Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CCPA used to audit your policies and paperwork. Then came the Sephora settlement, and things moved to logs, runtime, and network reports. The company’s privacy policy said it didn’t sell consumer data. California’s AG ran the site, watched the cookies and pixels fire, and found that in reality, they did. Healthline followed in 2025. Then Disney in 2026. Different companies, common findings. Data gets collected and shared with third parties via tags. GPC gets ignored.

Three million patients. That’s how many had their most sensitive health information silently siphoned from hospital systems and handed to a party that had no authorization to receive it. The year was 2022. And what would become one of the largest unauthorized disclosures of protected health information ever documented didn’t arrive through a ransomware attack, a stolen credential, or a nation-state intrusion. It came from a piece of marketing software doing exactly what it was designed to do.

If your organization serves patients in both the United States and the European Union, two regulators, HIPAA and GDPR, are already watching your website. Specifically, what happens in the seconds between a visitor landing on your page and your analytics stack doing its job. In March 2024, OCR mentioned that even unauthenticated website interactions, like a user browsing your oncology content or typing into a symptom checker, can constitute PHI if the visit is for health-related purposes.

In 2024, the California Attorney General established a new standard for mobile app compliance after securing a $500k settlement with Tilting Point Media, owing to misconfigured SDKs in one of their games that led to inadvertent CCPA and COPPA violations. The issue? The misconfigured SDKs silently caused sales and the share of children’s data without parental consent. And despite the company’s argument that the misconfiguration was unintentional, the AG’s response set a precedent.

The largest CCPA settlement in California history isn’t a story about a company that ignored privacy. It’s a story about what happens when doing the right things isn’t the same as making sure the right things have been done right.

For marketing, a JavaScript tag is a growth lever. Something that’ll allow your business to target the right people, run personalized campaigns, and onboard more customers with less spend. For your security team, though, it’s a different story. The third-party scripts and tags on your pages can be a shadow PHI disclosure pipeline that quietly avoids detection, sidesteps your server-side controls, and transmits sensitive member data to third parties without triggering a single alert.

Most websites host tracking systems that change continuously, tag by tag, pixel by pixel, version to version, often without anyone in privacy touching a line of code. Marketing adds a session replay script through the tag manager. Vendors quietly push updates to the tags. By the time it’s noticed in the next periodic review, the damage is done. Drift in tag behaviour leads to consent violations. And tracking scripts load and process data despite GCP signals.

So your team just uncovered a GDPR tracking violation, a consent anomaly that, after a deeper look, turns out to be a pixel firing regardless of consent state.” From the looks of it, it’s definitely an ePrivacy violation. But the harder question, the one you now have to race against time to answer, is whether this is also a notifiable breach under GDPR. For that determination, you now have 72 hours. One gets fixed with a tag manager update and a stern email to marketing.

U.S. state privacy compliance now operates in an environment that doesn’t stand still. The number of state laws keeps growing, and their requirements continue to evolve through new effective dates, amendments, and guidance. By January 2026 alone, Indiana, Kentucky, and Rhode Island added three more state privacy laws. This makes one thing clear. Compliance is no longer something you implement once and revisit periodically. It has to stay accurate as the requirements keep shifting.

The skimmer doesn’t go inside the iframe. It doesn’t need to. In every significant payment page compromise of the last decade, the malicious code sat on the merchant’s page, outside the payment component entirely, watching form submissions, intercepting keystrokes, reading values before they ever reached the provider’s sandbox. This is the architecture SAQ A-EP merchants live in.