A tag manager (such as Adobe Launch, Adobe DTM, Google Tag Manager, Tealium IQ, Tag Commander) makes it easy for marketers to instantly install any third-party web service on their website. Though useful, leveraging it without specific and detailed knowledge about potential technical impacts will pose a high risk to the digital property in question - whether it’s a website or an app.
Therefore, this guide will detail the risks that come with third-party services, and how these risks can be managed and minimized.
In our current digital age, almost all websites use a third-party service of some kind. These services support businesses by tracking users, running A/B tests, personalizing content, creating revenue by showing ads, loading web fonts, pushing content to social media networks, collecting user feedback, chatting with users and much more.
“Third-party tools are infrastructure and code managed by someone else.” - Guy Podjarny
Today, there are more than 6,800 marketing tools available, each promising to generate income by simply adding one line of code to your website. From a business perspective, this sounds highly appealing and many will be tempted to try multiple tools.
However, inserting a line of code into your website can prove a hassle and require the help of an IT department that may not have sufficient capacity, meaning the next deployment could take as long as a month to be ready. This isn’t a good solution for anybody, right? That’s where tag managers come in.
Tag manager vendors usually highlight the following benefits in their marketing messaging:
These statements are all true, but they disregard one significant fact. The hard part here isn’t just adding a tag to your page, it’s also understanding the impact a third-party service could have on your website or app. In light of this, despite the messaging that IT involvements aren’t necessary, these potential risks mean that a tag manager should, in fact, be operated by IT departments, rather than marketers.
Third-party services can break your website in many different ways:
If your pages take longer than 3s to load on a mobile connection, the chances are high that a lot of users will abandon their visit and will never come back. In extreme cases, the third-party scripts can prevent your whole page from rendering, meaning they will simply present the user with a white page for an extended period of time.
Accessibility is very important, even being a legal requirement for many companies. Therefore, companies will need to make sure services provided by 3rd parties are accessible in addition to their own by asking the following questions:
A lot of third-party services are collecting personal data (IP addresses for example) or setting cookies. Since May 25th, the General Data Protection Rules (GDPR) will now hold you responsible for the data you collect. The consequent penalties can be draconic. Therefore, you need to ensure you are fully compliant by asking the following questions:
Third-party services come with a number of security risks. For example, there have been several known attacks on ad services like Doubleclick. In this case, several ads were delivered with hidden bitcoin miners which even affected sites like Youtube. This increasingly common type of attack has become known as ‘malvertising’.
It’s crucial to keep in mind that third-party code can change anytime and introduce new security vulnerabilities with the new iterations.
Given these potential risks and dangers involved in leveraging a third-party service, clearly having a process in place for this implementation is important. It’s also crucial to have an allocated person that’s accountable for each third-party service, that can manage and lead the process. My recommended process is as follows:
Prepare a checklist to make sure all needed tasks are done before a third-party service is installed. Document every step with the following questions:
Get in contact with the vendor sales team and ask the right questions before you start with your own investigations. If there are any problems, talk to the vendor to discuss whether the issues can be fixed. If not you can stop the process at this point and look for alternative tools. On the other hand, if you’re satisfied with the answers given, ask the vendor for 5 URLs of customer websites which are already using the features you are interested in. These URLs can be used for an audit.
Ensure that your experts have thoroughly checked the third-party service, and gone through necessary processes in order that the third-party service can be used in a secure way. This involves examining issues such as:
Following your audit, communicate with your third-party service vendor with the outcomes of your audit and check whether the found issues can be fixed. If solutions aren’t possible, stop the process at this point and look for alternative tools.
Know the value and costs
“Everything should have value, because everything has a cost.” - Tim Kadlec
Before you start using a third-party service, it’s important to make sure that the tradeoff between value and cost is positive.
What is the expected business value of adding the third-party service?
What are the real costs of the third-party service?
Go through the action list the experts created during the audit:
Once you’ve been through these preparation stages, you should set up a monitor service and gather real user data. You’ll want to be able to measure how the service is influencing your user experience. Many RUM (Real User Measurement) tools have an alert function which automatically informs the right person if there are problems with a third-party service. It makes also sense to scan for security vulnerabilities which can be introduced at any time.
“Anything that can go wrong, will — at the worst possible moment.” - Murphy’s Law
If there is anything wrong with a service, you should know exactly what steps to take and whom to contact. There should be a detailed emergency plan in place for each service you use. Don’t start searching for a solution when everything is already on fire. Also, make sure to do a fire drill from time to time.
If you have a complex website, I would recommend using a tag manager in combination with a data layer. This makes it easy for you to add, maintain and remove a third-party service. However, be extremely careful with user permissions and involve your IT.
Before you roll out the new service to all of your users, you might want to test it with a small user group (1%-10%). Then, depending on the insights you get by collecting real user data, you can decide whether to roll it out to a bigger user base or to stop using the service entirely.
Ask yourself whether you really need the data from all of your users. Using the third-party for a smaller user group without losing insights could be a good solution. This could even save you money if the third-party service is charging based on traffic or user sessions.
Things can change quickly. Set up a monthly meeting with all team members responsible for the third-party services and check out the following:
When it comes to leveraging third-party services safely, and in a way that generates the best value for your business, Netcentric can provide expert guidance to support you in the process. This includes: