{"id":2121,"date":"2024-01-18T09:59:00","date_gmt":"2024-01-18T15:59:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2121"},"modified":"2025-05-13T13:13:45","modified_gmt":"2025-05-13T18:13:45","slug":"managing-online-tracking-ad-tech-vendors","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/","title":{"rendered":"Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors"},"content":{"rendered":"\t\t<section id=\"block_3241333910a1076b6f86c551deab4d37\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_ead80b8094d14efb606e54c79ac3f685\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<p>Tracking technologies \u2013 and especially \u2018ad tech\u2019 \u2013 used by businesses to pinpoint customer activities and trends, are themselves under greater scrutiny as <a href=\"https:\/\/blog.trustarc.com\/2023\/12\/06\/evolution-us-state-data-privacy-laws-2023-2024\/\" target=\"_blank\" rel=\"noopener\">new and evolving privacy laws<\/a> enter enforcement.<\/p>\n<p>As we\u2019ve seen recently, high profile privacy law enforcement actions do more than bring individual businesses to account for non-compliance \u2013 they make examples of them to put countless other companies (and their vendors) on notice too.<\/p>\n<p>We recently hosted a webinar\u00a0on this very topic: Managing Online Tracking Technology Vendors: <a href=\"https:\/\/info.trustarc.com\/WB-2023-11-28-Vendor-Management-and-CPRA_RegPage.html\" target=\"_blank\" rel=\"noopener\">A Checklist for Compliance<\/a>.<\/p>\n<h2>Privacy law enforcement actions targeting online tracking<\/h2>\n<p>Arguably, the California Attorney General\u2019s <a href=\"https:\/\/blog.trustarc.com\/2022\/09\/30\/ccpa-compliance-lessons-ag-enforcement\/\" target=\"_blank\" rel=\"noopener\">August 2022 enforcement action<\/a> against personal care and beauty retailer Sephora for breaches of the <a href=\"https:\/\/blog.trustarc.com\/2020\/07\/15\/technical-brief-handling-ccpa-consumer-requests\/\" target=\"_blank\" rel=\"noopener\">California Consumer Privacy Act (CCPA)<\/a> was as much about calling out how vendors of ad tech\/online tracking technology are managed \u2013 via criticism of Sephora not having valid controls in service provider contracts \u2013 as it was about the business failing to respect consumers\u2019 opt-out rights.<\/p>\n<p><strong>In its settlement, Sephora agreed to:<\/strong><\/p>\n<ul>\n<li>Pay $1.2 million<\/li>\n<li>Clearly notify consumers of their opt-out rights<\/li>\n<li>Process opt-out requests signaled via the <a href=\"\/resource\/global-privacy-control\/\">Global Privacy Control<\/a><\/li>\n<li>Enter CCPA-compliant contracts with service providers<\/li>\n<li>Establish a two-year compliance program for vendors and other third parties.<\/li>\n<\/ul>\n<p>That last settlement term put many organizations into a spin over their ad tech vendor contracts because many of them knew they faced serious privacy law compliance risks.<\/p>\n<p>Not surprisingly, twelve months later in August 2023, the <a href=\"https:\/\/www.iab.com\/insights\/iab-state-privacy-law-survey-results\/\" target=\"_blank\" rel=\"noopener\">Interactive Advertising Bureau (IAB) reported<\/a> nearly half of all respondents to its State Privacy Law Survey <em>\u201cdo not feel prepared to comply with the vendor due diligence obligations of the laws\u201d<\/em> and there was <em>\u201cconsensus that a lack of adequate contract controls are in place\u201d.<\/em><\/p>\n<p>In our webinar, Taylor Blum highlights some other big takeaways from the IAB State Privacy Law Survey results:<\/p>\n<ol>\n<li><em>\u201cMost respondents truly believe the term \u2018sale\u2019 is a broad concept under each of these data privacy laws, and it generally captures making personal information available for sharing or targeted advertising, ad delivery and measurement activities.\u201d<\/em><\/li>\n<li><em>\u201cThe majority of respondents stated that after a user opts out, ads can be selected using publisher first-party data or contextual signals. There is still another significant percentage of the market that expressed a problematic belief that ad selection based on advertiser personal information can be leveraged, which I think is a big disconnect there \u2026 these can have liability if they fail to conduct adequate diligence on privacy compliance requirements in effectuating app campaigns.\u201d<\/em><\/li>\n<\/ol>\n<h2>What broad definitions of \u2018personal information\u2019 mean for website tracking<\/h2>\n<p>Blum notes the CCPA definition of \u2018personal information\u2019 is a good baseline for businesses to understand the privacy implications of their website tracking activities.<\/p>\n<p>Under CCPA section \u00a7 1798.140(v), \u2018personal information\u2019 is defined as:<\/p>\n<p><em>\u201c\u2026information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household\u2026.\u201d and includes \u201ca unique personal identifier, an online identifier, an Internet Protocol Address, an email, other similar identifiers, internet or other electronic network activity information, or geolocation.\u201d<\/em><\/p>\n<p>In our own experience helping businesses manage privacy law compliance, I\u2019ve found it\u2019s vital that decision makers planning to use online tracking technologies \u2013 for example in marketing \u2013 understand the legal implications of collecting personal information.<\/p>\n<p>They must also flag intended uses of these technologies with the privacy office or legal counsel. Similarly, if you\u2019re in the privacy office, ensure people in the business understand just how granular definitions of personal information have become.<\/p>\n<p>As online tracking technologies are often designed to capture one or more main categories of personal information, it\u2019s useful to understand how they\u2019re defined in subsections of the CCPA:<\/p>\n<ol>\n<li><strong>Unique identifiers<\/strong> (defined under CCPA \u00a7 1796.140(aj)) \u2013 personal information includes \u201cInternet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers or similar technology, customer number, unique pseudonym, or user alias; telephone numbers, or other forms or persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family\u201d.<\/li>\n<li><strong>Precise geolocation<\/strong> (defined under CCPA 1798.140(w)) \u2013 information about a person\u2019s location \u201cderived from a device that is used or intended to be used to locate a consumer within a geographic area that is not equal to or less than the area of a circle with a radius of 1,850 feet\u201d.<\/li>\n<li><strong>Internet or other electronic network activity information<\/strong> (defined under CCPA s 1798.140(f)) \u2013 information about a person\u2019s online activities, such as \u201cbrowsing history, search history, and information regarding a consumer\u2019s interaction with an internet website application, or advertisement\u201d.<\/li>\n<\/ol>\n<h2>Online tracking technologies that can collect personal information<\/h2>\n<p>Most people are well familiar with cookies, but as Ryan Ostendorf explains, it\u2019s also important to understand how other kinds of online tracking technologies work:<\/p>\n\t\t\t\t\t\t\t\t<blockquote class=\"w-indent\">\n\t\t\t\t\t\t\t\t\t<p>\u201cMechanisms where users are identified on the web might be based on a cache object on the browser. Maybe not as a known person but identifying them in such a way that tracking and collection of personal data are possible using the underlying technologies on the website. First-party cookies are also becoming more common, especially from your ad tech vendors, so you need to know if they \u2013 or their underlying technologies \u2013 are used to collect personal information.\u201d<\/p>\n\t\t\t\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"wide-img\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-tracking-technologies.png\" class=\"attachment-full size-full\" alt=\"\" srcset=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-tracking-technologies.png 1598w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-tracking-technologies-300x165.png 300w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-tracking-technologies-1024x564.png 1024w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-tracking-technologies-768x423.png 768w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-tracking-technologies-1536x846.png 1536w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-tracking-technologies-1440x793.png 1440w\" sizes=\"(max-width: 1598px) 100vw, 1598px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<h2>How common online tracking technologies work<\/h2>\n<ul>\n<li><strong>Pixels<\/strong> \u2013 tiny invisible images placed in web pages or emails that load HTML code to collect information about visitors and track their activities.<\/li>\n<li><strong>Web beacons<\/strong> \u2013 images (GIFs) embedded in a web page (often by third parties) to track whether a user has accessed specific content and analyze how they navigate through content.<\/li>\n<li><strong>Software Development Kits<\/strong> \u2013 code integrated in mobile apps to connect them to third-party technologies and services, such as in-app ad displays and tools for analytics or re-engagement. SDKs are often used to track users with a device identifier, such as whether they\u2019re using Android or iOS. They can also be used to collect information such as geolocation or IP address.<\/li>\n<li><strong>Cookies<\/strong> \u2013 small data files stored in a user\u2019s web browser that allow advertisers to track their behavior and personalize their online experience, such as displaying better-targeted ads and content optimized for their location, language, and device.<\/li>\n<li><strong>Third-party libraries<\/strong> \u2013 collections of data not owned or controlled by a business, bought from third parties to help analyse potential customer audiences. Businesses are moving away from their reliance on third-party data as privacy regulations restrict sale or sharing of personal information; and updates to web browsers and mobile devices bring stronger privacy protections.<\/li>\n<li><strong>Session replay technology<\/strong> \u2013 trackers added to a user\u2019s browser to record how they navigate a website (mouse clicks and scrolling) and interact with content. Analyzing how users interact with navigation controls and content can reveal friction points which cause drop offs, and show which design elements or content types appeal most. Session replays are sometimes also used to profile users for marketing and sales purposes.<\/li>\n<\/ul>\n\t\t\t\t\t\t\t\t<blockquote class=\"w-indent\">\n\t\t\t\t\t\t\t\t\t<p>\u201cWe\u2019ve seen a variety of litigation regarding the use of session replay technology, which tries to equate them to various wiretapping laws,\u201d explains Taylor Brum. \u201cA lot of times they\u2019re used to see how users use your website. But it\u2019s important to understand what you\u2019re capturing and making sure you\u2019re not using them on pages where sensitive data is being inputted.\u201d<\/p>\n\t\t\t\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t\t\t<h2>Market forces affecting tracking technology practices<\/h2>\n<p>In our work, we\u2019ve seen several major market forces impact privacy compliance programs. They\u2019re mostly driven by changes to privacy regulations \u2013 and so far, the biggest impact is CCPA enforcement.<\/p>\n<h3>California\u2019s enforcement of sale\/share<\/h3>\n<p>The California Attorney General\u2019s enforcement action against Sephora delivered for many a new understanding of \u2018sale\u2019 when online tracking technologies are involved:<\/p>\n<p><em>\u201c\u2026where the business discloses or makes available consumers\u2019 personal information to third parties through the use of online tracking technologies such as pixels, web beacons, software development kits, third-party libraries, and cookies, in exchange for monetary or other valuable consideration including personal information\u2026 analytics or free or discounted services.\u201d<\/em><\/p>\n<p><strong>Recommended action:<\/strong> ensure your tracking technology vendors are compliant with this new understanding of \u2018sale\u2019. If an organization is engaging in sale\/share this triggers several different enforceable obligations.<\/p>\n<h4>How to assess your ad tech vendor:<\/h4>\n<ul>\n<li>Is your organization subject to CCPA?<\/li>\n<li>Does your organization use online tracking technologies?<\/li>\n<li>Is your organization disclosing or making available California consumers\u2019 personal information to third parties?<\/li>\n<li>If there are benefits exchanged with the third party, are they monetary (direct financial payment or other financial benefits) or non-monetary (analytics or free\/discounted services)?<\/li>\n<li>Are there any exceptions to the sale?<\/li>\n<li>Is your vendor classified as a service provider or third-party? If it\u2019s a third-party, you must give consumers an opt-out.<\/li>\n<\/ul>\n<h3>Updates to state privacy regulations for consumers\u2019 rights to opt-out<\/h3>\n<p>Several states\u2019 privacy regulations now deliver stronger rights for consumers to opt-out from some forms of tracking.<\/p>\n<p>In California the CCPA delivers the right to opt-out of sharing for cross content behavioral advertising (effective January 1, 2023); while the following state regulations deliver the right to opt-out of processing for purposes of targeted advertising:<\/p>\n<ul>\n<li>Virginia Consumer Data Protection Act \u2013 effective January 1, 2023<\/li>\n<li>Colorado Privacy Act \u2013 effective July 1, 2023<\/li>\n<li>Connecticut Data Protection Act \u2013 effective July 1, 2023<\/li>\n<li>Utah Consumer Privacy Act \u2013 effective December 31, 2023<\/li>\n<\/ul>\n\t\t\t\t\t\t\t\t<blockquote class=\"w-indent\">\n\t\t\t\t\t\t\t\t\t<p>\u201cIt\u2019s important to note while all five of these laws give consumers the right to exercise controls around targeted advertising, they do preserve the ability for businesses to engage in contextual advertising,\u201d explains Taylor Blum. \u201cFor an ad to be contextual it needs to be relevant (in context) to the content of a website the user is viewing; for example, an ad for running shoes placed on a running forum.\u201d<\/p>\n\t\t\t\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t\t\t<h3>Health privacy under HIPAA<\/h3>\n<p>The FTC has been very active in expanding the definition of consumer data through its enforcement of Health Insurance Portability and Accountability Act (<a href=\"https:\/\/blog.trustarc.com\/2022\/06\/23\/hipaa-compliance-privacy-solutions\/\" target=\"_blank\" rel=\"noopener\">HIPAA<\/a>).<\/p>\n<p>The updated definition of sensitive health data is no longer limited to personal health information under HIPAA, and now includes data that conveys information or enables inferences about a consumer\u2019s health.<\/p>\n<p>The FTC is taking a similar approach with tracking technologies used to collect or disclose sensitive personal information, which may be deemed an unauthorized disclosure under Health Breach Notification Law or breach the promises in a privacy policy if the consumer has not given consent for the collection\/disclosure.<\/p>\n<p><strong>Recommended action:<\/strong> exercise extreme caution when using online tracking technologies and ensure you\u2019re not creating inferences about a consumer\u2019s health from any data collected.<\/p>\n<h3>Health privacy under Washington My Health My Data Act<\/h3>\n<p><a href=\"https:\/\/blog.trustarc.com\/2023\/07\/14\/washington-my-health-my-data-act-implications\/\" target=\"_blank\" rel=\"noopener\">Washington My Health My Data Act<\/a> goes into effect on March 31, 2024, for large businesses and June 30, 2024, for small and medium businesses.<\/p>\n<p>It covers any business that collects, uses, discloses, or sells health data of Washington consumers and provides a private right of action for consumers reporting breaches of privacy.<\/p>\n<p>Consumer health data is very broadly defined under the Act and includes any data that could be used to reveal or infer a health condition or diagnosis.<\/p>\n<p><strong>Recommended action:<\/strong> analyze whether your business is processing health data of Washington consumers (under the very broad definition of \u2018health data\u2019); and if so, ensure compliance with data processing restrictions under the Act across your business and in contracts with third parties.<\/p>\n<h3>Litigation trends related to online tracking technologies<\/h3>\n<p>We\u2019re seeing increasing volumes of lawsuits focusing on notice, consent, and disclosure practices associated with online tracking technologies.<\/p>\n<p>And some of these actions involve plaintiffs\u2019 attorneys using non-traditional privacy laws to allege violations as these laws may make stronger remedies available, such as punitive, statutory, and treble damages.<\/p>\n<p>Legal theories we\u2019ve seen used to litigate against tracking technologies \u2013 and especially session replay technologies \u2013 include:<\/p>\n<ul>\n<li>Wiretapping laws<\/li>\n<li>Video Privacy Protection Act<\/li>\n<li>California Invasion of Privacy Act<\/li>\n<li>RICO Conspiracy<\/li>\n<li>California Penal Code 631 and 632.<\/li>\n<\/ul>\n<p><strong>Recommended action:<\/strong> while some claims may be baseless, it\u2019s important to understand the increasing risks of using online tracking technologies. You need to know what you\u2019re using, how, and why (and whether it\u2019s truly business critical). A legal counsel can help you review your use of online tracking technologies and assess business risks of continuing or discontinuing their use.<\/p>\n<h3>Tracking technologies under review for EU\/UK GDPR compliance<\/h3>\n<p>The <a href=\"https:\/\/trustarc.com\/regulations\/gdpr\/\" target=\"_blank\" rel=\"noopener\">EU GDPR<\/a> and <a href=\"https:\/\/trustarc.com\/resource\/uk-privacy-law-update-uk-gdpr\/\" target=\"_blank\" rel=\"noopener\">UK GDPR<\/a> definitions of personal information do not specifically call out tracking technologies, however their scope is broad enough to interpret trackers such as cookies as personal information.<\/p>\n<p>On December 7, 2023, the European Data Protection Board (EDPB) published an <a href=\"https:\/\/edpb.europa.eu\/news\/news\/2023\/edpb-publishes-urgent-binding-decision-regarding-meta_en\" target=\"_blank\" rel=\"noopener\">urgent binding decision<\/a> <em>\u201cimposing a ban on Meta Ireland for the processing of personal data for behavioural advertising purposes on the basis of contract and legitimate interest\u201d.<\/em><\/p>\n<p>The EDPB is also championing the European Commission\u2019s \u2018<a href=\"https:\/\/edpb.europa.eu\/news\/news\/2023\/edpb-cookie-pledge-initiative-should-help-protect-fundamental-rights-and-freedoms_en\" target=\"_blank\" rel=\"noopener\">Cookie Pledge<\/a>\u2019, an initiative designed to help protect fundamental rights and freedoms of users in the EU by giving them \u2018concrete\u2019 information on how their data is processed and the consequences of accepting different types of cookies.<\/p>\n<p>We expect more data protection authorities across Europe will join Belgium, France and Spain to issue cookie consent guidance documents.<\/p>\n<p>The European Union\u2019s data protection authorities are focussing on consent, cookie walls, and cookie banner compliance and we anticipate enforcement will ramp up in 2024\/25.<\/p>\n<p><strong>Recommended action:<\/strong> ensure compliance on EU data protection authorities\u2019 rules around cookie banners and other tracking technologies. And prepare for expanding scope of rules in 2024\/25 regarding personal information and tracking technologies.<\/p>\n<h3>Best practices and legal compliance software for managing ad tech\/tracker risk<\/h3>\n<p>1. Understand how vendors\u2019 technologies identify users<\/p>\n<p>2. Know which third-party technologies are sitting on your website \u2013 and how trackers work on a consumer\u2019s browser<\/p>\n<p>3. Implement a Tag Management System (TMS) to control how third-party code is executed on your website, including enforcement of opt-in or opt-out: the TMS will allow blocking of cookies\/trackers and other mechanisms of data collection when users have opted-out of ad tech and\/or analytics and tracking<\/p>\n<p>4. Use a <a href=\"https:\/\/trustarc.com\/resource\/consent-management-platforms-trends-and-insights\/\" target=\"_blank\" rel=\"noopener\">Consent Management Platform (CMP)<\/a> that gives users a notice and choice mechanism, which in tandem with your TMS will automate how users\u2019 choices are respected<\/p>\n<p>5. Scan your website (discovery processes) to reveal categories of trackers (i.e., functional, analytics, performance, or ad tech)<\/p>\n<p>6. Consult your Privacy Office \/ legal counsel to determine Tag Management System controls for tracker codes based on users\u2019 consent choices in the CMP and their location (e.g., automatically opting-out users located in the EU)<\/p>\n<p>7. Conduct scans of your website to validate compliance with all applicable privacy regulations:<\/p>\n<ul>\n<li>Are trackers still dropping in GDPR regions before users opt in?<\/li>\n<li>Are trackers dropping if users have opted out?<\/li>\n<li>Are advertising trackers still dropping if users under CCPA have opted out of advertising?<\/li>\n<\/ul>\n<p>8. Ensure your system is configured to prevent vendors\u2019 trackers\/ad tech from functioning and collecting personal information where users have opted out (or been automatically opted out based on location)<\/p>\n<p>9. Keep your notices updated to reflect the latest technologies on your website \u2013 and users\u2019 choices about those technologies \u2013 ensuring disclosers are accurate, transparent, and clear to consumers<\/p>\n<h4>Alternatives to tag management:<\/h4>\n<ul>\n<li>Use a tag-blocking solution in a CMP, which will attempt to auto-block requests to third-party code<\/li>\n<li>Use an API in a CMP to block your own code and only allow it to be executed if users opt-in via the CMP\u2019s notice and consent choices<\/li>\n<li>Checklist for Onboarding an Ad Tech Vendor<\/li>\n<\/ul>\n<h2>Ad tech vendor onboarding checklist<\/h2>\n\t\t\t\t\t\t\t\t<div class=\"wide-img\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-Track-Compliance-Checklist.png\" class=\"attachment-full size-full\" alt=\"flow chart for onboarding an ad tech vendor\" srcset=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-Track-Compliance-Checklist.png 1612w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-Track-Compliance-Checklist-300x163.png 300w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-Track-Compliance-Checklist-1024x558.png 1024w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-Track-Compliance-Checklist-768x418.png 768w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-Track-Compliance-Checklist-1536x837.png 1536w, https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/Online-Track-Compliance-Checklist-1440x784.png 1440w\" sizes=\"(max-width: 1612px) 100vw, 1612px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<h2>2024 privacy trends<\/h2>\n<ul>\n<li>After several delays, Google may deprecate third cookies in Chrome and move towards a \u2018privacy sandbox\u2019 \u2013 when this happens, <a href=\"\/products\/consent-consumer-rights\/consent-preference-manager\/\">Consent Management Platforms<\/a> will need new solutions<\/li>\n<li>European Data Protection Board (EDPB) will likely expand the scope of personal information and tracking technologies<\/li>\n<li>More Data Protection Authorities in the EU will harmonize cookie enforcement<\/li>\n<li><a href=\"https:\/\/www.ftc.gov\/\" target=\"_blank\" rel=\"noopener\">U.S. Federal Trade Commission (FTC)<\/a> will continue enforcement against businesses for violations involving tracking technologies<\/li>\n<li><a href=\"https:\/\/cppa.ca.gov\/\" target=\"_blank\" rel=\"noopener\">California Privacy Protection Agency (CPPA)<\/a> will focus more on what\u2019s going on \u2018behind the scenes\u2019 \u2013 CPPA is hiring technologists to develop solutions for scanning and defining session debt, tracking, mobile apps and SDK opt-outs, ensuring they function and that data flows are shut off<\/li>\n<li><a href=\"https:\/\/blog.trustarc.com\/2023\/07\/14\/washington-my-health-my-data-act-implications\/\">Washington My Health My Data Act<\/a> goes into effect \u2013 March 31, 2024, for large businesses and June 30, 2024, for small and medium businesses \u2013 providing private right of action for violations<\/li>\n<li>Litigation will continue to focus on Meta pixel use, session replay technologies and activities triggering UCL (unfair competition law) claims.<\/li>\n<\/ul>\n<p><strong>Recommended action:<\/strong> Understand how your online tracking vendors\u2019 technologies are working on your website; review contracts for compliance; understand the litigation risks and ensure due diligence to manage risks.<\/p>\n<h2>TrustArc solutions for tracking technologies and cookies<\/h2>\n<p>TrustArc helps businesses address global consent requirements for compliance with regulations on cookies, web tracking technologies, and ad tech.<\/p>\n<p><strong>Identify and monitor cookies, trackers, and website behavior to deliver a secure digital user experience.<\/strong><\/p>\n\t\t\t\t\t\t\t\t\t<div class=\"question-box-multiple\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-dark\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Consent_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Cookie Consent Manager<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400\">Effortlessly manage geo-dynamic cookie disclosures, end-to-end tracker monitoring, and compliance reporting.<\/span><\/p>\n<a href=\"https:\/\/trustarc.com\/cookie-consent-manager\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Detailed-View_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Website Monitoring Manager<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400\">Automate regular vendor tracker scans to ensure your site complies with <\/span>GDPR<span style=\"font-weight: 400\">, <\/span>CCPA<span style=\"font-weight: 400\">, and <\/span>FTC<span style=\"font-weight: 400\"> guidelines.<\/span><\/p>\n<a href=\"\/website-monitoring-manager\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box-multiple\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Mobile-Question_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Consent and Preference Manager<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400\">Centralize and sync all customer consents across your systems and ensure precise control over first-party data collection and tracker management.<\/span><\/p>\n<a href=\"https:\/\/trustarc.com\/consent-preference-manager\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-dark\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Update_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>DAA AMI Validation<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Validate your addressable media identifiers and demonstrate compliance with industry standards, safeguarding consumer privacy and bolstering trust with partners and customers.<\/p>\n<a href=\"https:\/\/trustarc.com\/digital-advertising-alliance-validation\/\" class=\"cta\">Get validated<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/compliance\/\" class=\"badge\">Compliance<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/vendor-management\/\" class=\"badge\">Vendor Management<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>Privacy experts shares strategies for navigating online tracking vendor relationships under privacy laws such as CCPA\/CPRA.<\/p>\n","protected":false},"featured_media":1258,"template":"","topic-resource":[61,74],"type-resource":[6],"class_list":["post-2121","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-compliance","topic-resource-vendor-management","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors | TrustArc<\/title>\n<meta name=\"description\" content=\"Privacy experts shares strategies for navigating online tracking vendor relationships under privacy laws such as CCPA\/CPRA.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/managing-online-tracking-ad-tech-vendors\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/managing-online-tracking-ad-tech-vendors\\\/\",\"name\":\"Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/managing-online-tracking-ad-tech-vendors\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/managing-online-tracking-ad-tech-vendors\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/res-feat-rect-pink-test.png\",\"datePublished\":\"2024-01-18T15:59:00+00:00\",\"dateModified\":\"2025-05-13T18:13:45+00:00\",\"description\":\"Privacy experts shares strategies for navigating online tracking vendor relationships under privacy laws such as CCPA\\\/CPRA.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/managing-online-tracking-ad-tech-vendors\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/managing-online-tracking-ad-tech-vendors\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/res-feat-rect-pink-test.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/res-feat-rect-pink-test.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors | TrustArc","description":"Privacy experts shares strategies for navigating online tracking vendor relationships under privacy laws such as CCPA\/CPRA.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/","url":"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/","name":"Privacy Law Compliance: Managing Online Tracking (Ad Tech) Vendors | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/01\/res-feat-rect-pink-test.png","datePublished":"2024-01-18T15:59:00+00:00","dateModified":"2025-05-13T18:13:45+00:00","description":"Privacy experts shares strategies for navigating online tracking vendor relationships under privacy laws such as CCPA\/CPRA.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/managing-online-tracking-ad-tech-vendors\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/01\/res-feat-rect-pink-test.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/01\/res-feat-rect-pink-test.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1258"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2121"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2121"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}