With the widespread use of web trackers like TikTok, the Meta pixel, and web monitoring tools capturing session data, protecting customer data and ensuring compliance has never been more crucial. Additionally, rapidly evolving state and federal privacy laws have made web privacy compliance quite complicated. This article explores the top four web privacy challenges facing retail companies, drawing insights from LOKKER's Online Data Privacy Report to guide retailers in navigating these complexities.
Challenge No. 1: With a rapidly expanding patchwork of state and federal laws accompanied by a surge in regulatory actions and lawsuits, compliance has become increasingly complex.
Currently, 16 state privacy laws have been signed, five of which are already in effect (California, Colorado, Virginia, Connecticut, and Utah). Two healthcare-specific laws, in Nevada and Washington, took effect on March 31, 2024; three more state laws take effect on July 31, 2024, followed by Montana's on Oct. 1, 2024. A new draft federal bill, the American Privacy Rights Act of 2024 (APRA), aims to establish the first comprehensive data privacy and security regulation in the United States.
All that to say, retailers operating across multiple states face a complex regulatory landscape. Compliance hinges on preventing unauthorized data sharing at the source, and that source is mostly third-party scripts (tags, pixels and other ad tech) that your pages load into visitors' browsers, where they collect and transmit data directly. This requires ongoing monitoring of your third-party vendors, the data they collect, and the geographies they collect it from, since which law applies depends on where the visitor is. Protecting your customers' privacy means blocking unauthorized data collection by cookies and trackers in real time, not discovering it after the fact.
Challenge No. 2: Unauthorized data is collected and shared via web trackers and pixels (and potentially ends up with foreign adversaries).
Let's start with a topic that has recently dominated the news: TikTok. Our research found that nearly 25 percent of all retail sites have the TikTok pixel. The pixel lets a company send events from its website (such as page views or purchases) to TikTok, typically to optimize ad campaigns, attract new customers, and measure web traffic. The concern grows when the data TikTok collects from these web events is combined with the other information it gathers, forming a detailed profile of an individual. For instance, an ad pixel has no legitimate need to learn that an individual searched for healthcare-related products. Tools like TikTok's pixel feed a broader data broker ecosystem in which such data can be sold. This has drawn the attention of the White House and Congress, which are concerned about the potential misuse of this immense amount of data by foreign entities.
TikTok is just one example; this data proliferation happens with many common trackers. We also found that 58 percent of retail websites use the Meta Pixel, which has faced legal challenges around unauthorized data collection. On average, retail sites use 24 trackers.
While these practices pose risks to individuals, companies must also be cautious because of emerging laws against unauthorized data sharing. They must ensure they are not sharing data without user consent, especially around sensitive products such as healthcare-related items (more on this in challenge 4); doing so exposes them to privacy violations and subsequent regulatory fines or lawsuits.
A one-off static web scan isn't enough: scans need to recur at least weekly, and enforcement of your policies needs to happen in real time, at the session level.
Challenge No. 3: More companies are implementing tools like consent management, but they often are misconfigured and leave companies and their customers vulnerable.
Though companies are trying to secure data with consent banners and tools, our report found some issues. While 67 percent of retail sites use cookie consent banners, 98 percent load cookies before displaying the banner. This means that optional cookies load before users can accept or reject them. We've also observed that the “reject all” status for consent often doesn’t work correctly — i.e., it's not blocking all optional cookies, trackers, pixels and beacons.
The reason for this is that a tremendous amount of manual work goes into implementing and maintaining these tools. Common issues include:
- cookies are loaded before the banner loads;
- banners are missing entirely on some pages;
- cookies are classified incorrectly (for example, an advertising cookie tagged as strictly necessary); and
- the consent banner is not updated when new ad tech is added to the site.
The fix is regular testing of the consent tool itself: verify that it behaves correctly in each of the three states a visitor can be in, "accept all," "reject all" and no interaction, and confirm which cookies, trackers, pixels and beacons actually fire in each.
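One way to turn that three-state test into a repeatable check is to record a page load (for example with a browser automation tool) together with the moment the banner appeared and the moment the visitor clicked, then replay the request timeline and flag tracker activity in any state where consent has not been given. The script below is an added example, not LOKKER's tooling and not code from this article. The session recording format, the timestamps, the tracker hostnames for the TikTok and Meta pixels, and the two-label public suffix list are all assumptions made for the demo; a production check would use a full tracker list and the Public Suffix List.

```javascript
// Added example (not from the article or LOKKER): audit a recorded page load
// for tracker requests and third-party cookies that fire before the consent
// banner appears, while it is shown but undecided, or after "reject all".

// Illustrative hostnames for the two pixels the article names. Assumption:
// real tracker lists are far longer; this map only serves the demo.
const TRACKER_HOSTS = {
  'analytics.tiktok.com': 'TikTok pixel',
  'connect.facebook.net': 'Meta pixel',
  'www.facebook.com': 'Meta pixel',
};

// Two-label public suffixes the naive eTLD+1 logic below needs to know about.
// Assumption: a real check should consult the full Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);

// Registrable domain (eTLD+1), e.g. cdn.shop.example -> shop.example
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  const lastTwo = labels.slice(-2).join('.');
  const n = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-n).join('.');
}

// A request is third-party when its registrable domain differs from the site's.
function isThirdParty(requestUrl, siteUrl) {
  return registrableDomain(new URL(requestUrl).hostname) !==
         registrableDomain(new URL(siteUrl).hostname);
}

// Which consent state the page was in when a request fired.
// session.consent is { action: 'accept_all' | 'reject_all' | 'none', at }.
function phaseOf(t, session) {
  if (t < session.bannerShownAt) return 'before-banner';
  const c = session.consent;
  if (!c || c.action === 'none' || t < c.at) return 'no-interaction';
  return c.action === 'accept_all' ? 'after-accept' : 'after-reject';
}

// Walk the timeline and flag known trackers, plus any third-party request
// that sets a cookie, in every phase except after an explicit "accept all".
// Returns { verdict: 'pass' | 'fail', findings: [{ phase, url, reason }] }.
function auditSession(session) {
  const findings = [];
  for (const req of session.requests) {
    const phase = phaseOf(req.t, session);
    if (phase === 'after-accept') continue;            // visitor opted in
    if (!isThirdParty(req.url, session.site)) continue; // first-party traffic
    const host = new URL(req.url).hostname;
    const tracker = TRACKER_HOSTS[host];
    if (tracker) {
      findings.push({ phase, url: req.url, reason: `${tracker} loaded` });
    } else if (req.setsCookie) {
      findings.push({ phase, url: req.url, reason: 'third-party cookie set' });
    }
  }
  return { verdict: findings.length ? 'fail' : 'pass', findings };
}

// Constructed sample session (timestamps in ms since navigation start):
// the banner appears at 1200 ms and the visitor clicks "reject all" at 4000 ms.
const SAMPLE_SESSION = {
  site: 'https://shop.example/',
  bannerShownAt: 1200,
  consent: { action: 'reject_all', at: 4000 },
  requests: [
    { t: 300,  url: 'https://shop.example/', setsCookie: true },              // first-party, fine
    { t: 800,  url: 'https://analytics.tiktok.com/i18n/pixel/events.js' },    // pixel before banner
    { t: 900,  url: 'https://cdn.assets-example.net/app.js' },                // third-party asset, no cookie
    { t: 2500, url: 'https://connect.facebook.net/en_US/fbevents.js' },       // banner shown, no choice yet
    { t: 3000, url: 'https://ads.example-adtech.com/sync', setsCookie: true }, // cookie before a choice
    { t: 4500, url: 'https://www.facebook.com/tr?ev=PageView' },              // fires after "reject all"
    { t: 4600, url: 'https://shop.example/api/cart' },                        // first-party, fine
  ],
};

const report = auditSession(SAMPLE_SESSION);
console.log(`verdict: ${report.verdict}`);
for (const f of report.findings) console.log(`${f.phase}\t${f.reason}\t${f.url}`);
```

Run the same audit three times per page template, once with no interaction, once after "accept all" and once after "reject all"; only the "accept all" run should be allowed to show tracker traffic, and the findings list tells you which vendor and which phase to fix.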
Challenge No. 4: Retailers with health-related businesses face new state and federal regulations, and there’s a great deal of uncertainty about exactly how to comply.
With laws like Washington's My Health My Data Act, the definition of private health information has expanded, and the scope of private lawsuits will likely turn on how far that expansion reaches. This will undoubtedly affect many retailers that sell health-related products. As a result, retailers need to rethink where on their sites they serve ad tech, according to the context of the page. For health-related products, they need to be vigilant about obtaining explicit opt-in consent from consumers. This is especially important for health and wellness products and services, which may fall under these new laws.
In conclusion, the evolving landscape of web privacy and compliance presents significant challenges for retailers. As consumer data becomes increasingly valuable and sensitive, the responsibility to protect it grows and the consequences of not doing so are increasingly severe. Retailers must prioritize transparency, consent management, and proactive compliance strategies to navigate these complexities successfully. As the digital marketplace continues to evolve, staying ahead of these challenges will be crucial for maintaining competitive advantage while upholding ethical and legal standards.
As CEO and founder of LOKKER, Ian Cohen is dedicated to providing solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen formerly served as CEO for Credit.com, and CPO for Experian, where he focused on consumer-permissioned data.