KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Hello, this section is about privacy and consent management, the challenges and trends that we see in this area. So I will start off by talking about something. I don't think that we discuss enough in industry today.
What, what does this look like from the individual side and then move into, what does that mean? These challenges for the business side, how to comply with rapidly changing regulatory landscape, and then talk about both what we see in terms of coming regulations, changes to regulations and where the technology is going.
So one of the experiences that we all have in online interactions is giving up in some way, some sort of personal information, whether you're buying something online or, you know, using email or, or social media, there's always at least some degree of personal information that has to be given up. It seems in order to make this all work in a customer friendly way, but this is facilitated as you probably know, by different kinds of first and third party tags, cookies, cookies are very well known. This is a way of tracking information about specific users.
And again, it can make for better customer or online interactions, but they're also used for marketing. Many are not necessarily against marketing itself, cuz it's a, a necessary way of doing business. Often this personal data is kind of exploited in ways that some consumers don't agree with and some consumers want more control over their data. So this is why we have seen an increase in privacy and data protection regulations around the world. GDPR is probably the best known European union's general data protection regulation. It went into effect in may of 2018.
And you know, we spent probably 18 to 24 months before that, trying to prepare for that and understand what the ramifications would be. But then there's also that has, has been a model for others around the world, including the CCPA, California, consumer privacy act, Canada PIP pita has been in existence for quite a while, already predates many of these other regulations. But now we also see similar regulations in Singapore, Brazil, Japan, Russia, India, and, and they're not all the same.
So we'll talk about that more in a minute too, but there are technical solutions that we've been hearing about called consent management platforms, privacy and consent management solutions. And these in many ways can help businesses comply with different privacy regulations. But in the end, I think it's important to remember the consent itself is not privacy. So let's take a quick look at the different tracking technologies that are out there.
Again, cookies, probably the most well known form of tracking online little text files or on browsers. How that started out HTML five, a newer standard, the local storage. It's like a cookie, except it can store more data. There's flash local shared objects.
Again, that's kind of like a cookie, but it's pertinent for Adobe flash applications. They store user preferences and track user activities, too. Pixel tags or web beacons, putting a, a pixel on a page. That's not necessarily a page that you own, but it can report back to another website. I think social media platforms are pretty well known for using pixel tags index database. It's an API for managing no sequel databases of JSON objects.
Again, some of which can be used for tracking. And then lastly, ultrasound beacons. This is a way of sort of tracking individuals and the effectiveness of advertisements and marketing activities throughout an ecosystem by having a device emit a ultrasound, which can then be picked up by other devices nearby. So you get a, the, the marketer gets a better picture of, let's say who's in a room and, and you know, what, what smart TVs or other smart home devices might be there. So it's a way for them to track effectiveness of their advertising. So how do we protect our information?
We at an individual level, you know, you can try to minimize the data that you give up, but if you're gonna buy something online at a minimum, you're gonna have to provide name, address, email address, credit card. So that's just at a bare minimum. What is needed to sort of conduct business online today? What happens to that information?
Well, unfortunately in many cases, we're kind of at the mercy of the vendors that are collecting that. So we can practice data minimization if we want to.
And I'm, I know people that take it to extremes, but still that again, sort of limits the convenience of the end user experience. There are other things like digital identity monitoring, you know, which seems to be the default offering after a data breach, you get signed up for a year's worth of account monitoring that looks for, you know, creation of suspicious accounts or unusual transactions and the ability to report on and stop that.
There's also regulatory enforcement, as we've been talking about GDPR CCPA Paeda, but you know, the engagement mechanisms for let's say filing a complaint can differ and you know, these it's not available in all locations, either. Not everywhere has a good privacy regulation that can be enforced today. And then lastly, I think something that's not often mentioned, but many endpoint security products have very good anti tracking features over and above some of the freeware solutions that are out there. And I wanted to quickly show a couple of screenshots about how that works.
So I thought I would just snapshot like here we have Spiegel and with an endpoint security product that I was running, we see that there were five trackers blocked, four were related to advertising. One is considered essential to how the site works. Next example, I looked at Lamont it, the endpoint security anti tracker found nine different trackers and blocked them three were advertising three site analytics, two for social media and another essential on the social media side, just drilling down here. We see that it's Facebook and Twitter.
And then looking at a couple of popular freeware ad blockers that are out there. We've got U block found four and ad block plus found eight. So just in this very limited anecdotal example, it appears to me that some of the endpoint security solutions do a better job at blocking some of the tracking activities at the browser level. So how do you request regulatory relief? Let's say you live in the EU or California and you want to file a complaint.
Well, how do you start? It's not as easy as it, you would think. So starting with just a simple web search, the results differ by browser and by the web search service that you're using and probably to be expected at the top, you'll find ads for vendors that have paid to have those keywords sort of under their purview. So you'll get ads at the top. You scroll by, you'll find articles with opinions about privacy laws. You gotta keep going past that. Eventually you'll find the data protection authority.
And then even when you do, the procedures are different by regulation and, and even by country, and it can be quite confusing. So I thought let's just show a couple of sh screenshots of what this looks like. Let's let's search on EU and try to make a complaint. So you find the EDPs website, the complaints wizard.
It says, you know, we're only responsible for things within EU institutions, bodies, and agencies for anything else you wanna talk to your national data protection authority. So drilling down on that blank, here's the link that you would want to use to find the national DPAs for each member state looking at first on the list here, we've got Austria, this is a really nice website. Very clear cut tells you exactly who you would need to contact. You can submit a complaint either by post or by email looking at another one UK, they have a web form. So you can find the web form.
You can submit pretty detailed information about what the nature of the complaint is. And there's the link for this page? What if you live in California, how do you engage CCPA?
Well, it was pretty easy to find on the whole, but you know, what's surprising is the amount of personal information that you have to give up to file and complaint about misuse of personal information. It was several long, long pages of information that needed to be collected in this web Porwal and, you know, see California website here shows also about 300 different data brokers that are registered in, in California too. So there's lots of different individual entry points. If you wanted to engage with the particular data broker that you think has your data.
So what a, what does all this mean for business? Well, even though it's confusing and you might think that deters consumers from filing complaints, we can see from the enforcement tracker site here that no, there's, there's plenty of complaints that are being filed. The charts on the left are accumulative view, which show a big spike in terms of the overall number of fines.
Last June, there was a, a pretty hefty fine that was levied against a UK company there, which really drove that up. We see the overall number of fines, kind of increasing linearly since July of 2018. And then looking at month to month statistics here on the left, we see that enforcement and fines started going up particularly around September or so of last year spiking before the world kind of went into COVID lockdown and then bouncing back here within September of this year. So enforcement is happening COVID is not deterring that.
And, and I think we can only expect to see more instances of complaints being filed. So if you're a business, how do you approach getting privacy compliance? Right? First of all, you have to know which jurisdictions you're operating in.
And, and knowing that if you let's say prepare for GDPR, that does not necessarily help you prepare for everything that comes under CCPA. The changes that may result from, you know, pining legislation in California, New York, Singapore, Brazil, any of these other countries. So there are different interpretations, the regulations, different terminology that needs to be normalized. Unfortunately, these consent and privacy management solutions can't help with that. You also need to know the kinds of data that you have and where it's at.
Do you have a data inventory that's surprising that can be one of the most difficult questions to answer. And it's a really good place to start is with what the, the term under GDPR became popular data, privacy, impact assessment, knowing classifications of your data, where it is, and then start thinking about, is it in the right location? Is it being stored locally? If required, can some of it be removed? Do you have a good business reason for keeping it? Do you have a legal reason for processing it? If not get rid of it, if at all possible.
And then again, these CPM solutions can help, but you know, it, it's more than a technology in searching. That's likely to be required. In many cases, corporate policies have to change. Businesses practices have to change. And data privacy is really predicated upon data security. So besides implementing some sort of consent and privacy management solution, you may have to make, you're likely to have to make improvements in your overall data security infrastructure. So three more technical things to think about, well, start with consent and privacy management.
They can help with compliance with these disparate regulations, but knowing which regulations you're subject to will help you with the overall consent and privacy management tool selection process. If you're doing business in, let's say Brazil and the CPM platform, you're considering doesn't cover that. Then of course you wanna pass and look for something that does in fact, cover the jurisdictions you need to be preparing for DPIs.
Again, that's a great step. One being able to do your data, impact privacy, impact assessment, knowing where your data is. And then also, you know, under GDPR, it's required that you're able to export the user data and give that to 'em if they request that or delete the data data. So being able to technically meet the challenges that are outlined by these regulations is a necessity. And then lastly, here at the top data subject access request, this is when a consumer wants to know, you know, one information do you have about me and what are you doing with it?
You need to be able to provide some way for them to find that out email is a common way, but, you know, I think California also says you've gotta have a, a telephone hotline. They have a web Porwal. So having a unified platform that can allow end users to submit data, subject access requests is also a necessity under multiple regulations. So what does the future look like for privacy regulation? I think at a high level, we can say there's gonna be more of it. GDPR. We're just getting started. Really GDPR made headlines.
CCPA also was much talked about, and now it's enforced, but you know, there are additional changes that may be coming for CCPA. There's an initiative on the ballot in California. That'll be voted on a November if that passes and polling shows that it's likely to pass. At this point, there are gonna be substantive changes to CCPA, even, even within, you know, a year I've been taking effect. And then the New York shield law, it's a data security act.
And again, data security and data privacy go hand in hand. In this case, it calls out the need for employers to have designated custodians of HR data. Specifically employers have to take better care of things like employee name and social security number and their penalties for not doing that.
So again, data security regulations are actually driving data privacy in this case, and they, they can work hand in hand and should work hand in hand. So what about the future of these privacy management solutions?
Well, again, we have, we are expecting additional regulation. We may see changes in regulation, and then we may see an evolution in how those regulations are interpreted. This is almost ne necessarily going to require more fine grain policy control. There may be overlaps between what regulations require between jurisdictions, but there may not be in some case too. So having a platform that allows you to implement different regulations and, and facilitate compliance is gonna require, you know, a greater degree of control at the data level.
And then to be able to produce metrics that show how well you're complying with the different regulations. I've talked a bit about how consumers submit DSRs being able to protect these communications is paramount too. It's difficult if you're somebody's mailing in something physically, but if they're using email or a web Porwal companies need to be able to protect that information as well, the channel that it, and, and the contents of the complaint.
So protecting encrypting the channel encrypting what's stored encrypting all aspects of the communication and providing access controls for that will be a paramount concern too. There's a role for emerging technology. Blockchain has a strength for creating auditable records that can be really useful for privacy and consent, but none have really gained any attraction here yet.
We do see can Tara's consent receipts, specification that's, you know, a pretty straightforward way of generating a text based receipt with, you know, a minimum number of fields that are useful for tracking whether or not somebody has consented or withdrawn their consent. So that's something that we expect to see greater uptake of in the future. And then lastly, here, future data misuse. I was hinting about that with changing interpretations. We may see things that are considered okay to do with consumer data today, but in the years ahead, interpretation of these regulations may change.
And if so, these can sit in privacy management platforms have to be responsive to not only changes in additions to regulations around privacy around the world, but again, how, how are they interpreted from interpreted from one place to another? And with that, I will conclude and thank you for attending the event.
