Regardless of your industry or sector, your company probably relies on the internet for much of its operations. But tracking technology and data privacy regulations are in direct conflict with each other, and their conflict is creating a serious business risk.
Here’s the conundrum: advertising. It’s become the lifeblood of the internet, as brands left newspapers, magazines, television and other media and flocked to the web and its limitless opportunities to connect with millions — or hundreds of millions — of people.
For over 20 years, brands have honed and refined the methods by which they advertise online, tailoring promotions to target individuals’ specific interests. Google, Facebook, and Twitter’s exponential growth happened thanks to digital ads. These search and social networking giants haven’t charged users for their services. Or rather, they haven’t asked for money. But people do pay — with personal data collected via cookies, which track people as they browse from site to site. The data itself has been monetized. Marketers purchase and use this personal data to target current and potential customers with relevant marketing campaigns.
Not All Cookies are Crumbling
Cookies are small text files a website sends to a user’s device, like a laptop, tablet, phone, or desktop, to collect data. The most widely used tracking tool out there, they’re designed to track individual user behavior and gather specific data. One-size-fits-all cookies don’t exist. Each has a particular purpose, including:
- Preference cookies, which track user preferences on a website allowing the company site to offer the same functionalities on subsequent visits.
- Advertising cookies, which track and evaluate user internet activity and then offer insights and recommendations based on those interests.
- Analytics cookies, which track user website behavior like what pages they visit, how they navigate a website, how long they spend on any one page, where they come from (how they ended up on that website) and more.
Third-party cookies, created, managed and owned by third-party vendors who’ve integrated with your website, collect a range of information about users. But it’s these cookies that will gather personal data without first getting permission to do so, and it’s the third-party cookies that Google plans to eliminate in 2023.
First-party cookies, on the other hand, also record information about website interactions — language preferences, light/dark appearance mode, and shopping cart or login information — but they’re set by the website’s web server and delivered to a user’s device without any third-party involvement.
Enter Tracking Pixels and Telemetry
Facebook offers a business pixel to its eCommerce business clients. The pixel can tell stores which pages a user visited, and then the marketing teams use that data to retarget the visitor, show additional pages with similar products in their Facebook feed, and encourage them to revisit the store. So if you find your social media feed crowded with ads for a new mattress, you’ve probably been targeted because somewhere at some point in your browsing history, you clicked on an ad for mattresses.
Legal Requirements for Website Tracking
If your company operates exclusively in the U.S., the laws are a little different. The EU’s GDPR is currently by far the strictest regulation. But that doesn’t mean you shouldn’t ensure you’re following the rules for appropriate tracking technology use, because they do infringe on online privacy. And while you’ve only got your users’ best interests in mind when you’re gathering their personal information, the advantages you gain through data collection come at the expense of privacy.
Data protection doesn’t actually concern itself with the technology used to collect information. Its primary function is to safeguard everyone’s fundamental right to privacy. It doesn’t prohibit tracking technology. It does, however, establish restrictions for data processing. You can use any website tracker if you process personal data within its set parameters.
To ensure compliance with the legal requirements for website tracking, you should identify:
- The data protection laws specific to your business
- The requirements within those laws
- The solutions you need to comply with those requirements
Automation is the only way to regulate website tracking. By implementing cookie consent solutions you are in complete control over how your website tracks visitors. Look for a solution that incorporates the legal requirements of GDPR, CCPA, LGPD and/or any other relevant laws.
Prioritizing What Data to Collect
When it comes to data collection, the best place to start is by remembering this important, basic fact: Whatever business or personal information you collect becomes both an asset — and a liability. The EU’s General Data Protection Regulation (GDPR) defines personal data as “any information related to an identified or identifiable living individual.” This incredibly broad definition ensures the protection of personal data which is regularly targeted by cybercriminals. It includes information related to healthcare and financial accounts, and much more.
No company or business can exist without its customers. Nonprofit organizations rely on donors and volunteers to deliver diverse services. Financial institutions compete with each other to attract more clients. Higher educational institutions compete to enroll the best and brightest students. Research, scientific, and healthcare institutions form collaborations to drive innovation, improve patient outcomes and more. The list goes on and on.
And every one of these organizations relies on data to help its marketing teams increase market outreach, grow brand awareness, form new partnerships, and cultivate new and retain existing customers.
The one thing they share? A need for data. Data collection’s guiding principles, however, are simple. By following these recommendations, it’s less likely you’ll run afoul of the law.
- Collect only what you need. Nobody wants to be the victim of a data breach, but if it happens and you must work with regulators, or your company is audited, you’ll need to share exactly how much and what type of personal data you’ve collected. Implementing a policy of collecting only what you absolutely need may protect you from having to pay excessive fines or penalties.
- Always ask permission. The GDPR flipped the traditional “opt out” approach to sharing data to “opt in.” That isn’t always the case here in the U.S. but you can do the same by asking website visitors’ consent for you to collect or share their data, use it for diagnostics or do telemetry.
- Uphold your end of the agreement. After you’ve collected your users’ data (with their permission), remember the core tenant of the GDPR: customer data belongs to the customer not to the entity collecting it. Don’t share or use it in any way that those users didn’t explicitly give you permission to do.
Are you a commercial real estate investor or looking for a specific property to meet your company’s needs? We invite you to talk to the professionals at CREA United: an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more.