If you receive and process personal data from third-party sources, Sentrio will scan them, score them, and report on them at the scale you need.
Sentrio is the tool for verifying third-party data compliance: at scale, in real time, and over time.
This newsletter sets out some of the insights we have gained from analysing privacy policies recently, looks at how Sentrio can have a role in due diligence, and finally reviews important developments in global data protection laws.
Sentrio is a tool which helps audit and monitor your data sources by analysing and scoring 100s or 1000s of Privacy Policies at scale.
In the past months we’ve noticed the following:
- High-scoring Privacy Policies almost always mention “consent”; low-scoring ones usually do not. Other legal bases are available, but consent seems to be the one most commonly mentioned in the Policies analysed; “legitimate interests”, for example, is not seen as often. Let's remember that the ePrivacy Directive requires consent for cookie collection and storage, and that the leading supervisory authorities have clearly stated that we must receive consent before setting and using any cookies (except strictly necessary cookies). It is therefore no surprise that we find a correlation between data protection compliance and websites whose privacy policies acknowledge that consent is an important factor. To us, privacy policies are not only a "test of transparency"; they are also the best indicator of the compliance work of the data source, publisher or website.
- Across the thousands of Privacy Policies we’ve seen, the most common area covered relates to data use through cookies, whether for advertising or analytics. Possibly this explains the focus on consent referred to above. In spite of the ever-delayed demise of cookies, and Chrome's postponements of third-party cookie deprecation, cookies remain the currency of the digital industry... for now.
- Google and Microsoft are frequently mentioned. It seems positive that major processors are being disclosed. However, it seems a surprise that Amazon/AWS is not currently high on this list in the Policies that we have analysed.
We’ll continue to analyse trends and good practices in Privacy Policies as we build an ever-growing portfolio of Privacy Policies. Contact us for a demo or further information on how Sentrio can help you fulfil your data protection compliance obligations and assess and mitigate your third-party data risks.
Recently, we have been seeing a lot of M&A activity in adtech, and financing activity for all types of tech. Data processing and security are a core part of nearly all due diligence questionnaires these days, particularly where third-party data is used. Every due diligence exercise includes a substantial section dedicated to privacy and data protection. These sections used to focus on general practices, security, and documentation. Recently they have become more exhaustive and all-encompassing. Potential buyers or investors are increasingly inquisitive about the approach and efforts made with regard to due diligence of data partners. Sentrio is a unique automated tool which enables us to give a positive answer to that question.
In addition to giving a snapshot of the general state of compliance of all third-party publishers and data partners, using Sentrio also sends a positive signal that the company has taken steps to monitor, flag, and follow up any possible problematic data sources.
Sentrio is most often used on an ongoing basis to manage data providers, warn of any issues, and enable clients to take action to improve data quality and reduce compliance risks. However, it can equally be used as a due diligence tool to provide data for a particular transaction. Contact us if this would be useful for your transaction or business.
In July 2022, further progress was made towards a pan-US data privacy act. The revised draft American Data Privacy and Protection Act advanced to the next stage after a near-unanimous vote in the House Committee on Energy and Commerce.
The legislation would make “covered data” subject to obligations including data minimization and opt-outs, e.g. for transmission to third parties or for targeted ads. “Sensitive covered data” (e.g. various familiar special categories of data, but also precise location data and video and web browsing data) would require affirmative express consent for collection and use.
The draft sets out mandatory information to be included in Privacy Policies and would oblige certain large data holders to publish short-form notices of data processing practices to consumers.
It is impossible to predict whether the American Data Privacy and Protection Act will be passed before the Midterm elections in November 2022, and whether the new Congress will look at it with the same urgency. On the other hand, it seems clear to us that, until Federal legislation is passed, digital companies will have to deal with an increasingly complex patchwork of State laws (recently California, Virginia, Colorado, Utah and Connecticut have all adopted stricter data protection legislation), even if the principal “by-default” law for thousands of digital companies is still California’s CCPA/CPRA.