Considering Consumer Privacy: How Third-Party Services Create Risks for Today’s Websites (Part 2)
December 3, 2019
by Tirtza Giles
Nearly all major websites rely on embedded third-party services today, and for good reason. As we explained in a recent blog post, these services give companies an efficient way to offer enhanced customer experiences, while also making sure that their websites are built to achieve their business goals. And these services allow them to accomplish these goals using readily available technology, rather than needing to develop websites entirely from scratch.
However, relying on third-party services requires a company to relinquish some control over its own website. This can be a risky proposition, and the risk is increasing.
In part, that is because the methods used by bad actors (such as hackers) are getting more sophisticated. At the same time, the risk is getting more acute for businesses because of the changing legal landscape surrounding issues of consumer privacy.
Most of all, these risks stem from the way third-party services access information on a website. A service embedded through a script tag runs with the same privileges as the site's own code: by default it can read everything on the page, including the DOM, the contents of forms as they are filled in, cookies not marked HttpOnly and browser storage, and it can send whatever it reads to any server it chooses. Depending on the website, that data can include a user's personally identifiable information (PII), personal details such as their name, birthdate, or even credit card number.
Because it is common for these service providers to update their code frequently – in many cases, three or four times per month – it can be difficult for a company to know exactly what information a service is collecting and how it is using that information at any given time. Moreover, a third-party vendor could make significant changes affecting end users’ privacy without informing either the companies that rely on its services or their end users.
In addition to concerns about consumer privacy, a third-party service can increase the risk of a company suffering a major data breach, even if the service provider itself has no ulterior motive for collecting consumer details. One of the most serious threats comes from Magecart, an umbrella term for a number of loosely affiliated criminal groups that over the past several years have repeatedly compromised third-party scripts and services in order to skim payment card data from checkout pages. In one particularly costly incident, card details were skimmed from the British Airways website, and the UK Information Commissioner's Office announced its intention to fine the airline about $229 million (£183 million).
Compounding these risk factors, in many cases a third-party service will itself rely on an external provider. In those situations, an end user's browser sends information about that user to the third-party vendor, which in turn passes it on to a fourth-party vendor. As a result, data gathered by a company's website can end up with a vendor that the company's own developers have never heard of.
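The first practical step against the visibility problem described in the last few paragraphs (vendors shipping new code several times a month, and loaders pulling in fourth parties) is simply knowing which scripts a page loads and whether any of them are pinned to known content. The Node.js script below is an added example written for this page; it is not Namogoo's code or any vendor's product. It parses a constructed HTML snippet (the hostnames are made up), classifies each script tag as first- or third-party relative to the site's origin, and flags third-party scripts that carry no Subresource Integrity (SRI) hash. With SRI, the browser refuses to run a file whose bytes differ from the pinned hash, so a silent vendor update fails loudly instead of running unseen. Two assumptions are labelled in the code: "same site" is approximated by the last two DNS labels rather than the Public Suffix List, and the HTML is scanned with a regular expression rather than a full parser.

```javascript
// Added example, not Namogoo's code or any vendor's product: inventory the
// <script> tags in a page, classify each as first- or third-party relative to
// the site's own origin, and flag third-party scripts that are not pinned
// with Subresource Integrity (SRI). The HTML and hostnames below are
// constructed for the demo.

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.com/checkout.js"></script>
<script src="https://tag.vendor-analytics.example/loader.js"></script>
<script src="https://cdn.widget-chat.example/v3/chat.js"
        integrity="sha384-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123"
        crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Pull one attribute value out of an opening <script ...> tag.
// Assumption: a regex scan is enough for this demo; real pages need a parser.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
  return m ? m[1] : null;
}

// Assumption: "same site" means the last two DNS labels match. A real tool
// would consult the Public Suffix List (co.uk, com.au, ...).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Returns one record per script tag: where it comes from, which party owns
// it, whether it is pinned with SRI, and a finding text if action is needed.
function classifyScripts(html, firstPartyOrigin) {
  const siteDomain = registrableDomain(new URL(firstPartyOrigin).hostname);
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const src = attr(tag, 'src');
    if (src === null) {
      // Inline code the site ships itself; nothing external to pin.
      return { src: null, host: null, party: 'inline', pinned: false, finding: null };
    }
    const url = new URL(src, firstPartyOrigin);
    const party = registrableDomain(url.hostname) === siteDomain ? 'first' : 'third';
    const integrity = attr(tag, 'integrity');
    const pinned = integrity !== null && /^sha(256|384|512)-/.test(integrity);
    let finding = null;
    if (party === 'third' && !pinned) {
      finding = 'third-party script without SRI: vendor can change the code at any time';
    } else if (party === 'third' && pinned && attr(tag, 'crossorigin') === null) {
      // Cross-origin SRI needs a CORS-enabled fetch; without it the browser
      // cannot verify the bytes and refuses to run the script at all.
      finding = 'SRI present but crossorigin attribute missing: the load will fail';
    }
    return { src, host: url.hostname, party, pinned, finding };
  });
}

// Only the entries that need a human decision.
function findings(html, firstPartyOrigin) {
  return classifyScripts(html, firstPartyOrigin).filter((s) => s.finding !== null);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classifyScripts(SAMPLE_HTML, 'https://www.example-shop.com'));
}
```

Run it with `node` and the analytics loader is the one row flagged: it is third-party and unpinned, so whatever its vendor ships next week runs on the checkout page unreviewed. The limit of this check is exactly the fourth-party problem from the paragraph above: SRI pins only the file named in the tag, so a pinned loader that fetches further scripts at runtime still brings in code nobody has inventoried. Those loads have to be watched at the network layer, for instance by restricting where scripts may be loaded from and where the page may send data with a Content Security Policy.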
Meanwhile, the risk that embedded third-party services pose to companies is on the rise due to international legislative trends.
How are new laws raising the stakes for companies?
At the heart of the legal risks created by third-party services are the European Union’s General Data Protection Regulation (GDPR, which went into effect in 2018) and the California Consumer Privacy Act (CCPA, most of which is slated to go into effect at the beginning of 2020). While there are significant differences between the laws, they both share the general goal of expanding individuals’ rights regarding their personal information – and they both regulate companies that meet certain criteria, regardless of where those companies are located.
Perhaps the most important similarity between these laws is that companies found to violate them risk potentially devastating penalties. Under the GDPR, a business that commits an especially serious infraction can be fined up to 4% of its worldwide annual turnover or 20 million euros, whichever is higher. The GDPR is the law under which British Airways faces the proposed $229 million fine following its data breach.
Under the CCPA, the exposure is less predictable. The law itself caps civil penalties at $7,500 for an intentional violation and $2,500 for an unintentional one, but it also gives consumers a private right of action, individually or as a class, when their personal information is exposed in a data breach caused by a failure to maintain reasonable security: statutory damages of between $100 and $750 per consumer per incident, or actual damages if those are greater.
Because of these laws’ requirements and many websites’ reliance on a wide variety of dynamic third- and fourth-party services, ensuring legal compliance is an ongoing process for today’s companies. Not only must they first receive consent from individuals in order to gather and maintain their personal information, but these businesses must continually verify that they are only allowing this information to be used in the specific ways that users have consented to.
Adapting to new developments
While there are good reasons that nearly all companies’ websites take advantage of third-party services, this model of web development creates some significant vulnerabilities for these businesses. Making the risk particularly concerning are unprecedentedly strict consumer privacy laws, the widespread sharing of information with fourth-party services, and increasingly sophisticated methods used by hackers.
But while bad actors continue to innovate and refine their methods of compromising consumers’ privacy via third-party online services, the technology that can reduce the risk for companies likewise continues to progress. Today, companies can address these risk factors by using AI-powered technology such as Namogoo’s end-to-end Customer Privacy Protection (CPP) solution.
This way, businesses can protect both their customers’ privacy and their own brand reputations, while also mitigating their own legal exposure. Most importantly, they can enjoy all the benefits of using third-party services, without running the risk of falling victim to a major consumer privacy violation or data breach due to a lack of visibility into these services’ activities.
Why do many companies choose to embed third-party services into their websites, what are the risk factors they need to watch out for, and how can innovative technology mitigate these risks? To learn more, download our free eBook Online Privacy in a World of Third-Party Services: How to Protect Your Customers and Your Business.