Guide to Digital Tracking Governance: Prevent Non-Compliant Data Sharing

What is digital tracking governance?

Digital tracking governance is responsibly managing personal data shared with marketing partners by honoring user consent. Marketing partners like Meta and Google collect personal data via pixels (also known as trackers or tags), cookies, tag managers, SDKs, and APIs to measure campaign performance, retarget users, and target similar users.

The goal of digital tracking governance is to ensure that user-level data shared with marketing partners or any other third parties is compliant with all applicable regulations and internal privacy policies. 

Recent privacy enforcements in the US are making digital tracking governance critical for most any company running digital advertising. Since enforcement began for the California Privacy Rights Act (CPRA) amendment to CCPA in 2024, Todd Snyder, Honda, and Tilting Point have received major privacy fines for sharing personal data without proper consent from websites and apps. Additionally, thousands of companies since 2022 have received threats of a lawsuit for violating the California Invasion of Privacy Act (CIPA).

This presents a huge challenge for websites and apps that are often covered with pixels and SDKs from marketing partners collecting user data on every visit. Even if cookie consent banners are implemented, web events may still send data to pixels without consent. Full visibility and governance of how pixels, tag managers, and SDKs actually collect personal data is needed to ensure compliance.  

To address this challenge, companies need to implement digital tracking governance, which is comprised of four key activities: 

• Cataloging marketing partners: Create an inventory of all marketing and advertising third party integrations on your digital properties - web and mobile. These third parties can be integrated via pixels, SDKs, APIs, tags, beacons, etc.
• Monitoring data flows: Continuously monitor all personal data elements sent to marketing partners and verify them against user consent preferences and your privacy policy
• Honoring consent: Design workflows to capture consent and share data according to user preferences and compliant with each state or country’s regulations 
• Implementing controls: Put guardrails in the development process for websites, apps, and backend systems to prevent non-compliant data sharing

In addition to CCPA and CIPA, digital tracking governance is critical for complying with the FTC, HIPAA, and other state laws in the US and GDPR in the EU. To address the complexity of maintaining compliance, best-in-class technology solutions are needed, most notably product privacy management and consent management platforms. 

Why digital tracking governance is so important

CIPA (California Invasion of Privacy Act)

The California Invasion of Privacy Act (CIPA) was enacted all the way back in 1967 to prevent wiretapping or eavesdropping on telephones. Even though CIPA was not designed to regulate online privacy, lawyers have argued that the use of web and app tracking technologies without consent is equivalent to the wiretapping that CIPA prohibits.

This decades-old law is now responsible for at least 1,641 online privacy lawsuits since 2022. Since many of these claims are being filed in private arbitration and are resolved without any publicly filed lawsuits, the law firm Fisher Phillips estimates that the number of businesses affected since 2022 is closer to 5,000. You might be wondering: why are lawyers suing under the obscure CIPA law instead of the new CPRA?

CPRA does not provide a private right of action for privacy violations. Only the California Attorney General’s Office can take action against companies violating CPRA’s “Do Not Sell or Share” rule.  

CIPA on the other hand does provide a private right of action, and lawyers are currently looking to get as many quick CIPA settlements as possible. To make a claim, Fisher Phillips law firm reports that law firms often pay a “tester” to use websites and apps and document the personal data shared to third parties when the user opts out, opts in, or takes no action. With this information, law firms are threatening companies with large class action lawsuits in an effort oftentimes to reach a quick settlement.

For the nearly 1,700 CIPA online privacy lawsuits that have been filed publicly since 2022, the courts are still litigating how CIPA should be applied to online privacy. Regardless, more US companies than ever are now at risk of expensive privacy lawsuits.

CPRA and CCPA: “Do Not Sell or Share”

The US is now quickly catching up to GDPR with various privacy laws recently going into effect. Most notably, enforcement for the California Privacy Rights Act (CPRA) began in February 2024. 

CPRA is a pivotal amendment to the already groundbreaking California Consumer Privacy Act (CCPA), which in 2018 was the first data privacy law passed in the US similar to GDPR. CPRA applies to companies doing business in the US state of California or processing data of individuals in California, and CPRA section 1798.120 requires companies to give users the option to opt out of the selling or sharing of their personal data. Under CCPA, opt-out consent was only required if companies were selling personal data. Compared to GDPR, CPRA allows users to be opted into data collection by default and allows first party cookies even if users opt out of data sharing. 

Under CPRA, any website or mobile app sharing personal data with third parties, including marketing partners like Meta, must give users the option to opt out of data sharing. This represents a significant challenge for US companies because it’s not uncommon for any given website to have 25 such third party pixels, especially if the company operating the site runs digital advertising. Marketing partner pixels place third party cookies, which attach an ID to the user, and collect all relevant personal data that may help measure advertising and improve retargeting performance. Meta’s pixel for example is estimated to be on 30% of the 80,000 most popular websites in the US. 

Although no CPRA fines have occurred yet, companies such as Sephora have been fined for CCPA violations. Sephora was fined because they did not disclose to users that they sell personal data and their consent banners did not honor Global Privacy Control (GPC). GPC is a browser setting that users can turn on to notify all websites of their privacy preferences. Websites must be set up to honor every user’s GPC settings to be compliant with CCPA/CPRA. 

More fines are now likely to come with the CPRA’s establishment of a new privacy enforcement arm called the California Privacy Protection Agency (CPPA). Part of the CPPA’s stated mission is to “vigorously enforce the law against businesses that violate consumers’ privacy rights”, which includes levying fines. 

MHMDA (My Health My Data Act) 

In 2024, the state of Washington in the US set a new standard for protecting personal health data. On March 31, 2024, enforcement began for Washington’s My Health My Data Act (MHMDA). The MHMDA is arguably the most robust privacy law in the US and could completely change how some providers of health-related products operate. As it relates to digital tracking governance, the MHMDA requires opt-in consent before any company even collects personal health data, much less shares it. In that sense, the MHMDA is comparable with GDPR but just for personal health data. Also, the MHMDA applies strictly to companies operating in the state of Washington or targeting customers in Washington. 

When compared to the FTC, the MHMDA prohibits even the collection of personal health data without consent, whereas the FTC only limits the sharing of personal data without consent. Additionally, the MHMDA is a comprehensive law with a broader scope, targeting any company processing personal health data. Lastly, the MHMDA has the teeth to generate large financial penalties; it provides a clear and extensive definition for consumer health data and allows for enforcement via private lawsuits or fines imposed by the Washington attorney general. 

Amazon received the first lawsuit for allegedly violating MHMDA in February 2025. The suit alleges that Amazon’s Ads SDK used by thousands of mobile apps collected users’ location and health data without explicit consent. 

VPPA

The Video Privacy Protection Act (VPPA) is a federal law passed in 1988 to prevent what it refers to as "wrongful disclosure of video tape rental or sale records". VPPA prohibits the disclosure of consumers’ video rental history containing personally identifiable information (PII) without explicit consumer consent, and the lawsuit allows for the private right to legal action. 

Similar to CIPA, there has been a large wave of VPPA lawsuits since 2023 targeting online video companies who share video viewing history tied to PII with marketing partners via websites, mobile apps, and connected TV apps. 

In April 2025, Roku was sued because its connected TV apps and websites allegedly violated VPPA by sharing customers’ PII with video viewing data to third parties such as Google, New Relic, Meta, LinkedIn, Nextdoor, and Innovid without obtaining explicit consent from customers. 

The FTC

The Federal Trade Commission (FTC) is a US government agency that enforces antitrust and consumer protection laws. In regards to privacy, the FTC enforces illegal sharing of personal health, financial, and location data.

In 2021, the FTC hardened its stance on personal health data sharing outside of the healthcare industry. Section 5 of the FTC’s Health Breach Notification Rule (HBNR) regulates any company processing US citizen health data, meaning it covers companies outside of the healthcare industry that would not be regulated by HIPAA. The HBNR was originally designed to protect against security breaches of health data, but the 2021 FTC statement expanded the rule to restrict any sharing of personal health data without consent, specifically targeting companies with health applications or services. 

In response to the momentous Supreme Court ruling overturning Roe v. Wade in 2022, the FTC increased its scrutiny over personal health data sharing even further. The FTC was explicitly directed to protect consumers’ reproductive health information in the July 2022 Executive Order on Protecting Access to Reproductive Healthcare Services by President Joe Biden. Within a few days, the FTC issued a statement emphasizing their commitment to enforce illegal sharing of personal health and location data. The statement highlights how location data can reveal a lot of unwanted private information, especially personal reproductive matters. 

Following up on this commitment, the FTC issued three major fines in 2023 and two more in April 2024. BetterHelp, GoodRx, Easy Healthcare (Premom app), Monument, and Cerebral were all fined for violating the expanded HBNR by sharing personal health data to marketing partners without consent. None of these companies are considered part of the healthcare industry by HIPAA standards, but they process health data for millions of customers through their websites and mobile apps.

On April 26, 2024, the FTC announced amendments to the HBNR that further clarify what is considered non-compliant data sharing and put additional requirements for notifying consumers and the FTC when a breach occurs. The revised rule makes it clear that it covers any entity processing personal health data, including through “online services and mobile applications”. Updates to the HBNR will likely go into effect in the summer of 2024.

In the case of BetterHelp, an online counseling service, they were fined $7.8M for sharing personal health data with Meta, Snapchat, Criteo, and Pinterest via pixels on their website and SDKs in their app. For example, these pixels were placed on their initial questionnaire page that asked health-related questions like “have you previously been to therapy?” and asked users to submit their name, email, and birth date. Not only did the digital trackers automatically collect this data when user submissions triggered web and app events; BetterHelp instructed Meta to create an audience of people similar to those who previously went to therapy and target them with ads.  

HIPAA

Long before the FTC got involved, HIPAA (the Health Insurance Portability and Accountability Act) has been protecting personal health data managed by healthcare and health insurance companies since 1996. In 2003, the HIPAA Privacy Rule went into effect, requiring healthcare-related companies to obtain patient consent before sharing protected health information with any third party not related to delivering the requisite health services. This means healthcare-related companies must have patients opt in before any personal health data can be shared with any company not related to the patient’s healthcare. 

Over the last few years, several healthcare systems have had to pay millions for violating the HIPAA Privacy Rule due to poor digital tracking governance. Three healthcare systems in particular, Mass General Brigham, Novant Health, and New York Presbyterian Hospital, all paid fines or settlements for the same reason; they shared thousands of patients’ personal health data with Meta via pixels on their patient-facing websites. Mass General Brigham paid the most out of the three, settling for $18.4M in 2022.

In addition to illegally sharing data with Meta, the investigation into New York Presbyterian Hospital (NYP) found non-compliant pixels sending data to Bing, Google, iHeartMedia, TikTok, The Trade Desk, and Twitter. The Meta, Google, and the Trade Desk pixels were set up to retarget visitors with targeted ads based on the page categories they had visited. For example, the investigation found that individuals who visited pages related to prostate cancer were then served ads on other websites related to prostate cancer. 

The digital tracking governance problem in healthcare is much bigger than just three healthcare systems. The investigative news publication, The Markup, found that out of the top 100 healthcare systems websites they tested, 33% had non-compliant pixels sending data to Meta when visitors clicked the button to schedule a doctor’s appointment. To understand the magnitude of this finding, these 33 healthcare systems reported more than 26M patient appointments in 2020. When The Markup alerted the 33 non-compliant healthcare systems of this issue, seven removed the Meta pixel from their appointment booking pages. 

GDPR

The EU led the way when it enacted the General Data Protection Regulation (GDPR) in 2018. Despite the recent regulations in the US, GDPR still imposes stricter digital tracking governance restrictions for companies doing business in the EU or processing data of individuals in the EU. Article 4 and Article 6 of GDPR require companies to obtain user consent before collecting, processing, or sharing any personal data. A key outcome of these articles is users must opt-in before companies can place first or third party cookies on their web browser, and users have to be opted out of data collection by default. 

In January 2025, the UK’s ICO announced its plans to assess and ensure compliance among the top 1,000 UK websites using automated monitoring, and in September 2024, France’s CNIL announced a 2025 investigation campaign into mobile apps that do not comply with its new recommendations for GDPR compliance. 

The EU also has led the way in levying large fines on companies that break data privacy laws. Total annual GDPR fines have grown steadily from $77.5M in 2019 to $2.2B in 2023. Meta alone has been fined seven times for GDPR violations and was hit with the largest ever GDPR fine in 2023, a whopping $1.3B. 

How digital tracking works

Digital tracking methods

Marketing partners like Meta and Google collect personal and other marketing-related data to measure campaign performance, retarget users, and target similar users. There are several different methods used to collect and share this data:

• Pixels (also known as tags)
• Third-party scripts
• Cookies
• Tag managers
• Mobile SDKs 
• APIs
• Customer data platforms (CDPs)

It is important to understand how methods work at a high-level to see how easy it is to accidentally share non-compliant data and what needs to be done to prevent it. 

Pixels, scripts, tag managers, & mobile SDKs

Pixels and tag managers are snippets of code from marketing partners used for digital tracking on websites. SDKs, or software development kits, are software packages used in mobile apps for a number of things including digital tracking for marketing partners. 

To implement pixels, tag managers, or SDKs, your developers must deploy them in the website’s or app’s codebase. Once this is done, the marketing partner automatically receives the majority of data needed to measure campaigns, including some personal data such as cookie IDs and advertising IDs. 

The key difference between pixels and tag managers is: pixels send data to one marketing partner and tag managers can send data to many marketing partners. Once the developer deploys a tag manager, the marketing team can then set up the tag manager to send data to any marketing partner without developer support. Since tag managers control what data is sent to other marketing partners, direct integrations with tag managers are needed to track data flows from tag managers to each marketing partner.

Developers can deploy pixels and tag managers on specific web pages or to every page of a website domain. SDKs are deployed across an entire app, but developers can configure them to limit tracking. 

Generally, marketing teams and marketing partners want pixels and tag managers deployed on all web pages to give them the option to collect more data for performance optimization. Once pixels and tag managers are deployed, Marketing teams can configure them to exclude tracking on certain pages. For web pages that collect sensitive data like a medical appointment booking page, developers should exclude deploying pixels and tag managers on those pages to prevent any possible sharing with marketing partners.  

Each time a user visits a website or app with a marketing pixel, tag manager, or SDK, the tracker will automatically try to collect a user ID and attribute the user to an ad the user may have clicked or viewed. Pixels and tag managers identify users on web by placing a cookie in their browser; this enables the marketing partner to identify that user on other websites with their ads and trackers. Mobile SDKs on the other hand, collect what’s known as a device ID by default, and as you may have guessed, this user ID is tied to the mobile device itself.

APIs

Pixels and SDKs can send data to marketing partners directly or via APIs. APIs (Application Programming Interfaces) are used to improve data collection quality and send data to more destinations. APIs must also be deployed by developers in the website’s or app’s codebase. 

Customer data platforms (CDPs)

The last common method for sending data to marketing partners is through customer data platforms or CDPs. CDPs are a centralized database solution for managing customer data from all touch points and systems. They serve a number of purposes including sharing select customer data to marketing partners to improve campaign performance. 

Like the methods previously mentioned, CDPs must first be deployed by developers in a website’s or app’s codebase. Then they are configured to send select data to select destinations based on the team’s needs. Since CDPs, like tag managers, control what data is sent to other marketing partners, direct integrations with CDPs are needed to track data flows from CDPs to each marketing partner.

Events and data flows

As mentioned above, pixels, tag managers, and SDKs collect personal data each time a user visits a web page or an app. When a web page or app loads, these trackers attempt to collect a user ID and several other types of data. On web, they collect all data in the URL, which includes the page name and typically what link or ad the user clicked to get to that page. They collect a standard set of data from the browser and the device like the type of device, IP address, location, time, etc. They also collect critical data from what are called events. 

Events are standard signals created in the codebase to record activity on websites or apps, and they are used for many purposes, not just marketing. Events can be set up for any action on a website or app, and they are critical for tracking how a user moves through a website or app. Websites and apps may trigger an event on every click or at a minimum, every time a user adds a product to cart, makes a purchase, or completes any other kind of conversion.    

Marketing teams and marketing partners want to collect this event data to measure how many conversions their campaigns drive and create retargeting audiences off of who triggered certain events. Sharing event data on its own such as purchase volume is not a privacy risk. Event data tied to a specific user can be a privacy risk though, and that is what trackers do. Once developers deploy pixels, tag managers, or SDKs, standard event data can be sent to marketing partners without developer support.

By default, most mobile SDKs automatically collect app installs, app opens, and in-app purchases. For other standard events like page visits, form fills, add to cart, etc., the marketing team can configure the trackers collect the event result (yes/no) and the event value, which includes things like the form fill values (e.g., home address), product name, purchase value, etc. 

For non-standard or atypical events, the marketing team needs developers to make changes in the codebase. This includes events that trackers are not designed to pick up or that the dev team has not yet created in the codebase. For everything else, marketing teams and sometimes their marketing agencies can determine what event data to collect and where to send it. 

Why Easy Healthcare and Monument were fined

With Meta’s pixel automatically collecting personal data from 30% of the 80,000 most popular websites in the US, it’s easy to see how non-compliant data could get shared accidentally.

Easy Healthcare Fine: Mobile SDKs

In the case of the FTC’s $100K fine on Easy Healthcare in 2023, it’s possible that its non-compliant data sharing was accidental. Easy Healthcare was fined strictly for sharing users’ device ID, IP address, and location to marketing partners through SDKs in their pregnancy tracking app, Premom.

Although Easy Healthcare didn’t explicitly send sensitive personal health data, the FTC considers any personal data coming from their pregnancy app as sensitive personal health data. Just by association with the app, third parties would know these users are tracking their pregnancy. 

According to the FTC, Easy Healthcare did not share this personal data for retargeting purposes; they simply shared personal identifiers with partners like Google and AppsFlyer. All it would take is to deploy their mobile SDKs with the default settings, and this personal data would automatically get sent to those marketing partners, no event configuration necessary. No marketing campaigns even need to be run.  

Monument Fine: Pixels and APIs

In the case of Monument, their non-compliant sharing was much more explicit. Monument is a New York-based alcohol addiction treatment service, and they were fined $2.5M by the FTC in 2024 for sharing personal health data against its privacy promises. According to the complaint, Monument’s website and other communications claimed they were HIPAA compliant and their users’ personal data would not be shared with any third parties. 

The FTC claims Monument sent sensitive health data to marketing partners to retarget customers and target new users. The data was allegedly shared via pixels and APIs after Monument set up standard and custom events on their website. The FTC says Monument gave the custom events titles that revealed sensitive details about its users such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service. To rest its case, the FTC states that Monument shared this event data tied to users’ personal identifiers such as email address and IP address. 

Key takeaways

In both cases, the marketing team is trying to use the right tools to measure and improve marketing, but they are not taking into account the privacy ramifications. For privacy teams, both incidents likely represent obvious privacy violations, but privacy teams typically don’t have the visibility to take action. They don’t get alerted when new trackers are added to websites and apps or new personal data is shared. This is why we need new solutions to bridge this visibility gap between privacy and the business. 

Digital tracking governance solutions

Consent management platforms are needed to collect, act on, and record consent. Data discovery solutions build a comprehensive inventory of all data in storage but cannot accurately map personal data sharing. Product privacy management enables full personal data sharing visibility and continuous governance to prevent non-compliant data sharing. Below, we will describe each solution’s capabilities, benefits, and limitations. 

Consent management platforms

What is a consent management platform?

Consent management platforms (CMPs) collect, act on, and record user consent for websites and mobile apps. On the surface, these tools offer customizable cookie banners that allow users to opt in or out of data sharing. On the backend, consent management tools act on user preferences by limiting data sent to third parties and internal systems. 

Consent management may not seem like a big deal for companies that don’t share any user data with advertisers. These companies will likely build their own cookie banner for their website and implement internal data collection and sharing workflows without a consent management tool. 

For most companies running digital advertising, consent management platforms are critical for ensuring compliance with the complex web of privacy regulations mentioned in this article: CCPA, CPRA, CIPA, VPPA, MHMDA, the FTC, HIPAA, and GDPR. To achieve this goal, consent management platforms should include the following key features. 

Consent collection

• Customizable consent/cookie banners and pop-ups for web and mobile app
• User experiences responsive to regulations in user’s location and device/channel
• Consent settings based on regulations and policies by location

Data flow configuration

• Catalog of all cookies, pixels/tags/trackers, tag managers, and SDKs on websites and mobile apps via the CMP’s cookie scan, web SDK / script tag, and mobile SDK
• Workflows that limit data sharing according to user consent choices by destination and based on sharing purpose; this includes sharing from backend systems via integrations and APIs 

Consent reporting 

• Audit logs for proof of consent 
• Consent preference analytics for compliance tracking 

Key benefits

• Manages the complexity of compliance at scale: Universally manage consent collection and configure data sharing across all devices and locations in one solution
• Enhances brand and customer trust: Openly demonstrate compliance and tailor the user experience to your business by location =
• Improves advertising effectiveness and user insights: Collect and share more data in a compliant manner; due to the complexity of changing data flows based on consent, location, the type of data, and the use of data, many companies will unnecessarily block all data collecting and sharing 

Key limitations

• Lacks full visibility into data collection and sharing: CMPs can only provide a surface-level view of what pixels, cookies, tag managers, or SDKs are deployed on a website or app. Without looking at website’s or app’s code and backend data pipelines, it’s not possible to see every personal data element that is actually sent to which third parties. This is particularly true for data shared on the backend. Privacy teams would need to regularly review all workflows setup in the consent management platform and request engineering support in situations of doubt.
• Relies on continual manual configuration to maintain compliance: If consent policies or data flows are not configured correctly for every device/channel, location, type of data, or third party, there are no alerts or safeguards to prevent non-compliant data sharing. Additionally, non-compliance can occur if the consent management platform is not updated when changes are made to the website or app by the engineering or marketing team. 
• Reactive issue resolution: Non-compliant cookies, pixels, tag managers or SDKs can only be discovered after they are live; the same goes for non-compliant data flows. These solutions cannot proactively prevent issues in the software development process. 

Product privacy management

What is product privacy management?

Product privacy management is the practice of monitoring software products to mitigate privacy risk. Because software products control how data is processed in today’s tech-driven world, product privacy management can enable complete data visibility and continuous privacy governance at scale across an organization. By monitoring how websites, mobile apps, connected TV apps, backend software, and third-party applications process personal data, organizations can create complete data maps, proactively remediate privacy risks, and generate accurate compliance reporting. 

Product privacy management is essential for digital tracking governance because it enables real-time tracking of user consent and personal data flows to third parties.

Product privacy management is also valuable for any B2C or B2B company processing large amounts of personal data on their websites, mobile apps, or other software products. Companies running digital ads in financial or health related industries are typically most at risk of privacy lawsuits, but companies in any industry processing personal data without proper consent are still at risk. 

The current approaches to product privacy management

• Privacy code scanning analyzes the code running any user-facing or backend software product to mitigate privacy risk during software development and after products are live
• Live product scanning provides additional risk mitigation for user-facing products such as websites and mobile apps. By simulating user behavior, live product scanning can monitor data flows based on user consent actions and identify additional data flows not specified in the code. 
• Manual assessments. Because most privacy solutions today don’t monitor software products, most companies rely on manual privacy risk assessments.

Best-in-class product privacy management solutions that scan code and live products enable true Privacy-by-Design and compliance at scale by integrating evidence-based privacy controls across the product development lifecycle from planning through development and maintenance.

With best-in-class product privacy management, privacy teams can eliminate the manual assessments that were missing most privacy risks and slowing down the business. By proactively mitigating privacy risk, product privacy management can also turn privacy teams into business-enablers instead of blockers.

To implement best-in-class digital tracking governance, product privacy management solutions should have the following capabilities.

Personal data visibility 

• Inventory of all personal data collected, stored, or shared 
• Sensitive data tags for CPRA, GDPR, VPPA, MHMDA, etc. 
• Inventory of all data destinations: third parties and internal systems receiving personal data via pixels, scripts, cookies, tag managers, SDKs, customer data platforms (CDPs), APIs, etc. 
• Identify hosting location for each third party to flag cross-border data transfers
• Catalog all active cookies by third party, category, and lifespan
• Record third party and cookie activity by consent action: accept, reject, no action
• Data flows showing every third party and internal data destination for each data element and for each possible consent action

Privacy governance

• Consent monitoring: By simulating user behavior on websites and apps, live product scanning can monitor whether CMPs honor consent and data sharing requirements in each applicable location
• Risk discovery: Run checks for consent banner visibility, opt-out consent compliance, opt-in consent compliance, sensitive data sharing, and cross-border transfers to generate alerts for potential violations to internal policies and regulations like CCPA, CPRA, CIPA, VPPA, GDPR, MHMDA, and HIPAA
• Risk prevention: Workflows to block non-compliant code, pixels, or SDKs during the dev release cycle
• Assessment automation: Pre-filled, self-updating RoPAs, PIAs, DPIAs, etc. 

Developer enablement

• Privacy risk alerts embedded in dev tools 
• Root cause identification: Flag exact code causing risk

Key benefits

• Unlocks comprehensive real-time personal data sharing visibility: Live product scanning and privacy code scanning are the only solutions that can continually monitor exactly what personal data is shared to third parties from your company’s digital products, i.e., website, apps, and backend software 
• Eliminates manual and time-intensive data mapping activities: Fully automate data mapping in days instead waiting months for data store scanning and/or developer teams to complete imprecise questionnaires ‍
• Identify data sharing risks as they appear in the codebase: Get alerted even before any unapproved personal is shared with a third party. By integrating with your company’s source code management tool, privacy code scans can run each time new code is submitted for review. Privacy teams can be notified each time live code or code in review may violate privacy policies; alerts can also be sent each time a new data element is shared or a new third party is receiving data. ‍
• Prevent non-compliant data sharing in the dev process: Development teams can integrate privacy code scanning into their deployment process so that non-compliant code, pixels, or SDKs are blocked from going live‍
• Ensure adherence to consent policies and regulations: Create workflows that send alerts and block code for any data shared without consent; these workflows complement scanning live websites and apps that continually monitors whether consent collection, cookie, pixel, and SDK deployments are compliant.‍
• Enable developers to be privacy professionals: Educate developers as they code by automatically delivering privacy guidance when a risk is identified in the dev process 

Key limitations

• Needs to be paired with consent management platform to collect, act on, and record consent
• Data shared in bulk via CSVs or cloud storage buckets will not be fully visible, e.g., any personal data manually uploaded to advertising platforms for remarketing audiences should be controlled by internal processes 

Data discovery solutions

What are data discovery solutions? 

Data discovery solutions help companies build an inventory of all data they have in storage; this includes personal data and any other data relevant to the business. 

Although these solutions are effective at building data inventories, they offer no coverage for digital tracking governance. This is because data sharing occurs in the code of a website, app, or backend system. 

Data discovery solutions inventory data by scanning structured and unstructured data across data stores and select third party applications. Data discovery tools can scan column names and the actual data, using ML/AI techniques to discover and classify data.

Key benefits

Companies use data discovery solutions to build a data inventory for a number of reasons, depending on their needs.

• Discover structured and unstructured data
• Identify sensitive data
• Help fulfill data subject access requests (DSARs)
• Evaluate risk of breach
• Lock down high risk data and control access
• Execute data retention policies
• Accelerate audits for regulators or M&A
• Minimize data footprint for security, cost, and compliance

Key limitations

• Lacks visibility into data collection and sharing: Data discovery solutions are good at determining what data is being stored; however, they cannot see how the data was collected, what it was used for, or where it was shared.
• Requires extensive time and resources: As companies grow and acquire other companies, the amount of data and number of data stores a company has can quickly get out of control. For data discovery solutions to even scan a representative sample of all data stores, classify and deduplicate all data elements, it will often take 6-12 months to complete an implementation while expending significant internal and external resources. 
• Relies on questionnaires and interviews to complete data maps and assessments: Because privacy teams can’t see how personal data was collected, used, or shared, they must ask product and engineering teams to fill in the gaps via questionnaires and/or interviews. This process takes up significant time from valuable technical resources and yields imprecise answers. As a result, data maps, RoPAs, PIAs, and DPIAs will be inaccurate and take months to complete. 
• Quickly becomes out-of-date: With most product teams releasing software updates monthly if not weekly, data maps built from lengthy and manual data discovery processes become outdated as soon as the next software update collects, stores, or shares new data. 
• Lacks privacy governance: Due to poor data sharing visibility, data discovery solutions cannot effectively implement controls to stop non-compliant data sharing.

Key takeaways

• Digital tracking governance is the practice of responsibly managing personal data shared with marketing partners by honoring user preferences. The goal is to ensure that user-level data shared to marketing partners or any other third parties is compliant with all applicable regulations and internal privacy policies. 
• The influx of recent privacy regulation in the US and the EU’s GDPR makes digital tracking governance increasingly important for almost any company running digital advertising. 
• US privacy laws regulating digital tracking will only get stricter. Nearly every state without a privacy law in effect is currently in the process of implementing one.    
• Product privacy management solutions should be used in conjunction with a consent management platform to implement best-in-class digital tracking governance
• Consent management platforms are critical for collecting, acting on, and recording consent, but they lack the full visibility and governance to ensure personal data doesn’t improperly leak to marketing partners
• Product privacy management enables the complete and continuous visibility and governance needed to ensure compliance with today’s complex web of privacy regulations