How Marketers Are Unknowingly Giving Third-Parties Access to their User Data

Tags: a blessing and a curse

For the marketing team at Crownpeak, we have never spent much time thinking about the ramifications of adding tags to our website. Instead we’ve focused on how we benefit from the enhanced reporting and targeting we’re able to do as a result, and the valuable insights we’ve gained about our website visitors.

We have accepted that as we build this dream team of a tech stack to help us optimize our inbound demand gen programs, run retargeting campaigns, and gather user behavior intelligence, we will need to add more tags to our websites.

It wasn’t until we acquired Evidon, a leader in digital governance, privacy and compliance, last year that we started to look at the tags on our website with a more critical eye.

Apparently, we’re not alone in our liberal use of tags. By some estimates, companies outsource up to 80% of a website’s functionality to outside vendors supplying specialized services. That can include data management, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, and more which are generally handled via third-party code lying outside the scope of a company’s control infrastructure.

The top thousand most-visited U.S. websites have an average of 100 technologies in their marketing cloud. Many were provided – directly or indirectly – by third parties.

What marketers don’t know about tags (and we didn’t either)

Even a closely-managed site may have an increasing number of tags from third-party vendors embedded on its pages, enabling their various digital marketing tools to function. Although they are usually installed by a website producer, developer, or someone within the marketing department, what exactly resides in those tags is often an unknown.

That’s because the tags placed on a website regularly provide access to the websites of their customers to other tags, for a number of reasons. For example, advertising tags might call to others to increase chances of conversion or to increase traffic to the site. The indirect consequence of increased third-party tags, however, adds to a lack of visibility into who exactly has access to the site’s customer data.

To illustrate what’s happening, here’s a common scenario most digital marketers have experienced. A marketer contracts “Vendor A” to provide deeper analytics of their website visitors. To make “Vendor A’s” technology work, the marketer must add a line of code to its website, often referred to as a tag or pixel. It’s a generally accepted model for granting a vendor access to website data they need to fulfill their agreement with you.

Some of the lack of visibility of the full scope of tags on their website can occur when “Vendor A’s” tag uses another vendor (“Vendor B”) to perform the function they were contracted for. The marketer doesn’t have a direct relationship with “Vendor B”, and therefore might not have the full picture of why they have access to the site.

The problem is compounded when you realize that by adding more tags, you’re giving up more control over information that technically belongs to you, but has now been shared with more vendors than you thought.

A few things to note:

• By permitting those tags on its site, a company is implicitly giving those vendors the right to collect visitor data.
• Often, the tag may give data access to other third parties that the website operator isn’t aware of, but who are necessary to functionality of the vendor’s product.
• A typical enterprise site may have from 50 to 150 third-party tags embedded on it, as well as a large number of redirects to other third parties.

The growing trouble with tags

For enterprise companies operating across markets and countries where global privacy regulations are more stringent than they are in the US, giving another company access to its website visitor data can pose significant and costly liability issues.

For example, the upcoming General Data Protection Regulation (GDPR), which takes effect this year, requires that any company conducting business in the EU (or conducting business elsewhere but selling to EU citizens) get explicit consent before it can collect personal data.

You also cannot hold the user hostage by withholding access to your website until the user has provided consent. To the contrary, all users whether they’ve given consent or not, must still be able to access all the content on your website.

Regardless of whether the company or a third-party vendor is the one collecting the data, it is still the company’s responsibility. Under the GDPR, they may be fined up to 4% of annual revenue or €20 million (whichever is greater) for failure to comply.

Getting visibility into the hidden tags on your website

Thanks to Evidon’s Trackermap®, we’re now aware of all the tags on our website, and we’ve made some changes as a result.

As a company that does business in the EU, Trackermap® has also helped us in the GDPR compliance process. Getting visibility into all of the third-party tags that are collecting user data on your site is one of the first steps towards making sure that you are compliant with the consent requirement of the GDPR.

Here’s a screenshot of the tags firing on our website’s home page as of this blog post:

As you can see, quite a few companies have access to our visitor data (besides the ones we were already aware of), and thanks to this visibility we are now able to govern them more closely, while still reaping the benefits of the services they provide.

Input your own company’s home page URL to get a free scan, and an idea of the how many tags reside on your website. It’s truly an eye-opener – and if you’re preparing for the looming GDPR deadline, you’ll also be that much closer to compliance.