Expanding data sharing visibility: Monitor data flows from tag managers & CDPs

As data sharing restrictions continue to increase, Privado continues to expand its data sharing visibility.

We’re excited to announce Privado’s new capability to monitor personal data flows from tag managers and customer data platforms (CDPs). 

Previously, Privado mapped data to all third parties, including tag managers and CDPs, but it lacked coverage for data sent from those tools to other third parties.

Tag managers and CDPs are designed to collect all kinds of personal data from websites and apps, and marketing teams commonly use these tools to send select data to marketing partners to measure and improve performance. 

With Privado’s additional layer of visibility, privacy teams can now proactively prevent all non-compliant data sharing from tag managers and CDPs that they previously could not fully monitor. Instead of just showing which tag managers and CDPs are receiving what data, Privado now identifies all third parties receiving data from tag managers and CDPs and which data elements are shared. 

Data sharing restrictions are increasing

Full personal data sharing visibility and digital tracking governance are needed to stay compliant with the influx of new privacy regulations, particularly in the US. 

With the enforcement for the CPRA amendment to CCPA going live in February 2024, companies with users in California must now follow the “do not sell or share” rule. To comply, companies cannot sell or share personal data unless they disclose this information to the user and give them the option to opt-out. 

In Washington state, enforcement began for its My Health My Data Act (MHMDA) in March 2024, which requires opt-in consent before any company even collects personal health data, much less shares it. In addition, the US federal government has cracked down on personal health data sharing by issuing over eight fines since 2022 for FTC and HIPAA violations.

GDPR remains the most strict data sharing regulation. Under GDPR, companies must obtain user consent before even collecting any kind of personal data. 

To maintain compliance, it is critical for privacy teams to continuously monitor all personal data shared to third parties from pixels and tag managers on websites and apps as well as backend systems like CDPs.

Why additional tag manager visibility is needed

Tag managers are designed to help marketing teams measure and improve web and app marketing performance for multiple marketing partners. Tag managers provide huge efficiencies and increase data granularity for teams running ads with many partners. 

Without tag managers, marketing teams would have to ask their engineering team to implement a pixel (also known as a tag, script, or tracker) on their website and an SDK in their app for each partner they want to use; otherwise, marketing performance could not be measured. To measure marketing performance, tag managers, pixels, and SDKs automatically collect personal data such as cookie IDs, device IDs, advertising IDs, emails, IP addresses, geolocation, etc. 

After one request for the engineering team to implement a tag manager, the marketing team can then configure the tag manager to send marketing performance data to whichever partner they want to work with, without additional engineering requests. 

Since most marketing teams use at least five partners at a time and regularly switch partners based on performance, tag managers enable marketing teams to quickly optimize their marketing partner strategy. 

In addition to determining which partners to send data to, marketing teams can configure what event data to send. Events can be set up to track almost any user activity on a website or app such as form fill or a purchase. Without controls in place, sensitive data can be shared through events such as the medical or financial product name a user purchased or a user’s answer to a question about medical history.

By implementing privacy code scanning that integrates with tag managers, non-compliant data sharing can automatically be flagged as soon as tag manager changes are made.   

Why additional customer data platform visibility is needed

Customer data platforms (CDPs) are a centralized database solution for managing customer data from all touch points and systems. They serve a number of purposes including sharing select customer data to marketing partners to improve campaign performance. 

Like tag managers, CDPs must first be deployed by developers in a website’s or app’s codebase. Then they are configured to send select data to select destinations based on the team’s needs. 

Although it is less common for teams to send data to marketing partners via CDPs, sharing visibility from CDPs is more critical for privacy teams. The primary purpose of a CDP is to collect, organize, and share personal data internally. Therefore, flagging personal data sent to a CDP would be expected and not seen as a risk. Whereas if any personal data is sent to a tag manager, it can be assumed that the data will be shared with marketing partners. 

In the cases where CDPs send personal data to marketing partners to build segmented audiences, privacy teams must have backend data sharing coverage. Without direct oversight of a CDP, there is typically no way to monitor what data marketing and analytics teams send to marketing partners. Furthermore, sending data for retargeting purposes represents a larger privacy risk and larger potential fine. 

How Privado enables full governance for tag managers and CDPs

Privado’s core privacy code scanning technology builds data maps by scanning the code that operates your websites, apps, and backend systems. Because tag managers and CDPs are implemented in the code of a website or app, Privado has previously identified these tools as third parties and tracked which data elements they receive.

To provide backend data sharing coverage, Privado has built integrations to scan tag managers like Google Tag Manager and CDPs like Segment and Hightouch. Since outward data flows are entirely controlled within tag managers and CDPs, this information cannot be obtained by scanning the code of a website or app; therefore, direct connections must be built with these tools. 

On the flipside, just scanning tag managers or CDPs is not enough to provide full visibility and governance. Privacy code scanning is needed to complete the picture. 

Since tag managers are designed to share data with marketing partners, tag managers should not receive any sensitive data or data from users who opt out. The only way to stop non-compliant data from reaching tag managers is to scan the code that sends data from websites and apps to tag managers and implement guardrails.  

For governing data shared externally from CDPs, code scanning is required to identify exactly what personal data elements are shared. Scanning the CDP alone identifies the 3rd parties receiving data and identifies what web or app events are shared. Scanning the code that sends data to CDPs is required to identify all data elements shared within an event. 

For example, if a CDP shares an “add to cart” event from a mobile app, scanning the CDP can identify that an event named “add to cart” was shared with a third party. Scanning the mobile app’s code is needed to identify that the add to cart event is sharing personal data like email or potentially sensitive data like the product name added or the user’s search history.   

Once the integrations are enabled, all outward data flows from tag managers and CDPs are synced with Privado. This means all additional third parties will be added to Privado’s data inventory, and all data flows will be updated. Each data element identified will show the full lineage from code to tag manager/CDP to the eventual third party. Additionally, the data from tag manager and CDP integrations will update privacy assessments and trigger privacy issues based on your policy workflows. 

By enabling full visibility of tag managers and CDPs, Privado can help scale privacy governance across the engineering and marketing teams that control these data flows.  

Getting started

Integrate Privado with your tag manager and CDP and start improving your data sharing visibility and governance. To learn about integration setup, please reach out to your Privado customer success manager.