Meta is no stranger to bad press, but the latest headlines about Meta’s tracking pixel are (for once) not entirely its fault. Rather, companies are unintentionally yet inappropriately sharing users’ data with Meta and other third parties, such as data brokers and mobile attribution vendors. This includes the federal student financial aid program FAFSA sending Meta applicants’ information, multiple hospitals who sent Meta patients’ protected health information (which, just to be crystal clear, is illegal without patients’ consent), daycare apps sending event data to Facebook and Branch, and remote learning tools used by school districts nationwide collecting student data and in turn sharing it with marketers and data brokers.
The Risks Of Marketing And Security Staying In Their Lane
Firms need to evaluate what data they’re sharing and with whom — and while that may sound like an obvious statement, the examples above show far too many companies are skipping this critical assessment. Why? Marketers or digital teams frequently make decisions to add trackers or pixels to a company’s website – often in the name of customer understanding or personalization. These trackers provide marketers with the rich data they crave, such as usage analytics, ad conversions, and the promise of better ad targeting. The process of assessing privacy and security of third-party relationships (and code) is the domain of security and risk (S&R) teams. If marketers don’t understand the risk implications of data collection and sharing, they wouldn’t think to involve their S&R colleagues; and if S&R doesn’t understand what data is being collected or how it’s used, they wouldn’t think to assess the risk before deploying marketing technologies and tools.
Technically, dropping a Meta tracking pixel or incorporating a mobile partner’s SDK is really easy, but the onus of gating dataflows and ensuring you aren’t sharing legally protected data falls on brands. When marketing and security don’t work together, it’s the organization that bears the risk.
An Unlikely Partnership To Build Customer Trust
Marketing and risk share a common goal: building customer trust. By partnering rather than working around each other, marketers and S&R pros can use the growing momentum around consumer privacy, which has culminated in a draft federal privacy bill, to engender customer trust.
Now is the time for marketing and S&R to work together to assess data sharing practices, because regardless of the federal bill’s status, reputational harm and loss of customer trust is a risk today. The first step is to reevaluate the code you have on your apps and websites by answering these three questions:
- Are we getting sufficient benefits from this level of personalization, and is it something customers reasonably expect?
- Do we know what personally identifiable information is being collected, and does it align with our policies?
- What third-party technologies or providers are we sharing this data with, and have they been assessed for security and privacy risks?
If the answer to any of the above questions is “no” or “I don’t know,” do some digging stat! And pull risky trackers off your website before you get burned by an investigative journalist or a privacy-savvy customer.