Vendor list cautionary tales: what you can do to protect your site
October 31, 2022
When was the last time you took a look at the different vendors accessing data from your website? If it’s been a while, it’s time to take a look under the hood with a cookie and tracker scanner. There may be a range of questionable scenarios lurking on your website.
Now, this isn’t meant to scare you—but we do encourage you to take a proactive approach to who you are partnering with and to understanding the value they bring to your website. The more you know, the better-informed decisions you can make for your website, which in turn boosts your bottom line and ensures you’re protecting users by maintaining compliance with major data privacy regulations. And not having regular monitoring processes in place can expose you to the scrutiny of privacy advocates and regulators alike.
Are you curious about some of the less-than-ideal situations that can happen when you neglect to review your vendor list on a regular basis? Here are a couple of examples our team has come across when helping publishers curate the vendor lists in their CMP.
If you’re interested in learning more, download our Publisher’s Guide to Vendor List Curation.
1. The (almost) eternal cookie lifespan
Until Google’s delayed cookiepocalypse goes into effect, there’s one thing we know for sure: third-party cookies and trackers will continue to appear on websites.
One of the most important things publishers should know about cookies firing on their websites is the cookie’s lifespan. Not all cookies are built the same, so it’s normal to see differing lifespans. For example, a session cookie expires once you log off or close your browser and is only stored temporarily. Session cookies are also referred to as transient cookies, non-persistent cookies, or temporary cookies.
It’s important to note that session cookies are not the same as tracking cookies. What makes tracking cookies unique from session cookies is that they can persist beyond a session and follow a user across multiple sites or services to collect data for personalized advertising. The lifespan of a tracking cookie varies, but the length of the lifespan can become a nightmare for publishers and privacy-conscious users.
There are three main reasons why publishers should focus on reducing the lifespan of their cookies:
1) Data minimization. A key aspect of most data privacy regulation is data minimization. For example, the General Data Protection Regulation (GDPR) states that the processing of personal data must be “adequate, relevant and limited to what is necessary.” Therefore, the cookie (and any associated data) should only be kept for as long as is necessary. This means companies shouldn’t be accumulating data associated with a Cookie ID simply to collect it.
2) Data integrity. Consumer data inherently has a short shelf life, which means the quality of the data degrades quickly. In order to remain relevant, your targeting segments need to be up-to-date. Think of it this way: if you’re in the market for a toaster today, you probably won’t still be in the market for one a few years from now. If vendors are holding on to cookies with long shelf lives, it may be a sign that they’re keeping data for too long and are delivering stale segments.
3) Access control. The longer the cookie’s lifespan, the less control the vendor has over who can access the data and how it is used. Cookie syncing occurs among vendors across the advertising ecosystem. The longer a cookie persists, the more cookie syncing is likely to occur, which increases the opportunity for misuse.
In our experience helping publishers curate their vendor lists, we’ve come across tracking cookies with extreme lifespans—one tracking cookie had a lifespan of 89 years!
2. Cookies and other trackers firing without consent
Without proper consent, GDPR compliance isn’t possible, and missing consent is a problem for many websites across the internet. This has become an increasing priority for regulators: the French data protection authority, the CNIL, recently fined major French publisher Le Figaro 50,000 euros for the appearance of advertising cookies before user consent.
Under GDPR, for example, consent must be specific, informed, and freely given. And until that consent is given by the user, cookies and other forms of data tracking are not allowed. With the right tool, like Sourcepoint’s DIAGNOSE, you can see which vendors are firing cookies prior to consent being given. From there, you can reach out to vendors to fix the misfiring of cookies or curate them from your list. In the end, the more data you have, the better informed your decisions will be.
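As an added example (not Sourcepoint’s code and not part of the original article), the sketch below covers the two checks described in sections 1 and 2: it computes each cookie’s lifespan from its Set-Cookie header and flags cookies that were set before consent. The hosts, timestamps, headers, the 395-day threshold, and the rule that only cookies from non-publisher hosts count as pre-consent are assumptions made for illustration.

```javascript
// Constructed sample: Set-Cookie headers as a scanner might record them,
// with the host that sent each one and when. Not data from a real site.
const CONSENT_AT = Date.parse("2022-10-31T12:00:05Z"); // moment the user consented
const OBSERVED = [
  { host: "www.publisher.example", at: "2022-10-31T12:00:00Z",
    header: "sid=abc123; Path=/; Secure; HttpOnly" },
  { host: "ads.vendor-a.example", at: "2022-10-31T12:00:01Z",
    header: `uid=u-1; Max-Age=${89 * 365 * 86400}; Path=/; Secure; SameSite=None` },
  { host: "sync.vendor-b.example", at: "2022-10-31T12:00:07Z",
    header: "vb=9; Expires=Tue, 31 Oct 2023 12:00:07 GMT; Path=/" },
];
const MAX_DAYS = 395; // hypothetical review threshold chosen for this example

// Lifespan in seconds, or null for a session cookie (no Max-Age or Expires).
// Per RFC 6265, Max-Age takes precedence over Expires when both are present.
function lifespanSeconds(header, observedAtMs) {
  const attrs = new Map();
  for (const part of header.split(";").slice(1)) {
    const [key, ...rest] = part.trim().split("=");
    attrs.set(key.toLowerCase(), rest.join("="));
  }
  const maxAge = attrs.get("max-age") || "";
  if (/^-?\d+$/.test(maxAge)) return Number(maxAge);
  const expires = Date.parse(attrs.get("expires") || "");
  return Number.isNaN(expires) ? null : Math.round((expires - observedAtMs) / 1000);
}

// Flag each cookie: "session", "long-lived" (over MAX_DAYS), and
// "pre-consent" (assumption: set by a non-publisher host before consent).
function auditCookies(observed, consentAtMs, publisherHost) {
  return observed.map(({ host, at, header }) => {
    const seenAt = Date.parse(at);
    const secs = lifespanSeconds(header, seenAt);
    const flags = [];
    if (secs === null) flags.push("session");
    else if (secs > MAX_DAYS * 86400) flags.push("long-lived");
    if (host !== publisherHost && seenAt < consentAtMs) flags.push("pre-consent");
    const days = secs === null ? null : Math.round(secs / 86400);
    return { host, name: header.split("=")[0].trim(), days, flags };
  });
}

for (const row of auditCookies(OBSERVED, CONSENT_AT, "www.publisher.example")) {
  console.log(row.host, row.name, row.days, row.flags.join(",") || "ok");
}
```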
3. Vendors accessing user data without a formal agreement
A formal agreement between you and your vendors protects your business from fraud, but it also ensures that your business is able to drive revenue. Without a formal agreement, vendors may allow other vendors to indirectly access your users’ data without fairly compensating you.
A formal vendor agreement will help you keep track of exactly who you’re partnering with and make sure you’re compliant with all data privacy laws as well as optimizing your revenue. It’s a win-win.
4. Vendors that are not compliant with data privacy regulation
Not only are you on the hook for adhering to all relevant legislative regulations and industry frameworks, but many of these guidelines also require that every vendor you partner with meets the requirements. Do you know for certain that all of the vendors are meeting the compliance standards? If you don’t, you definitely want to check.
Non-compliance can land you in hot water with privacy regulations, and it can also impact your bottom line. In fact, failure to adhere to the General Data Protection Regulation (GDPR) in the EU may result in a fine of up to €20 million or 4% of your annual revenue (whichever is higher). Non-compliant vendors can be very costly to your business. It’s not only European companies that are on the hook for adhering to the GDPR. Any US company that is getting website traffic from European residents is also responsible for being GDPR compliant.
5. Vendors impacting the performance of your website
In 2020, Google made it clear that the web experience is an essential part of your website’s performance in search rankings. The vendors you partner with can directly add stress to your site that can negatively impact Core Web Vitals scores.
What it comes down to is whether the vendors on your list are adding or detracting value. Are they contributing to a poor website experience? Are they adding bloat and stress on your backend? You want to prioritize the vendors that are helping you successfully monetize your website.
As you can see, a lot can happen when you’re not looking. That’s why it’s important to regularly review the vendors accessing data from the backend of your website. If you’re unsure where to start, take a look at these three tips:
1) Build your vendor knowledge. A good rule of thumb is to proactively review your vendor list every quarter to have several months’ worth of data for each vendor.
2) Review in times of major change. As you stay up to date on privacy regulations, it’s a good idea to get in the habit of reviewing your vendor list whenever a major legislative change is made to ensure your vendors are compliant.
3) Less is more. There is no magic number of vendors you should have on the backend of your website. But, on average, publishers have around 200 vendors—including those within and outside of the adtech ecosystem.
Download a copy of the Publisher’s guide to Vendor List Curation to access more FAQs, best practices, and tips.