While it’s common for companies to think that simply having a data privacy policy is enough to meet privacy law requirements, a strong privacy program involves much more than what’s visible on the “stage.” Behind the curtain, businesses must navigate a complex web of legal obligations.

Much of the work required is guided by hidden compliance mechanisms that protect your business, including managing third-party vendors, executing data-processing agreements, conducting privacy impact assessments and properly configuring website tracking technologies. These behind-the-scenes efforts play a crucial role in safeguarding consumer data and helping businesses steer clear of legal trouble.

Act I: Vendor Management and Data-Processing Addendums

Every business relies on vendors, cloud providers, marketing platforms and payment processors, but not every business realizes that these relationships can trigger privacy law obligations.

Under state privacy laws such as the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), disclosing personal data to a vendor without the contractual terms the statute requires can be treated as a “sale” or “sharing” – triggering consumer opt-out rights. Other state laws similarly give consumers the right to opt out of the sale of personal data and of targeted advertising.

To stay compliant, businesses must:

  • Conduct due diligence to assess vendor risk, capabilities and access to personal data.
  • Classify vendors correctly as service providers, contractors or third parties.
  • Execute Data Processing Addendums (DPAs) that include statutorily required terms.
  • Limit liability by ensuring vendors are contractually bound to comply with privacy laws.
  • Ensure vendors have security incident response protocols and timely breach-notification procedures.

These contracts are not mere formalities – they are shields that protect your business from downstream violations.

Act II: The Chain of Data

Think of personal data like a baton passed from one “runner” (entity) to another. From collection to processing to storage, each handoff must be documented and justified. This “chain of data” is scrutinized under privacy laws, especially when data is transferred across borders or used for profiling and targeted advertising.

Businesses must map their data flows and understand:

  • where data originates and where it goes;
  • who has access and under what conditions;
  • for what purposes the data is being processed;
  • who determines how and why the personal data is processed, with clarity as to each party’s role regarding the data;
  • whether any transfers constitute a “sale,” “sharing” or “targeted advertising” under applicable laws; and
  • how long data is retained, and whether data retention aligns with the business’s legal and regulatory obligations.

Businesses need to further build on their data-mapping efforts by developing internal processes capable of responding to privacy inquiries and consumer privacy requests. There should be a clear, documented procedure for receiving, verifying and responding to these requests within required timeframes.

Businesses should account for how individuals can submit requests, such as through a dedicated webform, email or account settings. It’s also important to designate a team or individual to oversee the process, track and log requests, protect against unauthorized disclosures, and use automated tools that are tested and validated.

Without this clarity and proper internal procedures, companies risk non-compliance and enforcement actions, as seen in high-profile cases like the Sephora settlement under the CCPA, in which the California Attorney General alleged that third-party tracking on Sephora’s website amounted to undisclosed sales of personal data and that Sephora failed to honor opt-out signals sent through Global Privacy Control.

Act III: Data Privacy Impact Assessments

Data Privacy Impact Assessments (DPIAs), which statutes such as the Colorado Privacy Act and Virginia’s Consumer Data Protection Act call “data protection assessments,” are the unsung heroes of privacy compliance. These assessments evaluate the risks of processing personal data and are required for processing that presents a heightened risk of harm, such as targeted advertising, the sale of personal data, certain profiling and the processing of sensitive data.

A DPIA should:

  • Identify the purpose and scope of data processing.
  • Assess potential risks to individuals.
  • Evaluate the necessity of data processed and the proportionality of security and data protection measures.
  • Recommend safeguards to mitigate those risks.
  • Include approvals from various stakeholders.
  • Be updated when new tools or platforms, such as artificial intelligence systems, are introduced or deployed.

Conducting DPIAs is not just about compliance – it’s about demonstrating accountability and foresight.

Act IV: Cookies, Pixels and Consent Management

The curtain rises on your website, and the first thing users see is often a cookie banner (or lack thereof). But what lies behind the curtain and how the “actors” behave backstage is key.

Cookies and tracking pixels are powerful tools for analytics and advertising, but they collect vast amounts of personal data. Under most current privacy laws, businesses must:

  • Clearly disclose tracking technologies.
  • Configure cookie consent tools to be user-friendly, avoid manipulative dark patterns and meet jurisdictional requirements.
  • Obtain valid consent before deployment (for example, prior opt-in consent under EU and UK cookie rules) or offer the required opt-outs (for example, opt-outs of sale, sharing and targeted advertising under U.S. state laws), depending on the user’s location.
  • Honor user preferences, including universal opt-out signals sent by the browser such as Global Privacy Control (GPC), which is transmitted as the Sec-GPC: 1 request header and exposed to page scripts as navigator.globalPrivacyControl; California and Colorado, among other states, require businesses to treat it as a valid opt-out.

Failure to manage these tools properly can result in costly enforcement actions and reputational damage.
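As an added example (not the article’s own text or code) of what “honoring GPC” looks like in practice, the following consent gate decides which tracking tags a page may load from the visitor’s stored consent and the GPC signal. The Sec-GPC header and navigator.globalPrivacyControl are the real signals; the three tag categories, the JSON “consent” cookie format and the tag registry are assumptions made for illustration.

```javascript
// Added example (not from the article): a minimal consent gate for tracking tags.
// GPC is sent by browsers as the request header "Sec-GPC: 1" and exposed to
// scripts as navigator.globalPrivacyControl. The tag categories, the "consent"
// cookie format and the tag registry below are assumptions for illustration.

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(value);
    } catch {
      out[name] = value; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// True when the visitor has GPC enabled. Accepts either server-side request
// headers (case-insensitive "Sec-GPC") or a browser navigator object, so the
// same logic can run at the edge/server or inside the page.
function gpcEnabled({ headers = {}, nav = null } = {}) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  if (nav && typeof nav.globalPrivacyControl === 'boolean') {
    return nav.globalPrivacyControl;
  }
  return false;
}

// Decode the stored consent record. A missing or malformed record is treated
// as "no consent given", never as consent.
function readConsent(cookies) {
  try {
    const parsed = JSON.parse(cookies.consent || '{}');
    return parsed && typeof parsed === 'object' ? parsed : {};
  } catch {
    return {};
  }
}

// Map consent state plus GPC to the set of tag categories allowed to load.
//  - necessary:   always (strictly necessary cookies need no consent)
//  - analytics:   only with an affirmative opt-in
//  - advertising: only with an affirmative opt-in AND no GPC signal; GPC is a
//    universal opt-out of sale/sharing/targeted advertising and overrides a
//    previously stored opt-in.
function allowedCategories(consent, gpc) {
  const allowed = new Set(['necessary']);
  if (consent.analytics === true) allowed.add('analytics');
  if (consent.advertising === true && !gpc) allowed.add('advertising');
  return allowed;
}

// Hypothetical tag registry: every third-party script is classified up front,
// so nothing loads without a recorded category.
const TAGS = [
  { id: 'session-manager', category: 'necessary', src: '/static/session.js' },
  { id: 'web-analytics', category: 'analytics', src: 'https://analytics.example/a.js' },
  { id: 'ad-pixel', category: 'advertising', src: 'https://ads.example/pixel.js' },
];

// Returns the ids of tags that may load for this request plus whether GPC was
// honored, so the decision can be logged for later audit.
function selectTags(request) {
  const cookies = parseCookies(request.headers.cookie);
  const gpc = gpcEnabled({ headers: request.headers, nav: request.nav });
  const allowed = allowedCategories(readConsent(cookies), gpc);
  return {
    load: TAGS.filter((t) => allowed.has(t.category)).map((t) => t.id),
    gpcHonored: gpc,
  };
}

// Constructed sample requests (not real traffic).
const consentCookie = 'consent=' + encodeURIComponent('{"analytics":true,"advertising":true}');
const optedIn = { headers: { cookie: consentCookie } };
const optedInWithGpc = { headers: { cookie: consentCookie, 'Sec-GPC': '1' } };
const firstVisit = { headers: {} };

console.log('opted in:', selectTags(optedIn));
console.log('opted in + GPC:', selectTags(optedInWithGpc));
console.log('first visit:', selectTags(firstVisit));
```

The design point is the asymmetry: an affirmative opt-in is required before anything beyond strictly necessary tags loads, while a single GPC signal is enough to switch advertising tags off even when an older opt-in is on file. Logging the gpcHonored flag alongside the decision gives you the evidence trail an inquiry or audit will ask for.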

Final Act: Keeping the Script Updated

Privacy laws evolve rapidly. States like California, Colorado, Connecticut and Minnesota have enacted or proposed new regulations, and state and federal agencies like the Federal Trade Commission are stepping up enforcement. Businesses must treat privacy policies, vendor contracts and internal procedures as living documents to be updated and enhanced over time.

Best practices include:

  • At least annual reviews of privacy policies and notices.
  • Regular audits of vendor relationships and data flows.
  • Annual awareness training so employees understand and adhere to privacy obligations.
  • Cross-departmental input involving IT, legal, security and marketing to catch any privacy blind spots.
  • Proactive updates in response to legal changes.

Encore: Why It Matters

Privacy compliance is not just a legal obligation – it’s a strategic advantage. By managing what happens “behind the curtain,” businesses can build consumer trust while also reducing legal risk.

If your business needs help ensuring its privacy program is “ready for the spotlight” (e.g., navigating this complex landscape with tailored solutions that align with business goals), please contact Chiara Portner or Bushra Samimi, or your regular Lathrop GPM attorney.