Third-Party Governance: Ensuring hygienic vendor data handling practices

When we collect, store and use data on a daily basis, there are a number of regulatory requirements that we are meant to comply with. This includes:
Ensuring informed consent from users is obtained.
Privacy notices on websites are up to date and easy to understand.
Appropriate security measures are in place for the data collected, and
DSARs are handled efficiently and in a timely manner, etc.
Complying with these requirements isn’t always straightforward. Since most companies deal with multiple third parties (which can be service providers, vendors, contractors, suppliers, partners, and other external entities) we are required, by law, to ensure that these third parties are also compliant with the applicable regulatory requirements.
Third party, vendor and service provider governance is a crucial component of a strong and sustainable privacy program. In October of 2024, the Data Protection Authority in the Netherlands imposed a €290 million fine on Uber for failing to have appropriate transfer mechanisms for personal data that it was sharing with third countries, including its headquarters in the U.S. According to Article 44 of the EU General Data Protection Regulation (GDPR), data controllers and processors must comply with the data transfer provisions laid out in Chapter V of the EU GDPR when transferring personal data to a third party based outside the EEA. This includes the provisions of Article 46, which require that data controllers and processors implement appropriate safeguards where transfers are to a country that has not been given an adequacy ruling by the EU. In the U.S., the Federal Trade Commission (FTC) brought action against General Motors (GM) and OnStar (owned by GM) for collecting sensitive information and sharing it with third parties without consumers’ consent.
These are just examples of companies knowingly selling and sharing data with third parties. In some cases, data is collected by third parties, through Software Development Kits (SDKs) and pixels embedded on company websites, without the full and proper knowledge of the first-party companies. Some websites are built using third-party service providers, and these third parties also collect data from website visitors without the knowledge of the first party. The AdTech ecosystem in general is a complex environment; data changes hands with so many parties that it is difficult to understand how the data gets used and which third parties are actually involved.
The CCPA and other state regulations require that businesses conduct due diligence of their service providers and third parties to avoid potential liability for acts of non-compliance on the part of these third parties. However, the Interactive Advertising Bureau’s (IAB) recent survey report provided interesting statistics, with 27% of the companies reporting that they had not yet finalized an approach to meet these third-party due diligence requirements.

In an already complex and evolving legal landscape, how do we ensure that our third-party governance is adequate?
This is where DataMapping comes in. A comprehensive and effective DataMap provides clear insights into what data is collected, its source, its storage location, the security measures in place, which third parties the data is shared with and how, points of contact, and the security measures applied during data transfers. A relation map within a DataMap provides an overview of the different systems within the organisation and the third parties, so that it is clear what data passes between them, the frequency of the transfers, the security measures, etc. All of this information is key when sharing data with third parties.
It’s important to be aware of the complexities around DataMapping when it involves third parties. Often, the contracts and documentation provided by third parties will place a lot of responsibility on the business to ensure the data is collected and managed in a privacy-compliant way. Further, when Privacy Impact Assessments (PIAs) are made, the business owners are sometimes not able to provide accurate and complete information, as they themselves might not understand all the nuances of the data collected and processed by the third party.
There is a need for automation and audits to capture detailed information about the data collected by third parties.
This information is also vital when ensuring that third parties handle Data Subject Access Requests (DSARs) and opt-out requests in a timely and efficient manner, which is a regulatory requirement. Depending on the requirement, sometimes passthrough requests are made in the case of service providers and processors, whereas sometimes we are required to disclose the third party and provide contact information. The vendor can be the same in both cases.
When there is a clear understanding of what data has been shared with which third party, DSARs and opt-out requests can be handled effectively. Whenever an opt-out request is received, or a signal is detected, the company should have the capability to automatically communicate the details of the request to the third parties involved so that they honor the request as well. A DSAR or an opt-out request is not effectively and completely honored until the third parties involved are also in compliance with the requirements of the request.
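The relation map described above, and the routing of a DSAR or opt-out request derived from it (passthrough to processors, disclosure of contact details for other third parties), as an added illustration that is not part of the original article. All vendor names, contacts, data categories and transfer mechanisms below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ThirdParty:
    name: str
    role: str                         # "processor" (service provider) or "third_party"
    contact: str                      # point of contact recorded in the DataMap
    region: str                       # where transferred data lands, e.g. "EEA" or "US"
    transfer_mechanism: Optional[str]  # recorded safeguard for ex-EEA transfers, None if absent

@dataclass(frozen=True)
class Flow:
    source_system: str                # internal system sending the data
    recipient: ThirdParty
    categories: frozenset             # data categories passing to the recipient
    frequency: str                    # "realtime", "daily", ...

# Constructed relation map (hypothetical vendors, not real companies).
ANALYTICS = ThirdParty("Example Analytics", "processor", "privacy@analytics.invalid", "US", "SCC")
AD_NETWORK = ThirdParty("Example Ad Network", "third_party", "optout@adnet.invalid", "US", None)
PAYMENTS = ThirdParty("Example Payments", "processor", "dpo@payments.invalid", "EEA", None)

DATAMAP = [
    Flow("web_frontend", ANALYTICS, frozenset({"device_id", "page_views"}), "realtime"),
    Flow("crm", AD_NETWORK, frozenset({"email_hash", "device_id"}), "daily"),
    Flow("checkout", PAYMENTS, frozenset({"card_token"}), "realtime"),
]

def route_request(datamap, subject_categories):
    """Given the data categories a DSAR/opt-out concerns, return every recipient
    that received any of them and how to act: processors get a passthrough of
    the request; other third parties are disclosed to the subject with contact."""
    actions = {}
    for flow in datamap:
        hit = flow.categories & subject_categories
        if not hit:
            continue
        r = flow.recipient
        action = "passthrough" if r.role == "processor" else "disclose_contact"
        entry = actions.setdefault(r.name, {"action": action, "contact": r.contact, "categories": set()})
        entry["categories"] |= hit
    return actions

def transfers_missing_safeguards(datamap, adequate=frozenset({"EEA"})):
    """Recipients outside an adequate region with no transfer mechanism recorded."""
    return sorted({f.recipient.name for f in datamap
                   if f.recipient.region not in adequate and f.recipient.transfer_mechanism is None})

if __name__ == "__main__":
    print(route_request(DATAMAP, frozenset({"device_id"})))
    print(transfers_missing_safeguards(DATAMAP))
```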
The Interactive Advertising Bureau (IAB) has provided a solution to reach out to hundreds of third parties in the AdTech ecosystem. Companies can register with IAB and set up the IAB Global Privacy Platform (GPP), which informs those third parties tied with IAB of the users’ preferences.
In the case of SDKs, which are used in mobile apps and smart devices, maintaining a privacy-compliant app environment is vital. Periodic auditing of SDKs is a best practice, as their privacy and data-collection policies may change over time, especially on upgrade. The responsibility falls on developers to ensure that any SDK to be integrated is privacy compliant and to thoroughly study the documentation provided, as the specifications for maintaining compliance are generally included there.
Appropriate security measures when data is being transferred are also necessary. Privacy enhancing technologies (PETs) can be used to anonymize or pseudonymize data so that it is less exposed to data breaches and bad actors during the transfer. Differential Privacy, a privacy enhancing technology used in data analytics, can also be utilized. The National Institute of Standards and Technology (NIST) recently published its guidelines for evaluating differential privacy.
Finally, third parties and service providers need to be audited and assessed on a regular basis. Often, third-party data handling processes are overlooked in order to focus on other matters. However, third parties need to be audited to ensure that they are complying with the requirements of their contracts and that Service Level Agreements (SLAs) and Master Service Agreements (MSAs) are met. In fact, third party, service provider and vendor contracts first need to be assessed and audited to ensure they meet industry standards and compliance requirements.
In an environment where different companies interact and work very closely with one another, whether to build websites, use SDKs, serve AdTech purposes, or provide additional tech support, the risk of facing regulatory heat for noncompliance is high. When substantial efforts are being made to guarantee that our own data handling practices are compliant with regulations, we should ensure that we don’t face heat for the data handling practices of the third parties we interact with. In fact, it is safe to say that a privacy program is not complete and sustainable until third-party governance is also strong. However, there is often a lack of technical talent and expertise to handle the demands of third-party governance in the complex AdTech ecosystem. As the IAB survey report found, 30% of the companies require internal and external assessors to fully understand the scope of what data is shared. Sustainable solutions require deep technical knowledge and skill in multiple areas, which is often not easy to find.