Even before the pandemic hit and everyone flocked online, companies were investing significant time and resources in building great online experiences for their users. But all that usability comes with a price tag in terms of risk. Today's websites are essentially a conglomeration of Web-enabled assets, a massive global supply chain that nobody really thinks about in this way. And that's a big data-privacy problem that's about to get a lot bigger.
What happens when the same applications and integrations that deliver rich user experience and insights share that sensitive information with third, fourth, or fifth parties outside your organization's control? You can get an idea by looking at dating site Grindr and a pending €10 million fine for sharing user data with advertising companies without the consent required under the General Data Protection Regulation (GDPR).
Are website owners really doing enough to protect users and understand these emerging risks?
Start Caring About Oversharing
Forms found on 92% of websites expose data to an average of 17 domains — climbing to 20 if you happen to be a top mobile service provider in the European Union, where (depending on the country) passport scans and copies of pay slips are among the documentation requested to sign a contract. That's a lot of oversharing. And what about the multiple trusted applications on your site — Google Ads, chatbots, etc.? While many of these applications are set to collect data, many organizations aren't aware of the exact kind or extent of the data they're collecting.
Can you genuinely claim to know exactly where all this data is flowing? Do you know:
- Which vendor has access to what sensitive data?
- Which vendor reads sensitive data?
- Which vendor shares sensitive data with other vendors?
Because if you don't, you should. Regulations, including GDPR and the California Consumer Privacy Act (CCPA), require enterprises to be aware of where sensitive data is flowing, as well as the purpose of these data flows.
Why It Matters
Unintentional data exposure is a significant, unaddressed problem for most of the world's website owners. When we fail to secure data as it's entered into websites, we're effectively leaving it hanging: the only reason it's not being stolen is that criminals haven't taken it. Yet.
Equally, when we overlook the need to understand how trusted applications share data, we run the risk of simply giving it away — without our users' consent.
Everyone talks about security in depth, security beyond the perimeter, and data privacy. It's time to focus on the place where those things intersect: the browser.