Like most evaluation efforts when a massive change happens, we start with an audit. Document all of the channels you use, plan to use, are investigating using or/and have used in the last 12 months (to account for changes with seasonality). 

Supplement this list by using third party tools like Wappalyzer to identify any pixels, code, plugins, etc., that may be on your website.

PRO TIP:

It is important not to skip this part. We cannot tell you how many clients have told us that they removed a software but we still saw live tags in GTM or hard-coded on their website There are also many plugins that our clients didn’t even know existed that we were able to identify (and actually remove if needed) through using these tools.

At least in the initial stage, it’s important for marketers to know what applies to them. Covered entities are always beholden to HIPAA, but health-adjacent companies and non-covered entities also need to be aware of the FTC and state laws, where applicable. Most states require companies to reach a number of annual visitors or/and meet a specific revenue goal in that state before they are required to comply, but it does vary. IAPP is a great resource for keeping up with those details. 

First, conduct a monthly traffic report for the last 12 months, and separate out by state. 

• Add Europe to confirm if GDPR needs to be included

Under the state(s) that are relevant to your company, review the following:

• Are companies who follow HIPAA excluded from compliance? If so, and you are a covered entity, then the state’s laws likely do not apply
• How does the state describe “sensitive information”? This can include marital status, sexual orientation and other non-health-specific (but very personal) information. 
• Is consent required from users before any data can be collected (i.e., before any tags are fired)? If so, how is “consent” defined?

You will probably find a lot of softwares that can be excluded from further investigation, like Javascript libraries, fonts and some plugins. But there will be a host of others that, either by nature of the platform or based on your implementation, will cause some issue with privacy – specifically with the “selling” (or sharing) of personal information. 

Below is a guide for the kinds of platforms we have seen make the priority list:

• Analytics tools (i.e., Google Analytics, Mixpanel, Piwik Pro)
• Advertising platforms (i.e., Meta, Google Ads)
• User Experience tools (i.e., Optimizely, Medallia, Lucky Orange, Crazy Egg)
• Website Servers, Hosts, CDNs (i.e., Kinsta, WP Engine, Cloudflare) 
• Customer Relationship Managers/CRM (i.e., Hubspot, Salesforce)  
• Video Embeds (i,e. Wistia, YouTube)
• Product Review platforms (i.e., Yotpo)
• Data Visualization tools (i.e., Marketing Cloud Intelligence (Datorama), Looker Studio)

If this list freaks you out, we see you. It looks like EVERYTHING is a priority! So we broke it down even further to prioritize based on the intent of how the platform is using that data, which makes the list looks a bit more manageable: 

Priority 1: Data shared with additional third parties or/and includes sensitive information

• Analytics tools
• Advertising platforms
• Video Platforms or Embeds 
• Product Review platforms

Priority 2: Data necessary to perform function

• User Experience tools 
• Website Servers & Hosts) 
• Customer Relationship Managers/CRM
• Data Visualization tools 

Ok, that probably still makes your heart race, but what’s important to keep in mind is that the biggest concern for these platforms is based on the information being shared and how. Tools like your Website CMS by nature need to collect IP addresses, so while your company is sharing that “personal” information with a third party, it might not be a big risk for your company since that access is required to work. 

Why do we say that? Although an IP address is still considered PII, it’s not nearly as personal (i.e., 1-to-1) as a diagnosis, a name, or an email address. This is why it’s essential to work with your legal team to determine what platforms are riskier than others based on the agreements in place.

As a marketer, your first instinct may be to say that all of these softwares, tools and platforms are necessary. And that might be the case. In our experience, however, there are usually software or tactics that are duplicative or have a more compliant alternative. Think critically about what your marketing is doing for you and embrace the opportunity for refinement that you now have.  

Here are some questions to ask yourself while evaluating the priority tools:

• Has this tool provided me with information that helped me improve a marketing tactic or initiative? 
• Has this tool impacted my bottom line? Is it a tool that has generated leads or improved customer experience? What data do I have to prove it?

If you said “no” to either of these questions, definitely consider removing those tools and tactics and you’ll be on your way to a cleaner, more compliant marketing plan and website. If you responded yes to any of these questions, then the next step is an important one – so keep reading! 

PRO TIP:

Consider if any of the tools are duplicative. If you can consolidate tools to limit the number of third party tags and tools on your website, we would always recommend doing so.

This is the big one – the future of your marketing activation and evaluation. This last part will take some time and collaboration from your organization and marketing partners. The main question here is how you can modify the implementation or replace the tool to improve compliance. Some tools may offer anonymization, for example, which would be worth exploring. 

Each marketer will implement various tools in various ways (too many variables for this post!). Here are a few best practices that helped us get our clients up to par (without losing their minds). 

• Get Business Associate Agreements (BAA) in place for the platforms that have access to your customer’s PHI. Not all of them will sign one (we’re looking at you, Google and Meta), but those that will sign one should be looked into.
• Consider moving to server-side analytics
  • Pixels are helpful and make optimization really easy and automated. But they are also a primary culprit in why advertising and analytics platforms can be risky. Moving to server-side analytics or incorporating a Customer Data Platform (CDP) might be the way to go if you have the proper IT infrastructure and resources in place. 
  • Moving to server-side doesn’t automatically absolve your website of data privacy concerns, but it could be the first step in a privacy-forward approach to data collection and storage.
• Remove pixels and rely more on manual UTMs and short links. It might seem like a step back for senior marketers, but ensuring that Meta, Google, Microsoft and other advertising platforms have no access to user data is a critical component to compliance, especially for platforms that don’t have the option of a BAA or updated terms.
• Take an extra step in updating tag configurations and settings for tools and platforms that offer such settings, to anonymize or remove specific PII from website visitors
  • Be sure to confirm what they mean by anonymization, and that they don’t really mean pseudonymization. Also, be sure to confirm that data is anonymized before it’s shared and that the third party in no way has access to the actual data). 
• Make sure consent banners and your website’s Privacy Policy have been updated to account for what website data is shared and how (and what privacy regulations you need to follow).

PRO TIP:

If you’ve not done so already, this is the time to make absolutely sure your legal team is aware and involved in these discussions. With the number of nuances with HIPAA privacy, it’s critical that your company’s legal team has the opportunity to engage and provide input on updates, specifically on privacy policies and  the company’s overall data privacy approach.

Once these changes are in place, consider the next 30-60 days as a trial period. Are you missing any data for evaluation? Any new questions arising with the data you can see? It’s a good reminder that any change that you make will take some adjusting, but that doesn’t mean insights can no longer be found.

PRO TIP:

Don’t forget to update your data visualization dashboards to account for any new placements, accounts or configurations!