For publishers: 5 tips for optimizing your vendor assessment process

The shift to more transparent data practices continues to evolve. Users are taking more control over whether or not they want to allow third-party cookies, trackers, and tags access to their personal data when they visit their favorite sites and apps. As a result, publishers need to adopt a more proactive approach to managing the vendors processing consumer data on their digital properties.

If a publisher fails to curate their vendor list on a regular basis to understand what vendors are present on their digital properties, the consequences can be significant. Regulators in Europe have been cracking down on third-party data processing violations. For example, French data protection authority, the CNIL, ruled that Carrefour France and Carrefour Banque were in violation of GDPR for vendors who processed consumer data prior to user consent, resulting in a €3.05 million fine. The recent Belgian DPA ruling on the TCF emphasizes publishers’ responsibility, as data controllers, for the behavior of vendors on their site.

Not only are publishers at risk of regulatory fines, but you could be missing out on monetization opportunities as well. Data leakage, caused when unknown vendors triggered by redirects capture audience data in the programmatic bid request, is both a security risk and devalues your relationship with the consumer.  You need to identify the vendors who can provide value — so you can enter into a commercial arrangement — and block the ones who don’t. 

Download our guide to vendor list curation.

Protecting your website from compliance risk and data leakage should be a top priority, and it all comes down to understanding which vendors are adding value to your site. So how do you know which vendors are right for you? Below are five tips to help guide you. 

1. Analyze your current tech stack

Any vendor you choose to work with must adhere to the same level of data privacy as your existing tech stack. Ask yourself these three questions to better understand if a vendor is a good fit:

• Does the vendor have servers in Europe, or is the data going to a county that does not offer the same level of data protection?
• Does the vendor adhere to the principle of data minimization, or do they use permanent cookies with an excessively long lifespan?
• Does the vendor use intrusive JavaScript methods to create a fingerprint of the device without providing users the option to opt out?

2. Make sure you and your vendors are up to date with the latest compliance guidelines

It seems like there’s a new data privacy regulation cropping up every few months. There are no signs of this slowing down as more and more regions focus on the importance of data privacy. Unfortunately, compliance to GDPR and other regulations has been uneven, with some vendors showing a lack of commitment to data privacy. These vendors put your website at risk of noncompliance. 

3. Focus on transparency

A key indicator of whether or not a vendor is a good fit for your website is transparency. Make sure that the vendor not only specializes in cookies but also covers all other technologies. The more vendors you involve, the higher the technical effort and the less transparent the process, which opens up more opportunities for errors. Transparent documentation ensures that dubious vendors can be discovered and removed from your website.

4. Know where the data is coming from

It’s essential to know the origin of the third-party data available. Was it collected with the consent of the users? Have users been informed about the use and processing of the data (i.e., personalized advertising)? These questions are necessary to answer for each vendor you allow on your website. Since compliance is not a static state, you should revisit these questions with your vendors on a regular basis.  

5. The timing of consent matters

Advertising cookies that are dropped before the user’s consent is given is still a fairly widespread practice, but regulators are cracking down. See the recent fines handed out to European supermarket giant Carrefour and publisher Le Figaro, from the French data protection authority, the CNIL. When reviewing your vendors, make sure to monitor the timing of when they access data. If cookies or trackers collect information as soon as a website page loads, that’s not only a violation under consent-based regimes, but it could be a red flag for other risky behavior.

These five steps are a good place to start to evaluate which partners and technologies are a good fit for your business without impacting performance.

Are you looking for more information on vendor assessments for CMP optimization? Download your free copy of our guide, A Publisher’s Guide to Vendor List Curation.