Companies Sought Help From Privacy Vendors. They Still Got Fined

July 14, 2025, 9:05 AM UTC

Companies have relied on compliance vendors to help them navigate new privacy laws and stay out of trouble. That hasn’t quite worked out.

Vendors operating with little oversight and at times outdated tech have left businesses with consumer-facing websites open to fines and other enforcement actions.

Regulators are now signaling that companies “can’t just slap a compliance program in place and then never look at it again,” said Jami Vibbert, chair of Arnold & Porter’s privacy, cybersecurity, and data strategy group.

For example, Healthline Media LLC was hit July 1 with a $1.55 million fine under the California Consumer Privacy Act, the largest penalty to date under the state’s privacy law and the third this year to call out misconfigured privacy tools. Healthline’s compliance vendor, which wasn’t named in the complaint, didn’t block website trackers it was supposed to, the media company told the regulator.

California has fined media, retail, and automotive companies this year, putting businesses with public sites on alert to keep a closer eye on compliance vendors and the tools meant to help them meet legal requirements. Such oversight will be increasingly critical as state and international privacy statutes grow and more tech-savvy regulators look closer at companies’ data privacy practices.

The scrutiny will likely spread outside of California to states like Colorado or Texas, Vibbert added, increasing the need for companies to adapt how they audit their compliance partners.

Vendor ‘Gold Rush’

Companies offering privacy-compliance solutions like consent management tools or automated data maps have multiplied in the last decade, in part boosted by enactment in 2018 of the EU’s flagship privacy law, the General Data Protection Regulation.

This marked the start of a “big gold rush” of vendors entering the privacy compliance market, said Ryan O’Leary, research director in the Security and Trust research program at IDC, a market research and consulting firm.

Since then, the rise of comprehensive state data privacy laws in the US—now at 20—has fueled the need for tools that can help companies comply with growing legal obligations.

The IAPP, an industry group of data governance professionals, lists hundreds of companies in the US alone that offer privacy compliance services ranging from consulting to technology solutions.

Vendors including BigID, DataGrail, OneTrust LLC, and TrustArc have raised millions in funding, according to an IAPP 2022 vendor tech report, with OneTrust alone securing rounds of funding worth a combined $500 million in 2020.

Compliance vendors are working with some of the best-known Fortune 100 companies.

OneTrust, which was named in a March CPPA enforcement action against American Honda Motor Co. Inc., was founded in 2016. The Atlanta-based company has more than 14,000 customers including Adobe Systems Inc., Pfizer Inc., Walgreens, Aetna Inc., The World Bank, and Samsung, according to its website. It says it serves 75 of the Fortune 100 companies.

OneTrust declined to comment.

State Laws Outpace Tech

As the privacy compliance industry grows and more companies sign up for vendors’ services, some of those tools haven’t kept up with newer, more stringent privacy laws, attorneys and vendors told Bloomberg Law.

The technology used by “most vendors in this space hasn’t changed” since before the enactment of the GDPR, said one compliance provider who spoke on condition of anonymity.

“Rigid, ossified, legacy technology isn’t setting up businesses to succeed,” the same provider added.

For example, giving consumers the option to disable cookies may not turn off all of a company’s tracking technology. So consumer data could still be automatically sent to a third party for advertising.

Vendors cannot just repurpose tools meant to comply with EU’s data protection law for California’s rules, said Daniel M. Goldberg, chair of the data strategy, privacy & security group at Frankfurt Kurnit Klein & Selz PC.

“Many solutions are solutions that are built for one purpose,” Goldberg said, adding that some vendors’ “default configurations often aren’t drafted in a way that is sufficient to address US privacy law.”

Buying Compliance?

The gap between technology and customer rights is now on regulators’ radar.

In May, the California Privacy Protection Agency found that clothing retailer Todd Snyder Inc. relied on “third-party privacy management tools without knowing their limitations or validating their operation.”

Meanwhile, Honda’s use of compliance vendor OneTrust failed to provide users with a symmetrical choice: opting out of a sale or sharing of their information was not as easy as giving consent.

Honda told Bloomberg Law it has started changing the way consumers can submit requests, enhancing its cookie management tools, and updating its contract management processes. Honda didn’t answer further questions about whether it is using different cookie management tools or vendors following the fine.

Still, the responsibility for honoring consumers’ privacy rights ultimately falls on the companies themselves, which have a duty to check that their tools actually follow through on users’ data rights requests.

“I fear that we’re still in the 2018 stage of, ‘If I just write a check to a data privacy vendor and can prove my receipt to the governing body, regulatory body, then they’ll know that I’m making an effort to comply with these laws,’” IDC’s O’Leary said.

These tools can require constant oversight, because any change to a business’s website, for instance, can stop the solution from working as intended. Most products also rely on downstream teams, such as web design or marketing, to confirm that they are integrated and working properly.

Vendors are technical partners “and should be treated that way by the businesses,” the compliance vendor said.

Out-of-the-box compliance, the same provider added, “just doesn’t work.”

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Catalina Camia at ccamia@bloombergindustry.com; Jeff Harrington at jharrington@bloombergindustry.com
