Marketers shouldn’t use Tag Manager without IT support
A tag manager (such as Adobe Launch, Adobe DTM, Google Tag Manager, Tealium IQ, Tag Commander) makes it easy for marketers to instantly install any third-party web service on their website. Though useful, leveraging it without specific and detailed knowledge about potential technical impacts will pose a high risk to the digital property in question - whether it’s a website or an app.
Therefore, this guide will detail the risks that come with third-party services, and how these risks can be managed and minimized.
What is a tag manager?
In our current digital age, almost all websites use a third-party service of some kind. These services support businesses by tracking users, running A/B tests, personalizing content, creating revenue by showing ads, loading web fonts, pushing content to social media networks, collecting user feedback, chatting with users and much more.
“Third-party tools are infrastructure and code managed by someone else.” - Guy Podjarny
Today, there are more than 6,800 marketing tools available, each promising to generate income by simply adding one line of code to your website. From a business perspective, this sounds highly appealing and many will be tempted to try multiple tools.
However, inserting a line of code into your website can prove a hassle and require the help of an IT department that may not have sufficient capacity, meaning the next deployment could take as long as a month to be ready. This isn’t a good solution for anybody, right? That’s where tag managers come in.
Tag managers are third-party tools themselves. They work by injecting a JavaScript library into the site, which makes adding other third-party tools as easy as filling out a simple web form.
Tag manager vendors usually highlight the following benefits in their marketing messaging:
- The ability to run all necessary tools without IT involvement
- Accelerated time to market for products
- Quicker turnaround
- Endless flexibility
These statements are all true, but they disregard one significant fact. The hard part here isn’t just adding a tag to your page, it’s also understanding the impact a third-party service could have on your website or app. In light of this, despite the messaging that IT involvement isn’t necessary, these potential risks mean that a tag manager should, in fact, be operated by IT departments, rather than marketers.
What can possibly go wrong by adding one line of code?
Third-party services can break your website in many different ways:
1. User experience
- The rendering of the page can be delayed if additional (unnecessary) JavaScripts are loaded synchronously in the document head — which is usually the case with personalization and A/B testing services.
- Even if services follow best practices and load scripts asynchronously, the page load event will still be delayed. This holds back any scripts triggered by the page load event, meaning the user has to wait for the page to load.
- Long-running JavaScripts can make the site unresponsive for a few seconds. This is when you see a button but nothing happens if you click on it.
If your pages take longer than 3s to load on a mobile connection, the chances are high that a lot of users will abandon their visit and will never come back. In extreme cases, the third-party scripts can prevent your whole page from rendering, meaning they will simply present the user with a white page for an extended period of time.
2. Accessibility
Accessibility is very important, and is even a legal requirement for many companies. Therefore, companies need to make sure that services provided by third parties are accessible, in addition to their own, by asking the following questions:
- Is the chatbot usable via keyboard?
- Is the color contrast of the chatbot high enough?
- Do you have ads with animations that are running in an unstoppable loop?
3. Data privacy
A lot of third-party services collect personal data (IP addresses, for example) or set cookies. Since May 25th, the General Data Protection Regulation (GDPR) holds you responsible for the data you collect. The consequent penalties can be draconian. Therefore, you need to ensure you are fully compliant by asking the following questions:
- Do you know which data is being collected?
- Do you know where the data is stored?
- Do you know how long data is stored for?
- Do you have a proper contract with the third-party service?
- Do you need to update your data privacy statement?
4. Security
Third-party services come with a number of security risks. For example, there have been several known attacks on ad services like DoubleClick. In this case, several ads were delivered with hidden bitcoin miners which even affected sites like YouTube. This increasingly common type of attack has become known as ‘malvertising’.
In addition to this risk, third-party services often don’t update the JavaScript libraries they use, meaning some well-known vendors might be loading old JavaScript library versions with known security vulnerabilities.
It’s crucial to keep in mind that third-party code can change anytime and introduce new security vulnerabilities with the new iterations.
5. Code incompatibilities
If you’re using many different third-party services, it’s very likely you’re loading different versions of the same JavaScript libraries. These can cause issues that are difficult to identify and resolve.
The correct way to add a third-party service
Given these potential risks and dangers involved in leveraging a third-party service, having a process in place for this implementation is clearly important. It’s also crucial to have a designated person who is accountable for each third-party service and who can manage and lead the process. My recommended process is as follows:
Checklist
Prepare a checklist to make sure all needed tasks are done before a third-party service is installed. Document every step with the following questions:
- What was done?
- What was the outcome?
- Who did it?
- When was it done?
Vendor survey
Get in contact with the vendor sales team and ask the right questions before you start with your own investigations. If there are any problems, talk to the vendor to discuss whether the issues can be fixed. If not, you can stop the process at this point and look for alternative tools. On the other hand, if you’re satisfied with the answers given, ask the vendor for 5 URLs of customer websites which are already using the features you are interested in. These URLs can be used for an audit.
Third-party tool audit
Ensure that your experts have thoroughly checked the third-party service and gone through the necessary processes so that the third-party service can be used in a secure way. This involves examining issues such as:
- Web performance: How large is the impact of loading the third-party service on performance? What is the best way to load the service? What happens if a service can’t be loaded? What happens if the service loads very slowly?
- Accessibility: Is the third-party service compatible with the WCAG level you want to achieve with your website? What needs to be fixed?
- Legal: Is the service compatible with GDPR? What needs to be added to the privacy statement? Is there a special contract needed with the vendor?
- Security: What security risks are at play? What can we do to prevent these dangers as much as possible?
- Code incompatibilities: Are there any anticipated conflicts between third-party services and your own website code?
Following your audit, share the outcomes with your third-party service vendor and check whether the issues found can be fixed. If solutions aren’t possible, stop the process at this point and look for alternative tools.
Know the value and costs
“Everything should have value, because everything has a cost.” - Tim Kadlec
Before you start using a third-party service, it’s important to make sure that the tradeoff between value and cost is positive.
What is the expected business value of adding the third-party service?
- Which relevant business is supported and improved by using a third-party service?
- To what extent does it contribute to the realization of your goals/conversion (monetary, percentage)?
- How can you measure the business value?
- Is there another way to achieve the same results?
What are the real costs of the third-party service?
- Licensing costs
- Maintenance costs (audit, monitoring)
- How is the third-party service affecting user behavior? A slower loading website or app can negatively affect engagement, the time on page, and the bounce rate. You want to be able to measure and quantify these factors.
- How much do our users have to pay for downloading extra data?
Prepare your site for the new service
Go through the action list the experts created during the audit:
- Update your site’s privacy statement.
- Update your Content Security Policy (CSP).
- Use a Service Worker to fetch the network requests and drop the service if it is not responding fast enough.
- Make the third-party service measurable.
- Respect user preferences: Don’t track users who send a “Do Not Track” (DNT) header and don’t waste data for users who send a “save-data” header.
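As an added illustration of the CSP and user-preference items above (not code from the original article), the following Node.js sketch derives both the set of tags to serve and the Content Security Policy from one audited tag inventory. The tag names, owners and `.example` origins are constructed placeholders, and the `tracking`/`heavy` flags are an assumed way of recording the audit outcome.

```javascript
// Constructed inventory: tag names, owners and *.example origins are placeholders.
const TAGS = [
  { name: 'analytics', owner: 'web-analytics-team', tracking: true, heavy: false,
    sources: { 'script-src': ['https://cdn.analytics.example/lib.js'],
               'connect-src': ['https://collect.analytics.example'] } },
  { name: 'chat', owner: 'support-team', tracking: false, heavy: true,
    sources: { 'script-src': ['https://widget.chat.example'],
               'connect-src': ['https://api.chat.example'] } },
  { name: 'feedback', owner: 'ux-team', tracking: false, heavy: false,
    sources: { 'script-src': ['https://cdn.feedback.example'] } },
  // No accountable owner recorded, so this tag is never served.
  { name: 'old-pixel', owner: null, tracking: true, heavy: false,
    sources: { 'img-src': ['https://px.legacy.example'] } },
];

// Read the DNT and Save-Data request headers (names lower-cased, as Node does).
function preferences(headers) {
  return {
    doNotTrack: headers['dnt'] === '1',
    saveData: String(headers['save-data'] || '').toLowerCase() === 'on',
  };
}

// Tags to serve for this request: owned, and compatible with the user's preferences.
function allowedTags(tags, headers) {
  const { doNotTrack, saveData } = preferences(headers);
  return tags.filter(t =>
    Boolean(t.owner) && !(t.tracking && doNotTrack) && !(t.heavy && saveData));
}

// Build a CSP header value that lists only the origins of the tags being served.
function buildCsp(tags) {
  const directives = new Map([['default-src', new Set(["'self'"])]]);
  for (const tag of tags) {
    for (const [directive, urls] of Object.entries(tag.sources)) {
      if (!directives.has(directive)) directives.set(directive, new Set(["'self'"]));
      for (const url of urls) {
        const { protocol, hostname, origin } = new URL(url);
        // Refuse plain-HTTP and wildcard sources so the policy names exact HTTPS origins.
        if (protocol !== 'https:' || hostname.includes('*')) {
          throw new Error(`${tag.name}: refusing CSP source ${url}`);
        }
        directives.get(directive).add(origin);
      }
    }
  }
  return [...directives].map(([d, set]) => `${d} ${[...set].join(' ')}`).join('; ');
}
```

Send the string returned by `buildCsp(allowedTags(TAGS, req.headers))` as the `Content-Security-Policy` response header, and render only the same allowed tags into the page, so a tag that was never audited is blocked by the browser even if someone adds it in the tag manager.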
Monitor third-party services
Once you’ve been through these preparation stages, you should set up a monitoring service and gather real user data. You’ll want to be able to measure how the service is influencing your user experience. Many RUM (Real User Measurement) tools have an alert function which automatically informs the right person if there are problems with a third-party service. It also makes sense to scan for security vulnerabilities, which can be introduced at any time.
Have an emergency plan
“Anything that can go wrong, will — at the worst possible moment.” - Murphy’s Law
If there is anything wrong with a service, you should know exactly what steps to take and whom to contact. There should be a detailed emergency plan in place for each service you use. Don’t start searching for a solution when everything is already on fire. Also, make sure to do a fire drill from time to time.
Implement the third-party service
If you have a complex website, I would recommend using a tag manager in combination with a data layer. This makes it easy for you to add, maintain and remove a third-party service. However, be extremely careful with user permissions and involve your IT.
Before you roll out the new service to all of your users, you might want to test it with a small user group (1%-10%). Then, depending on the insights you get by collecting real user data, you can decide whether to roll it out to a bigger user base or to stop using the service entirely.
Ask yourself whether you really need the data from all of your users. Using the third-party for a smaller user group without losing insights could be a good solution. This could even save you money if the third-party service is charging based on traffic or user sessions.
Monthly reviews
Things can change quickly. Set up a monthly meeting with all team members responsible for the third-party services and check out the following:
- Is the third-party service still used? Make sure to remove all third-party services which are not used anymore.
- Does the third-party service deliver the business value as expected?
- Are there any changes in the third-party service which should be investigated?
Do you need help?
When it comes to leveraging third-party services safely, and in a way that generates the best value for your business, Netcentric can provide expert guidance to support you in the process. This includes:
- Auditing third-party services you need for your business
- Setting up a tag manager for your app or website
- Specifying and implementing data layers for your application
- Reviewing and migrating tags