How Haymarket Uses Sourcepoint to Manage Vendor Compliance

Daisy Raichura, Technical Account Manager
October 1, 2024

Haymarket is a privately-owned media, data, and information company, shaping a better future with remarkable content for specialist audiences around the world. The company has 1,300 employees across offices in the UK, US, Canada, Hong Kong, Singapore, India, Germany and the Netherlands.

The importance of assessing vendor compliance

Haymarket have long recognized that they have a leadership role to play in ensuring a safer digital ecosystem. Global regulatory scrutiny is rising and requires that publishers communicate consumer consent preferences with all third-party processors, not just direct partners.

The team sought to elevate their level of compliance by identifying and removing unreputable adtech vendors. Additionally, they were keen to work with a privacy partner that could provide increased technical support, as well as improved monitoring capabilities. They wanted to bolster their overall compliance efforts while also streamlining their CMP vendor list so it accurately reflected their partnerships and aligned with their commitment to responsible digital practices.

To achieve this, Haymarket partnered with Sourcepoint and launched their vendor compliance project using Diagnose.

Managing vendor compliance with Diagnose

Through ongoing scans, Diagnose tracks several metrics with individual dashboards to improve the compliance score of websites or mobile apps. The Haymarket team looked at the following metrics:

• Vendors triggered prior to consent

As per GDPR and the ePrivacy Directive, only vendors with a strictly necessary function should trigger prior to consent. Haymarket’s first step was to understand which vendors were triggering on their properties prior to consent.

• Non-disclosed vendors observed

This metric is designed to generate a comprehensive view of any vendors observed operating on scanned properties that are not on a CMP’s vendor list. It is a requirement to declare all of the technology vendors active on-page, and Haymarket wanted to ensure they were properly handling any vendors who might not be on their CMP vendor list.

• Disclosed vendors

More vendors on a vendor list means more vendors with access to your end users’ data. Haymarket wanted to make sure the list held no vendors beyond the ones they actually used, to avoid exposing themselves to potential data leakage through a longer chain of vendors.

• Cookies with long lifespans

A best practice for GDPR compliance is that personal data not be kept for longer than 13 months. Since it is up to the vendor to set cookie durations, Haymarket wanted to ensure most cookies did not have a lifespan of more than 13 months and contact the vendors for remediation as needed.

• Possible fingerprinting

Each publisher has a different policy regarding vendors who use technology similar to fingerprinting. Haymarket utilized the Possible Fingerprinting dashboard to approach specific vendors and understand why Sourcepoint scans had picked up similar technology.

• Data leaving the EEA

Haymarket reviewed the Data Leaving the EEA metric in order to identify vendors who have servers located outside the EEA, which can be a compliance risk under GDPR.

The results: Fewer vendors, more control

Curating their vendor list

Haymarket reduced the number of their vendors using Diagnose. The team leveraged Sourcepoint’s vendor prevalence metric to identify which of their partners were actually active on their sites. At the end of the process, Haymarket had reduced their vendor list from over 230 to 101 vendors, an over 50% reduction, without seeing any revenue impact.

“Haymarket has benefited hugely from Sourcepoint’s Diagnose tool — it’s given us a clear view on exactly what vendors and partners are doing on our sites in a way that would be difficult to do ourselves. Their scale and coverage mean we’ve been able to challenge multiple partners on their activity which has reduced unnecessary cookie and script loading.”

— Liv Horner, Lead Product Manager at Haymarket Automotive

Achieving a best-in-class compliance score

From the outset, Haymarket sought to utilize Sourcepoint’s compliance score to establish success metrics for themselves. The results have been impressive.

After completing their initial vendor curation exercise, Haymarket achieved a relative score of 100 for both “vendors triggered prior to consent” and “cookies with long lifespans.” They also have a relative score of 0 for “disclosed vendors.” This means they are working only with necessary partners and avoiding a larger chain which can lead to data leakage and compliance risk.

What is Sourcepoint’s relative score?

Sourcepoint’s relative score is a percentile rank calculated from all the compliance metrics. It compares the performance of a client’s monitored websites or apps with the performance of benchmark properties selected by the client.

For example, a relative score of 67% would mean that the client’s compliance metrics score better than 67% of the properties in their benchmark dataset.

Establishing a vendor review workflow

Haymarket’s vendor curation journey didn’t stop once they achieved their compliance score objectives. The dynamic nature of programmatic operations means they are committed to performing regular due diligence to remain compliant.

Haymarket has monthly calls to go through the Diagnose dashboard with their Sourcepoint technical account manager, for which they utilize Sourcepoint’s Vendor Status feature. This allows them to review and whitelist new vendors that are discovered on their properties via a Diagnose scan and amend the status after reviewing each vendor.
