Many of us are aware of the snafu that occurred in summer 2022, in which major organizations were unwittingly sharing sensitive user data with Meta and other third parties. 

If you're not familiar, a notable list of offenders had placed the Meta pixel on their respective sites, so sensitive field data input by website visitors was being passed to third parties.

The list included the federal student financial aid program FAFSA sending applicants’ information to Meta; multiple hospitals sending patients’ protected health information to Meta; daycare apps sending event data to Facebook and Branch; and remote learning tools, which are used by school districts nationwide, sharing student data with marketers and data brokers.

When we see the names of the entities on this list, we might ask how they could be so careless. But the likely reality is that this information was shared by marketers who perform the same tasks as any marketer does every day. Most of this information was shared by way of pixels installed on owned websites for the purposes of tracking conversion activity.

In the same way that many everyday consumers feel duped when they're tracked without their explicit knowledge, marketers are at the mercy of intricate understanding of the tools they're putting into place. It's not that the information isn't available to both consumers and marketers alike -- you can get an understanding of what's underneath the hood, but the onus to do that is on you. This is a big part of why privacy legislation is emerging to protect consumers and make them more explicitly aware of what they're opting into. 

But the burden of protecting audience information and understanding how it's shared still lies on marketers. Whether this is appropriate remains to be firmly clarified by legislation, but these are the cards we're dealt as of today. 

 So what can you do to protect your audiences -- and your organization's reputation?

Evaluate, document, and update what's on your site 

Take the time to audit the current state of your website. What tracking has been installed historically and recently, and what information are those trackers collecting? Catalog this information, distribute it to your team so others have access, and create a process for updating it quarterly. If you haven't centralized an approver for what tracking goes on your site, do that now. This should not be a function that lives with everyone.

You'll want to take stock of pixels placed, APIs you've established, and conversion tracking.

As a reminder, Meta and Google are most definitely third parties, and those trackers you dropped are sharing your audience's information. Here's what Google collects via enhanced conversions:

"With enhanced conversions for web, first-party customer data such as an email address, name, home address or phone number is captured in your conversion tracking tags, hashed, sent to Google in its hashed form and then used to match your customers to Google accounts."

While customer data is hashed when Google receives it, they review the insights so they can monetize it by informing their ad targeting at-large. And, as we see from the use cases highlighted above with FAFSA and company, Meta is just the same.

Get your legal team involved

This answer is every marketer's dream, right? We love more legal review. In reality, we really should at this moment. There's just too much complexity to go it alone right now.

If you have legal counsel -- or better yet, a security and risk team -- pull them in to help you understand the terms of service of your third parties.

Clarify who owns responsibility for what pieces of third-party review. The last thing you want is the marketing team thinking it's legal's role to set up review and vice versa. Come to terms with the fact that both teams will need to educate each other -- you're likely going to need to clarify your business case for certain tracking. Encourage treating each other as thought partners instead of barriers. 

Ask if you really need that tracking

Related to the above, you should have a sound business case for the data you're collecting and the fields that you're sharing with external parties. You need to make sure everyone involved understands what qualifies as personal identifiable information (PII) -- because that's what you're responsible for safeguarding and gaining explicit consent to collect. Weigh what's worth the risk and what's not.

These three questions recommended by Forrester are great ones to assess with your legal counsel and marketing teams:

1. Are we getting sufficient benefits from this level of personalization, and is it something customers reasonably expect? If not, that's at least a yellow flag to assess alternate options.
2. Do we know what personally identifiable information is being collected, and does it align with our policies? If you don't have a policy, you need to get one ASAP.
3. What third-party technologies or providers are we sharing this data with, and have they been assessed for security and privacy risks? Standardize a process for review each time a new partnership contract is pending.

--

The main theme in responding to data privacy change is that you need to de-silo your approach to marketing. 

 I can help you get your teams aligned.

>> Book 1:1 help to formulate your action plan or discuss a strategic objective.

>> Contact me about customized workshops for your team, ongoing support with financial projections, board relationships, blended investment planning, and more.