- Norton Rose Fulbright examines consent management platforms
- Businesses should test for errors from users’ perspective
The expansion of privacy legislation across regions comes with numerous, and sometimes conflicting, compliance obligations. These can be challenging legally and technically.
Network traffic analysis can help companies reduce exposure to class-action lawsuits and regulatory enforcement associated with the often necessary use of consent management platforms.
CMP Privacy Risk
The technical side of privacy compliance is particularly tricky for companies—especially those that rely on the ad tech ecosystem to drive revenue or sales. CMPs are often necessary to give users legally required opt-out (and sometimes opt-in) choices on consumer-facing websites and mobile apps.
But CMPs come with their own set of privacy challenges and may fail to operate as intended. This failure can result in data shared to third parties in unexpected ways that ironically create their own litigation risk and regulatory exposure.
Some CMPs operating in the US have also offered curious functionality that doesn’t strictly map to US privacy laws, but instead mimics the EU’s ePrivacy Directive by classifying cookies and cookie controls into categories such as “performance,” “functional,” and “strictly necessary.” If the controls don’t work as intended, a company may be sued or investigated for making misrepresentations to consumers about controls that weren’t even required to begin with.
This risk isn’t theoretical. Setting up CMPs to work as intended can be difficult due to the sheer amount of third-party code that is baked into most consumer-facing web and mobile apps. Such code performs a wide variety of functions: analytics, payment, content delivery, email sign up and dispatch, map integration, and ad tech.
Modes of Operation
CMPs have only two possible modes of operation: sending a signal that indicates a preference, or restricting data transmissions. The mode in which a given CMP operates depends on the company’s configuration choices and the CMP’s features.
Deploying CMPs to send the right signals or restrict the proper transmissions can be a daunting task in even modestly complex development environments. From a consumer’s perspective, CMP failures result in technical behaviors—data transmissions or lack of an opt-out signal—that are contrary to what the user selected.
These failures can arise either from problems with the CMP code, configuration errors by the company, or both. During a failed event, the CMP might trigger the wrong signal, send no signal at all, or fail to block the relevant transmissions.
Detecting CMP Failure
Impediments to detecting failures can be technical in nature or arise from organizational behavior.
The technical challenge is that CMP failures are difficult for a company to detect from its own cloud environment or data center. Although companies have visibility over the server side of their website and mobile app operations, the client side—what happens on the user’s device, including what data is transmitted to third parties—is harder to see.
Most CMP failures happen client-side because the relevant technology is embedded in the website or app used by the consumer, not in the company’s cloud infrastructure. In this respect, CMP visibility issues are a subset of a larger problem that companies have observing client-side technical behaviors.
The gap between what a company thinks is happening client-side versus what is actually occurring drives a vast majority of privacy class actions and regulatory risks, based on our review of suits and enforcement actions commenced over the past several years.
The organizational behavior challenge, meanwhile, stems from the “dead zone” of responsibility when the company believes that the CMP vendor is responsible for the opt-outs. However, CMP vendors often disclaim ultimate responsibility contractually, so it is up to the company to ensure CMPs work as intended. The company also will be the controller or independent business under privacy laws, which likely will be where the buck stops.
Network Traffic Analysis
So, what should a company do? Because the problem is one of technical visibility, the rational answer is for the company to observe what happens on the client side. The most effective and comprehensive way to gain this line of sight and detect CMP malfunctions (along with other potential privacy issues) is to conduct client-side network traffic analysis.
Network traffic analysis is a type of application testing conducted from a would-be user’s perspective. This involves using a special test device that is running the relevant mobile app or web browser; configuring a proxy software that sits between the test device and the internet, decrypting and capturing all traffic; configuring the test device to “trust” the proxy; and testing the relevant features of the website or app while using the proxy.
If a CMP operates as intended in signal mode, the proxy will capture the appropriate opt-out signals being transmitted. Where the CMP is configured to restrict certain transmissions in an opted-out state, the proxy will capture that delta in before/after testing—that is, not-opted out/opted-out—and will show certain transmissions being made in the not-opted-out state and transmissions that are no longer present in the opted-out state.
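As an added illustration, not part of the original article, the following script performs the before/after comparison described above on two proxy captures reduced to (method, URL, request headers) records. The hosts, parameter values and the expected opt-out signal shapes (`us_privacy` query string, `Sec-GPC` header) are constructed assumptions for the example and should be set to match the CMP and laws actually in scope.

```python
"""Before/after comparison of proxy-captured client-side traffic to spot CMP failures."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample captures, one record per request as a decrypting proxy would log it:
# (method, url, request headers). Hosts and parameter values are illustrative only.
FIRST_PARTY = "shop.example"
NOT_OPTED_OUT = [
    ("GET", "https://shop.example/", {}),
    ("GET", "https://cdn.example/app.js", {}),
    ("GET", "https://analytics.example/collect?uid=123", {}),
    ("GET", "https://pixel.example/track?uid=123", {}),
    ("POST", "https://ads.example/sync?us_privacy=1YNN", {}),
]
OPTED_OUT = [
    ("GET", "https://shop.example/", {}),
    ("GET", "https://cdn.example/app.js", {}),
    ("GET", "https://analytics.example/collect?uid=123", {}),  # still fires, no signal
    ("POST", "https://ads.example/sync?us_privacy=1YYN", {}),  # signal flipped to opted out
]
# Assumed signal shapes: a query parameter equal to the configured opted-out value, or a
# request header. Set these to match the CMP and laws in scope for the test.
SIGNAL_QUERY = {"us_privacy": "1YYN"}
SIGNAL_HEADERS = {"Sec-GPC": "1"}


def third_party_hosts(records, first_party=FIRST_PARTY):
    """Hosts contacted other than the first party and its subdomains."""
    hosts = {urlsplit(url).hostname or "" for _m, url, _h in records}
    return {h for h in hosts if h != first_party and not h.endswith("." + first_party)}


def carries_opt_out_signal(url, headers):
    """True when the request carries an opt-out signal in one of the configured shapes."""
    qs = parse_qs(urlsplit(url).query)
    if any(value in qs.get(name, []) for name, value in SIGNAL_QUERY.items()):
        return True
    return any(headers.get(name) == value for name, value in SIGNAL_HEADERS.items())


def compare_captures(before, after, first_party=FIRST_PARTY):
    """Delta the two states: third parties no longer contacted after opt-out (restrict mode
    working), those still contacted (review each), and those contacted without a signal."""
    before_hosts = third_party_hosts(before, first_party)
    after_hosts = third_party_hosts(after, first_party)
    no_signal = {urlsplit(url).hostname for _m, url, hdrs in after
                 if urlsplit(url).hostname in after_hosts and not carries_opt_out_signal(url, hdrs)}
    return {"restricted": sorted(before_hosts - after_hosts),
            "still_contacted": sorted(after_hosts),
            "no_signal": sorted(no_signal)}


if __name__ == "__main__":
    for finding, hosts in compare_captures(NOT_OPTED_OUT, OPTED_OUT).items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```

Hosts listed under `still_contacted` and `no_signal` are findings for review rather than confirmed failures: a content delivery host may legitimately persist, while an analytics endpoint that keeps firing with no opt-out signal is the kind of delta a plaintiff’s expert would highlight.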
Network traffic testing is precisely the type of testing regulators and plaintiffs’ experts perform. If a company wants to gauge and reduce its risk profile, there is no better tool than traffic analysis. Such testing can level the playing field in an arena that has become increasingly favorable to regulators and plaintiffs’ class action attorneys.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Steven B. Roosa is head of Norton Rose Fulbright’s US digital analytics and technology assessment platform.
Wenda Tang is a senior associate in Norton Rose Fulbright’s cybersecurity and data privacy practice.