Guest Post: Automate compliance or risk getting caught in the data privacy trap

Travel brands must let go of their addiction to third-party tracking and surveillance adtech or risk being caught with their hand in the cookie jar, warns Compliant chief executive Jamie Barnard  

Jamie Barnard  

The South Indian monkey trap is a clever device for capturing troublesome monkeys. The trap comprises a hollowed-out coconut attached to a stake and filled with rice that's accessible via a small hole.

Although the monkey's open hand fits easily through the hole, its clenched, rice-filled fist remains stuck. The monkey will stay this way, refusing to drop its prized rice, until it is caught.

The marketing industry is in a similar predicament. Addicted to the reach, scale, and personalisation provided by third-party tracking cookies and surveillance-based adtech, and without a silver bullet to replace them, marketers are unwilling to let go.

But privacy concerns are making these tools dangerous, and brands that refuse to drop them risk being caught by the regulators. As we shall see, this is a particular risk for brands operating in the travel industry.

The compliance risk

In today’s model, advertisers work with a wide range of intermediaries and vendors to track, profile and target consumers with relevant and often personalised content.

This model creates a complex marketplace where hundreds of companies share personal data about millions of people in thousandths of a second.

Unfortunately, much of the machinery that makes this possible, and the corresponding collection and use of data, is in conflict with people’s expectations of privacy and in breach of data protection regulation.

The digital advertising industry must adapt or accept the consequences of these compliance failures.

As regulatory scrutiny intensifies, keeping hold of the rice feels increasingly risky. And it is intensifying: since 2018, more than €1.7 billion in GDPR (General Data Protection Regulation) fines have been handed out, with enforcement activity increasing by 40% in 2020/21.

Having already levied huge fines against big tech and ad tech companies, regulators are turning their sights on advertisers. This includes companies in the travel industry such as BA, Marriott, and Saga, which have received severe fines.

We know that more will follow because the compliance failures that lead to these fines are not unique to those who have been punished – they are commonplace across the demand and supply sides of the marketing industry.

Consent is not compliance

A serious blind spot for brands is caused by consent models. Many organisations assume that obtaining consent from users to collect and process their data ensures compliance.

In reality, consent does not equal compliance. Many brands operate under an illusion of compliance, when, in fact, they are routinely leaking personal data across their media supply chain and tolerating the unlawful collection and sharing of data by unauthorised third parties.

New research from Compliant reveals that for travel brands in Europe one of the biggest challenges relates to ‘piggybacking’, where unauthorised cookies and tags collect data from brand websites without the advertiser’s permission.

Piggybacking results in unconsented data being shared far and wide across the adtech ecosystem. The research reveals that businesses in the travel sector are highly vulnerable to piggybacking, with an average travel site containing no fewer than 16 tags.

With every additional tag on a site, the risk of unconsented personal data being unlawfully shared with third parties increases, as does the corresponding liability of the website owner.

Significantly, the European Data Protection Board has indicated that advertisers could be jointly liable for the wrongful collection and use of data by connected third parties.

Another risk stems from data resellers that collect, organise and sell data to advertisers and publishers.

Our research reveals that although 91% of all EU brands now employ Consent Management Platforms (CMPs) on their owned and operated sites, 88% of these have consent irregularities resulting in data being passed before consent is received.

It’s therefore highly likely that data resellers attached to publisher and/or advertiser sites have the same problem and therefore represent a significant data leakage risk.

Our study indicates that while European publishers have made important efforts to reduce the number of data resellers within their sites since GDPR was enacted, on average travel sites still host multiple unauthorised data resellers.

Combined, these three challenges present a real privacy compliance risk for travel sector businesses. For instance, on one major hotel chain’s site we found a CMP passing use data before consent was given.

Upon closer inspection, the website has 39 vendor tags piggybacked into the site and five data sellers. These are some of the highest numbers we’ve seen across all industries.

Protecting consumers

In the context of digital media and ecommerce, it can be easy to forget why privacy is such a big deal. While avoiding fines and brand damage are high priorities for travel firms, privacy is ultimately about protecting people.

The more we digitise our lives, the more data we share about ourselves; the more data we share, the more it can be weaponised against us, and the more vulnerable we become to abuse.

The more exposed we are, the more we depend on privacy law and data ethics to protect us from real harm – extortion, persecution, discrimination, identity theft, and so on.

So, as we consider privacy risks in digital media, we must always consider the unintended consequences of data collection, particularly in the travel sector which routinely collects highly sensitive data such as payment card details, addresses, and passport numbers.

Three ways to enhance compliance

While privacy compliance in digital media is a significant challenge for advertisers in the travel sector, there are positive actions that companies can take immediately:

  1. Embed always-on compliance monitoring. Take advantage of automated tools that continuously monitor, measure and benchmark risk across your media supply chain. This allows you to respond rapidly to risk, and informs your ongoing strategic priorities.
  2. Understand your media supply chain. Real-time risk reporting requires full transparency of your media supply chain – who has access to data, what they use it for, who they share it with and what they do with it. Use this information to take decisive action to increase discipline and reduce compliance risk.
  3. Experiment with a portfolio of privacy-safe solutions. It's time to let go of the rice in the coconut and make do with available alternatives such as first-party data IDs, publisher provided IDs, contextual advertising, data cleanrooms, etc.

Companies that search for solutions that serve the interests and expectations of their consumers are less likely to bet on the wrong horse in the long run.  

And building discipline, transparency and resilience into their media ecosystem will accelerate decision-making, reduce the time taken to innovate and, paradoxically, encourage risk-taking.

Companies that invest in always-on, automated privacy compliance will soon become the ones to beat.

The first marketers to let go will be the first to discover and adapt to new models. Laggards will still have their fist in the coconut when the hunter returns. The race is on.