can be integrated into the dev process, non-compliant code can be flagged and fixed before it ever goes live. 
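To make the flag-and-block workflow concrete, here is a small scan over JavaScript source that finds `fbq(...)` and `gtag(...)` tracker calls, reports personal data fields passed to them, and returns a non-zero gate result when a sensitive event name is combined with personal data (the pattern in the Monument complaint). It is an added example, not Privado's product or code: it pattern-matches text rather than tracing data flows, and the key list, the sensitive-word list and the sample source are constructed assumptions.

```javascript
// Added example: minimal privacy code scan over JavaScript source text.
// It only pattern-matches tracker calls; nested object literals and
// values built by function calls are outside what this sketch handles.

// Call shapes recognised: fbq('track'|'trackCustom', name, {...}) and
// gtag('event', name, {...}). The parameter object is optional.
const TRACKER_CALL =
  /\b(fbq|gtag)\(\s*['"](track|trackCustom|event)['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*\{([^}]*)\})?/g;

// Names treated as personal data (constructed list, extend per policy).
const PERSONAL_KEY =
  /^(email|phone|ip|ip_address|dob|birth_?date|first_?name|last_?name|user_?id|device_?id|address)$/i;

// Words in an event name that reveal a sensitive category (constructed list).
const SENSITIVE_NAME = /\b(therapy|med|diagnosis|pregnan\w*|appointment)\b/i;

const PARTNER = { fbq: "Meta", gtag: "Google" };

// 1-based line number of a character offset.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

// Return the keys of an object-literal body whose key, or whose value's
// last path segment (user.email -> email), names personal data.
function personalFieldsIn(objectBody) {
  const fields = [];
  for (const part of objectBody.split(",")) {
    const colon = part.indexOf(":");
    const key = (colon === -1 ? part : part.slice(0, colon)).trim().replace(/^['"]|['"]$/g, "");
    if (!/^[A-Za-z_$][\w$]*$/.test(key)) continue; // not a plain property name
    const value = colon === -1 ? key : part.slice(colon + 1).trim();
    const tail = /([A-Za-z_$][\w$]*)$/.exec(value);
    if (PERSONAL_KEY.test(key) || (tail && PERSONAL_KEY.test(tail[1]))) fields.push(key);
  }
  return fields;
}

// Scan one file's text and return findings with the exact line to fix.
function scanSource(file, source) {
  const findings = [];
  for (const m of source.matchAll(TRACKER_CALL)) {
    const [, fn, , eventName, body = ""] = m;
    const personalFields = personalFieldsIn(body);
    const sensitiveName = SENSITIVE_NAME.test(eventName);
    if (personalFields.length === 0 && !sensitiveName) continue;
    findings.push({
      file,
      line: lineOf(source, m.index),
      partner: PARTNER[fn],
      eventName,
      personalFields,
      // Sensitive event tied to an identifier blocks the release;
      // either one alone is sent to the privacy team for review.
      severity: personalFields.length > 0 && sensitiveName ? "block" : "review",
    });
  }
  return findings;
}

// Exit status for a CI step: 1 stops the release, 0 lets it through.
function releaseGate(findings) {
  return findings.some((f) => f.severity === "block") ? 1 : 0;
}

// Constructed sample source, standing in for a file under review.
const SAMPLE_SOURCE = [
  "function onSignup(user, plan) {",
  "  fbq('trackCustom', 'Paid: Weekly Therapy', {",
  "    email: user.email,",
  "    value: plan.price",
  "  });",
  "  gtag('event', 'purchase', { value: plan.price, currency: 'USD' });",
  "  gtag('event', 'newsletter_signup', { label: user.email });",
  "}",
].join("\n");
```

Run against `SAMPLE_SOURCE`, the scan reports the call on line 2 as `block` and the one on line 7 as `review`, while the plain purchase event passes.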

To implement best-in-class digital tracking governance, privacy code scanning solutions should include the following key features.

Personal data visibility 

  • Inventory of all personal data collected, stored, or shared 
  • Sensitive data tags for CPRA, GDPR, MHMDA, etc. 
  • Inventory of all data destinations: third parties and internal systems receiving personal data via pixels, cookies, tag managers, SDKs, customer data platforms (CDPs), APIs, etc. 
  • Data flows showing every third party and internal data destination for each data element

Privacy governance

  • Risk discovery: Workflows to generate alerts for potential violations to internal policies and regulations like CCPA, CPRA, GDPR, MHMDA, and HIPAA
  • Risk prevention: Workflows to block non-compliant code, pixels, or SDKs during the dev release cycle
  • Assessment automation: Pre-filled, self-updating RoPAs, PIAs, DPIAs, etc. 

Developer enablement

  • Privacy risk alerts embedded in dev tools 
  • Root cause identification: Flag exact code causing risk

Key benefits

  • Unlocks comprehensive real-time personal data sharing visibility: Privacy code scanning is the only solution that can continually monitor exactly what personal data is shared to third parties from your company’s software, i.e., website, apps, and backend systems 
  • Eliminates manual and time-intensive data mapping activities: Fully automate data mapping in days instead of waiting months for data store scanning and/or developer teams to complete imprecise questionnaires 
  • Identify data sharing risks as they appear in the codebase: Get alerted even before any unapproved personal data is shared with a third party. By integrating with your company’s source code management tool, privacy code scans can run each time new code is submitted for review. Privacy teams can be notified each time live code or code in review may violate privacy policies; alerts can also be sent each time a new data element is shared or a new third party is receiving data. 
  • Prevent non-compliant data sharing in the dev process: Development teams can integrate privacy code scanning into their deployment process so that non-compliant code, pixels, or SDKs are blocked from going live
  • Ensure adherence to consent policies and regulations: Create workflows that send alerts and block code for any data shared without consent; these workflows complement cookie scanning and mobile app SDK scanning that continually monitors whether consent collection, cookie, pixel, and SDK deployments are compliant.
  • Enable developers to be privacy professionals: Educate developers as they code by automatically delivering privacy guidance when a risk is identified in the dev process 

Key limitations

  • Needs to be paired with consent management platform to collect, act on, and record consent
  • Most valuable to software-driven companies with developers 
  • Data shared in bulk via CSVs or cloud storage buckets will not be fully visible, e.g., any personal data manually uploaded to advertising platforms for remarketing audiences should be controlled by internal processes 

Key takeaways

  • Digital tracking governance is the practice of responsibly managing personal data shared with marketing partners by honoring user preferences. The goal is to ensure that user-level data shared to marketing partners or any other third parties is compliant with all applicable regulations and internal privacy policies. 
  • The influx of recent privacy regulation in the US and the EU’s GDPR makes digital tracking governance increasingly important for almost any company running digital advertising. As of March 2024, US companies must be compliant with the CPRA and MHMDA in addition to HIPAA and the FTC’s HBNR.
  • US privacy laws regulating digital tracking will only get stricter. Nearly every state without a privacy law in effect is currently in the process of implementing one.    
  • Privacy code scanning should be used in conjunction with a consent management platform to implement best-in-class digital tracking governance
  • Consent management platforms are critical for collecting, acting on, and recording consent, but they lack the full visibility and governance to ensure personal data doesn’t improperly leak to marketing partners
  • Privacy code scanning enables the complete and continuous visibility and governance needed to ensure compliance with today’s complex web of privacy regulations

Ben leads product marketing at Privado
