State privacy laws, such as the California Consumer Privacy Act (CCPA), require companies to implement opt-out solutions and honor applicable privacy requests. But if you have implemented an opt-out, how do you know it actually works?
Is it configured properly? How do you validate that your opt-outs work as intended? Even more fundamentally, what are the technical criteria you need to apply to make that determination?
Implementing opt-outs is easy. Implementing them to do what you want, however, is hard.
This is because most websites and mobile apps contain an abundance of SDKs and JavaScript libraries for a wide range of purposes: targeted/cross-context behavioral advertising, analytics, joint-promotions, graphics, authentication, social sharing, the list goes on. Knowing what is in-scope for opt-outs involves a careful analysis of the law, together with a basic understanding of the technology – specifically, what data is shared with whom and for what purpose.
Implementing opt-outs is almost impossible to do correctly the first time. Opt-out buttons or forms may visually display an opted-out state to users, but the backend technology driving the opt-out is entirely different from the frontend technology users experience. This requires deep, targeted assessment.
To make things even more difficult, the only way to know whether your opt-out works is to either use specially-instrumented devices or network traffic analysis and perform before-and-after tests. In our view, none of the automated “cookie-scanning” solutions and similar tools available on the market even comes close to performing reliable validation/testing of opt-outs.
The time to test and validate your opt-outs is now.
Regulators are taking notice and not only relying on a business’s public-facing disclosures (e.g., privacy policy and opt-out pages), but also focusing on whether or not the opt-outs work as intended. If it turns out that your opt-out doesn’t function as intended, you will need time to allow your developers, engineers and third-party service providers to remediate and deploy.
We test and validate opt-outs using Norton Rose Fulbright’s in-house technical testing tool, NT Analyzer. NT Analyzer is a practical tool suite that relies on network traffic analysis for managing privacy compliance for mobile apps, websites and IoT. The tool detects and tracks the full range of data, including personally identifiable information, that is collected and shared.
Businesses can only determine the effectiveness of their opt-outs by analyzing the full-range of transmitted data.
Request a demo of the tool here to talk mobile and website testing, state privacy law compliance or video privacy.
Special thanks to Rahul Kapoor for his assistance on this post.