How to Protect Data Privacy in Cybersecurity for End-Users
Privacy is a fundamental human right, one that is increasingly protected by compliance restrictions around the globe, including regulations for data privacy in cybersecurity. A good bot management solution will make every accommodation to respect your end-users’ privacy while also supporting the optimal user experience. Best practices are to ensure your platform and security solutions are compliant with as many data privacy regulations as possible.
Some of the many data privacy laws DataDome complies with around the globe:

When processing data, there are key factors that online fraud and bot management providers must focus on to stay compliant with global privacy regulations. We have organized them into three pillars:
At DataDome, our team is fully committed to protecting the privacy of all humans within our purview—including our customers’ end-users. Our commitment to providing a data privacy compliant solution is unequivocal and firm—a commitment reflected in our Service-Level Agreements (SLAs) and Data Processing Agreements (DPAs).
It’s why every touchpoint, algorithm, and customizable rule created by DataDome prioritizes data privacy as much as security and performance. It’s also why we want to share our approach to privacy to help you in your efforts to protect your data and customers.
A Bit of Background
Before we dive into our pillars of data privacy, let’s review some key landmarks in data privacy regulation:
GDPR (General Data Protection Regulation) Implementation
May 25, 2018 is a date every lawyer knows. It’s the date the General Data Protection Regulation (GDPR) was implemented in Europe.
GDPR is the toughest privacy and security law in the world, drafted and passed by the European Union (EU). As the highest, leading standard on privacy protection, GDPR lays a strong foundation for data privacy requirements worldwide.
At the end of 2020, 106 countries had national regulations (many inspired by GDPR) for the protection of personal data applying to all sectors of activity. Businesses and platforms must comply with the national and local privacy regulations (such as CCPA in the US and PDPA in Australia) for all locations where their products and services can be accessed by users.
French Regulator Commission Nationale de l’Informatique & des Libertés (CNIL) Challenges Google ReCAPTCHA
On July 15, 2020, the Commission Nationale de l’Informatique & des Libertés (CNIL) in France raised the issue of Google reCAPTCHA’s failure to inform and obtain consent from end-users to process their data within applications.
Google specifies in its documentation that reCAPTCHA can collect user data that is “transmitted to Google for analysis” (i.e. for purposes different from security—the perceived purpose of reCAPTCHA) and that companies using reCAPTCHA must inform and obtain the consent of end-users for processing their data.
The CNIL discovered that users of some applications were not informed or asked for consent at any time—not upon opening the apps or later in the users’ journey—for the collection of information stored on their mobile equipment. Users were also given no means of refusing the collection of their data.
The purpose of reCAPTCHA’s user data collection is not clearly defined by Google, but the tool could be linked to Google Analytics, among other things. Google reCAPTCHA collects users’ IP address, browser language, number of clicks, list of plugins, cookies deposited by Google in the last six months, and the JavaScript objects on the page.
The lack of notification and consent is still an issue for platforms using reCAPTCHA today, violating the privacy of the end-users. The CNIL criticizes organizations that lack any impact analysis on their use of reCAPTCHA.
Recommendations
Since the purposes of reCAPTCHA’s data collection are not precisely defined, it is difficult to imagine how user consent—if collected—could meet the GDPR requirements of being “free, specific, informed, and unambiguous.” Therefore, to be GDPR compliant, companies have no choice but to turn to alternative solutions.
The GDPR obligation to collect “free, specific, informed, and unambiguous” consent from each end-user can only be bypassed if solution providers (like DataDome):
- Apply a principle of strict minimization of the data collected by the technology.
- Do not use data collected for any purpose other than securing the customer’s site, app, service, or platform.
- Integrate the data processing via CAPTCHA technology into processing carried out as a subcontractor of the client (contractual clauses of article 28 of the GDPR).
- Remind customers of their obligation to inform end-users of the technology.
- Carry out an impact assessment that can be provided to clients upon request.
3 Pillars of Data Privacy

1. Data Collection
There are a few essential data collection measures that bot protection providers can take to maintain data privacy compliance:
Collect minimal data from users.
By design, cybersecurity solutions should limit the type of sensitive data required to operate effectively. For example, DataDome does not collect end-users’ International Mobile Equipment Identity (IMEI) or details such as name, email address, credentials, phone number, payment information, form information, etc.
(DataDome discloses all the data collected by our solution in the documentation on our website. We only gather the absolutely necessary data, which is protected with the highest security standards and used solely for detection and security. We never use data for any purpose other than security, nor do we share data with any third party.)
Encrypt all customer integrations.
As a best practice, DataDome maintains end-to-end encryption for all communications with our customers’ third-party environments. Encryption between third-party user dashboards and DataDome uses a SHA256RSA encryption algorithm. Encryption between customers’ web servers and DataDome’s API uses a SHA256RSA encryption algorithm.
Process all data at the edge, without any outsourced data processing.
Whenever possible, solution providers should avoid outsourcing data processing to third parties. If any third-party handling of data is necessary, it must be clearly communicated, documented, and consented to by the customer.
(DataDome has always met the above requirements and is compliant with privacy by process and by design. Our only purpose for deploying our proprietary technology is to protect our customers.)
Qualities to look for in your solution provider:
- High standards of security and encryption.
- Full transparency of the data collected.
- No consent required from end-users (due to the nature of the data collection being for security purposes only).*
*Note that because Google reCAPTCHA uses data collected for reasons other than security, businesses using reCAPTCHA must provide a data collection opt-out for end-users in order to fully respect the GDPR. The required opt-out makes it easy for bots to bypass reCAPTCHA.

2. Data Retention
Data retention measures you should expect from your bot protection provider for data privacy compliance include:
- Designated PoPs for data storage.
- 30-day default retention period for data collected.
- Customizable retention period to adjust if required.
Solutions like DataDome that serve an international customer base must be able to guarantee that all data will be processed and stored at a regional or local scale in the correct, closest PoP to be compliant.
Another key feature to look for is custom time limit options for data storage. For example, DataDome’s default retention period (30 days) can be adjusted by our customers through their dashboard or with help from our success team.
GDPR’s Data Minimization Principle
GDPR provides a great example of why the ability to change your bot management solution’s data retention period to accommodate regulations is important:
The data minimization principle expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725 states that personal data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.”
DataDome guarantees that all data collected by our solution is used only in the context of the security service we provide and is retained within a time frame respectful of the data minimization principle.
Store all collected data using high-performing security standards.
In order to meet best practices and achieve GDPR compliance, any data collected by a bot and online fraud protection solution must be stored using high-performing security standards. At DataDome, our security standards include Tier 3 data centers, HTTPS connections, OAuth2 authentication delegation, and encryption (TLS/IPsec VPN).

3. Data Usage
We can’t emphasize enough the importance of data usage in complying with GDPR and similar regulations. Your bot and online fraud protection vendor should provide a 100% guarantee that they only process data for security purposes.
Here are a few of the benefits DataDome unlocks by using data for security only:
- DataDome’s CAPTCHA does not require end-user consent for data collection.
- Our relationship with customers is built on trust, and we also help our customers nurture trust with their end-users.
- Our bot detection engine continuously improves based on the signals collected through our CAPTCHA.
Our customers are able to analyze their traffic, threats, and CAPTCHA passes/fails through our dashboard. They can then choose to consult with our SOC team and refine the response rules if needed.
DataDome’s Commitment to Data Privacy Compliance
DataDome’s Service-Level Agreements (SLAs) and Data Processing Agreements (DPAs) are strong testaments to our dedication to data privacy compliance.
DataDome’s SLAs contain:
- Our long-term commitments regarding the various data privacy regulations DataDome complies with.
- Our liability commitments regarding customers’ data availability.
- Details of our format and deadline commitments for the transmission of data to the customer.
Our DPAs provide detailed information regarding:
- The description of our processing—the service provided, the nature of the processes performed, the purpose and duration of the processing, the data processed, and the data subject categories involved in the process.
- The measures we have implemented to ensure the confidentiality and security of the data processed.
- The specification of the DataDome cookie, which is part of our solution.
Privacy and Trust Go Hand-in-Hand
At the end of the day, compliance with laws that protect users’ data privacy in cybersecurity will help build customers’ trust in your brand. Trust is the fabric of online interactions (and transactions).
Businesses need to trust that real humans are interacting with them, and users need to trust that their data won’t be compromised. In today’s online-first economy, data privacy continues to be a top priority and concern among digital commerce enterprises and their customers.
Make sure you can trust your bot and online fraud management solution (and your CAPTCHA provider) to prioritize your end-users’ privacy as much as you do. DataDome will always maintain our standards and work with the best law firms globally to ensure the highest levels of compliance.
DataDome CAPTCHA guarantees our customers can rely on a single, trusted provider for their whole protection journey.