The Website Privacy Episode
Transcript
Introduction to the Guest and Topic:
Host Allie Krings introduces Mark Hinely, Vice President of Privacy Assurance Services at KirkpatrickPrice. The conversation focuses on website privacy and the common issues that arise from it. Mark shares his background, noting that his expertise lies in privacy compliance rather than healthcare emergencies.
What is Privacy?
Privacy is fundamentally about the idea that personal information – such as a person’s name, image, email address, and account numbers – is property that belongs to them. Individuals have the right to decide how that information is used, who it is shared with, where it goes, and what happens to it. Even in a digital world where personal information moves quickly and freely, allowing others to use that data does not mean individuals lose all rights over it. Organizations that receive personal information have ethical, contractual, and legal obligations to handle it responsibly. Privacy has evolved beyond simple secrecy to include rights such as the ability to delete information, opt out of its use, amend it, or restrict its processing.
What Does Website Privacy Look Like Up Close?
When visiting a website or using a mobile application, users are often presented with cookie consent banners asking them to accept or opt out of data collection. Ideally, a user would read the options carefully, understand what each choice means, make an informed decision, and trust that the website will honor it. However, this does not always happen:
Broken Opt-Out Functions: Some organizations implement opt-out or “Do Not Sell My Information” buttons that appear functional but do not actually work. In one notable case, Tractor Supply Company directed users to a web form to opt out of their data being sold or shared, but when the form was submitted, nothing happened. The state of California discovered this and fined the company over one million dollars for failing to facilitate those opt-out requests.
Intentionally Difficult Opt-Out Processes: Some organizations make it deliberately difficult to opt out by hiding opt-out links in obscure corners of their website, routing users through chatbots or agents who resist the request, or requiring so many steps that users give up. Even if the technical option exists, making it impractical can itself be treated as a privacy violation.
How Are Privacy Violations Discovered?
Regulatory Action: Privacy regulators at the state level – particularly in California – actively monitor and sanction organizations that violate privacy rights. Tractor Supply Company’s case is one example of a regulator finding and penalizing a company for a non-functioning opt-out mechanism.
Litigation: There is a growing number of privacy-related lawsuits, sometimes called “nuisance litigation.” This includes privacy advocates who deliberately test websites to check whether opt-out and cookie consent features work correctly. If they do not, an attorney may send a demand letter or initiate litigation. Some organizations receive what appear to be form letters with only the company name changed, alerting them that their cookie consent mechanism or privacy policy has a defect; these organizations often learn about their own violations only after being threatened with legal action.
What Are the Consequences for Consumers?
The outcome for affected consumers depends on the specifics of the case and any resulting settlement agreement. In Tractor Supply’s case, the company was required to take remediation steps, which can include posting a notice on their website explaining the violation, the timeframe in which users may have been affected, and the steps taken to address the issue. However, once personal data has been shared or processed, it may be impossible to fully retrieve it.
How Should Companies Ensure Website Privacy Compliance?
Conduct a Tracking Technology Inventory: Whether a website is brand new or already established, the first step is to create a complete inventory of all the ways personal information is collected. This goes beyond obvious methods like web forms to include cookies, beacons, session replay tools, pixels, and other tools that may not be immediately visible. This inventory should be kept up to date as the website evolves.
Test All Configurations: A cross-functional team including legal, marketing, and technology should test every opt-out option and configuration when the website is set up – and again whenever changes are made. This includes verifying that when a user makes a choice in one place on the website, that choice is honored everywhere else.
Maintain Logs: Organizations should keep records of user opt-out requests, including timestamps, so they can demonstrate compliance if challenged by a regulator or in litigation.
Review Frequently: As part of their settlement with California, Tractor Supply Company was required to check their tracking technology every quarter. However, for organizations with frequently updated websites – particularly B2C companies with loyalty programs, discounts, and new product features – quarterly reviews may not be sufficient. Some may need dedicated personnel focused solely on monitoring their website’s data practices.
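As an added illustration of the inventory and testing steps above (not code from the podcast or from KirkpatrickPrice), the following Python script uses only the standard library to list every third-party script, 1x1 tracking pixel and iframe in a page's markup, then reconciles that list against the vendors declared in the privacy notice and against the visitor's opt-out state. The HTML, the first-party host and all vendor hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample: markup a shop page might serve AFTER the visitor opted out.
# All hostnames are made-up placeholders, not real vendor endpoints.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-vendor.test/tag.js"></script>
</head><body>
<img src="https://pixel.example-ads.test/p.gif?id=123" width="1" height="1">
<iframe src="https://chat.example-bot.test/widget"></iframe>
</body></html>"""
FIRST_PARTY = "www.shop.test"
DECLARED_VENDORS = {"analytics.example-vendor.test", "chat.example-bot.test"}  # named in the notice

class TrackerInventory(HTMLParser):
    """Collects every third-party script, tracking pixel and iframe on a page."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.items = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlsplit(src).hostname or self.first_party_host  # relative URL = first party
        if host == self.first_party_host:
            return
        kind = tag
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            kind = "pixel"  # a 1x1 image is the classic tracking beacon
        self.items.append({"kind": kind, "host": host, "src": src})

def inventory(html, first_party_host=FIRST_PARTY):
    parser = TrackerInventory(first_party_host)
    parser.feed(html)
    return parser.items

def audit(html, opted_out, declared=DECLARED_VENDORS, first_party_host=FIRST_PARTY):
    """Flag vendors the notice never declared, and any vendor still loading after opt-out."""
    findings = []
    for item in inventory(html, first_party_host):
        if item["host"] not in declared:
            findings.append(("undeclared", item["host"]))
        if opted_out:  # once the user opts out, no third-party tracker should load at all
            findings.append(("loaded_after_opt_out", item["host"]))
    return findings
```

Running the audit on the same markup captured before and after the opt-out click, and on every page of the site rather than just the one carrying the banner, is what turns the "test all configurations" step into a repeatable check.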
What About International Privacy Laws?
In many respects, the United States lags behind the rest of the world when it comes to privacy rights. The UK operates under UK GDPR, the European Union under GDPR, and Australia, Japan, Brazil, and many other countries have enacted their own privacy laws, many modeled after GDPR. In a global economy, it is difficult for any organization to avoid the reach of one or more of these laws. A US-based website could face litigation under California law even if the business is headquartered in Florida, simply because a California resident visited and attempted to use the site. The risk of fines and lawsuits is effectively nationwide and, for websites operating internationally, even broader.
What Are the Biggest Emerging Privacy Risks for Websites?
Third-Party Marketing Vendors: When organizations use third-party marketing companies to manage their website, there can be a disconnect between what the organization intends the website to do and what it actually does. If the marketing company controls the tracking technology configurations, the organization may not be aware of what data is being collected.
AI and Chatbots: AI-powered chatbots are among the most common ways people now interact with websites, and they introduce a level of privacy governance complexity that exceeds that of a simple beacon or pixel.
Third-Party Tool Updates: Even if an organization has everything configured correctly, a platform like Google or Meta may change how a pixel or tracking tool functions, causing it to collect data the organization never intended to collect. Organizations must monitor their third-party tools for changes even when they have not made any changes themselves.
Mark’s overall advice: be vigilant and think like a user visiting your own website. Consider how you would want your data treated if it were being misused or sold to a third party without your consent.
Notes
In this episode, host Allie Krings sits down with Mark Hinely, VP of Privacy Assurance Services, to demystify website privacy. What does it really mean when you opt in – or opt out? What responsibilities do websites have when it comes to handling your data? And what actually happens when a website doesn’t follow through? Take a listen as they break down expectations, risks, and real-world implications.
At KirkpatrickPrice, we’re on a mission to help 10,000 organizations raise the bar for cybersecurity and compliance. If you’re going to invest in an audit, it should deliver real value. That’s why we partner with you from audit readiness to final report, ensuring you get the assurance you deserve.
Ready to strengthen your security and compliance posture? Connect with an expert today and learn how we can help you meet your toughest goals.