As businesses race to enhance customer experience with third-party tools, GDPR’s consent requirements have a critical blind spot: the growing threat of script-based data theft. Rui Ribeiro, CEO and co-founder of Jscrambler, sounds the alarm.
It has been just over six years since the General Data Protection Regulation (GDPR) officially went into effect. Adopted by the European Parliament and the Council of the European Union, GDPR was created to give individuals greater control over their data and, more specifically, assurance that their personal information would not be used by or shared with anyone, or for any purpose, other than what is required to provide a service. GDPR also gives people the power to refuse consent or to ask to be forgotten, with any business in the European Union (EU) found in violation being held accountable.
Since its introduction, GDPR has certainly helped raise awareness of data privacy and of the need for businesses to adopt stronger protection measures and privacy policies. Many onlookers might declare the regulation a success based solely on the heavy fines levied on violators. These include Meta, which holds the record for the largest GDPR fine ever issued, at $1.3 billion in 2023. Other penalized businesses include Amazon ($780 million), TikTok ($377 million), WhatsApp ($247 million), Google ($99 million), H&M ($39 million) and more.
But once you get past these high-profile violations, it becomes clearer that GDPR has underdelivered and that there is still work to be done if we want to achieve the regulation’s original mission. A good place to start is GDPR’s consent form requirements, which are used to obtain explicit permission from individuals to collect and process their data in compliance with the regulation. Forms must answer the following questions:
- Why is the data being collected and how will it be used?
- What specific types of personal data are being collected?
- What organization is collecting the data and which, if any, third parties will have access to it?
- Does the individual understand specifically what they are giving consent for?
While the answers to these questions and others may have seemed sufficient at the time, they now miss the mark for a few reasons. For starters, we now know about a phenomenon called “consent fatigue.” People today constantly receive requests to provide consent for data collection and processing activities. Adding insult to injury, these forms are complicated, and over time, rather than reading the fine print, recipients blindly sign off on requests without giving them much thought.
Another shortcoming is that these forms do not account for the technological advances of recent years. With the introduction of applications like chatbots and payment solutions, businesses can dramatically improve customer experiences, but this can come at a cost. To roll out these applications, businesses must add third-party scripts to their websites. The devil is in the details: companies often don’t realize that these scripts can access forms and data outside their intended business purpose, which is precisely what GDPR was designed to prevent. The scripts can also be viewed and manipulated by malicious actors looking to gain access to highly confidential information, including intellectual property (IP) as well as customers’ personally identifiable information (PII), credit card data and more.
Scripts can be viewed and manipulated in various ways. One possibility is digital skimming, the theft of sensitive data that users enter into web forms. This data can include payment information taken from online checkout pages as well as PII. In 2023, T-Mobile revealed that 37 million customers had their personal and account information accessed in a digital skimming attack. More recently, MGM Resorts International was the victim of a digital skimming attack that ultimately cost the business $100 million.
A related example is the web supply chain attack. In this case, the JavaScript of a third-party add-on is compromised, and all of its downstream users suddenly face the risk of data theft. According to Gartner, 45% of organizations worldwide will have experienced attacks on their software supply chains by 2025.
This trend will only intensify, with AI now powering a new generation of attacks, making them more sophisticated, more insidious and harder to detect than ever before.
So, where does this leave businesses that must live up to their GDPR commitments? Companies must step up their efforts, which means going beyond consent by regaining control over their first- and third-party JavaScript environments. This is more than a recommendation; it’s a necessity for any business looking to ensure data security and maintain GDPR compliance.
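One concrete starting point for regaining control over a site's third-party JavaScript is a build-time audit of every script tag against an approved-vendor list, with Subresource Integrity (SRI) required on each external script so that a modified vendor file is refused by the browser. The snippet below is an added example, not code from the article or from Jscrambler; the vendor origins, the sample HTML and the `.invalid` hostnames are constructed for illustration.

```javascript
// Hypothetical allowlist of third-party script origins approved after review.
const APPROVED_ORIGINS = new Set([
  "https://cdn.example-chat.invalid",     // hypothetical chatbot vendor
  "https://js.example-payments.invalid",  // hypothetical payment provider
]);

// Constructed sample page: one compliant script, one without SRI,
// one from an unreviewed vendor, and one inline script.
const SAMPLE_HTML = `
<script src="https://cdn.example-chat.invalid/widget.js" integrity="sha384-abc" crossorigin="anonymous"></script>
<script src="https://js.example-payments.invalid/v1/pay.js"></script>
<script src="https://analytics.unknown-vendor.invalid/tag.js" integrity="sha384-def"></script>
<script>window.dataLayer = [];</script>
`;

// Returns one finding per script tag that violates the policy.
function auditScripts(html, approved) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) {
      findings.push({ src: "(inline)", issues: ["inline script cannot be allowlisted by origin or pinned with SRI"] });
      continue;
    }
    const issues = [];
    // Absolute http(s) URLs are third-party candidates; relative paths are first-party.
    const origin = /^https?:\/\//i.test(src) ? new URL(src).origin : null;
    if (origin && !approved.has(origin)) issues.push(`origin ${origin} is not on the approved vendor list`);
    if (!/\bintegrity\s*=/i.test(attrs)) issues.push("missing integrity attribute: a modified vendor script would still load");
    if (issues.length) findings.push({ src, issues });
  }
  return findings;
}

// Builds the matching Content-Security-Policy script-src directive from the allowlist.
function cspScriptSrc(approved) {
  return "script-src 'self' " + [...approved].join(" ") + ";";
}

for (const f of auditScripts(SAMPLE_HTML, APPROVED_ORIGINS)) console.log(f.src, f.issues);
console.log(cspScriptSrc(APPROVED_ORIGINS));
```

Running this in CI against rendered templates blocks a deploy that adds an unreviewed vendor or drops an integrity hash, and the generated directive keeps the server-side CSP in step with the same list.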