What Every CISO Should Know About Marketing Ad Tags
By Jodi Daniels
Modern online marketing began in 1996 when DoubleClick developed the first ad server. Since then, this industry has evolved into a complex ecosystem of thousands of players using programmatic advertising, retargeting, and collecting millions of digital footprints. This data collection starts with online identifiers that can include IP addresses, device IDs, advertising IDs, precise location information, and referring URLs. Before GDPR and CCPA, many considered these identifiers anonymous and adtech companies emphasized that they were not collecting personally identifiable information. Companies convinced their legal teams that they were not collecting personal data, and so these adtech companies were safe.
To date, initiatives such as the Digital Advertising Alliance’s Self Regulatory Online Advertising Framework and Network Advertising Initiative included specific language about companies’ obligations if personal data was tied to non-personally identifiable data. But now with GDPR and CCPA, the definition of personal data has been expanded to now include online identifiers. This personal data must be protected and companies need to include it in their processing activity records, honor individual rights, and describe activities in their privacy notice.
Historically, marketers worked in their own silo and only handled limited data that required protection. Today, with over 5,000 martech companies (check out the full list here) in existence, marketing partners more strongly with the IT department. Between building and hosting websites, third party integrations, and increased personal data collection, IT departments must focus on protecting this marketing data.
In this article, I will discuss the risks associated specifically with online marketing tags placed on websites and why these risks should concern CISOs.
Understanding the World of Pixels
Marketers use pixels (also known as tags or beacons) for many different reasons including retargeting customers who abandoned an online shopping cart, submitted an employment application online, or filled out a form on a website. Pixels are also used for the delivery and performance measurement of advertisements. A company can have hundreds of pixels on a site that are measuring the performance of ads, page or advertisement analytics, shopper behavior, and more.
Using pixels like Google Analytics also allow for companies to understand the behavior of website visitors such as how long the user stayed on a site, what pages were visited, and how many times they clicked on a piece of content. The Facebook pixel is ubiquitous today to retarget users from a company site and deliver a targeted ad potentially using data from both Facebook and the company’s website.
Let’s explain how this works. A company wants to retarget shoppers who did not complete a purchase on its site by serving them with an ad on a third-party site such as Facebook. The ad will entice the shopper to come back to the company’s website and finish the purchase. The company starts by placing a Facebook pixel (and potentially other third-party pixels) on its website. These other pixels may measure the effectiveness of the ad or change the creative in the ad depending on the user.
The way ads are actually displayed is through a complex web of parties in the middle trying to get the message from an advertiser to the end consumer. (To see an example of the complexity for just display advertising, you can check out this infographic.) Every company is trying to find its perfect customer, and so an ecosystem exists of ad exchanges, supply side exchanges (a number of websites that join together to try and receive ads), data brokers, programmatic bidding (that automatically determines which ad should appear in the ad space based on criteria read from pixels), ad networks, data management platforms (DMPs), and others all involved in trying to deliver a single ad impression.
Piggybacking and the Risk of Data Leakage
Sometimes, “piggybacking” occurs. That means an ad exchange may place a pixel on the company site and then that pixel may make a call to yet another ad tech vendor. Each of these pixels may appear on the site, and each of them are collecting data. The site where these pixels drop can also collect data about that site and, in some situations, rewrite your web page or even leak sensitive information.
Another pixel example may be a media company or retailer that places ads on its own site. The advertisers place pixels in the ads to measure effectiveness, confirm that the ad delivers only to the right locations (such as Atlanta, Boston or Denver), or change the creative so that it is personalized for the shopper. For example, let’s say Vendor A is a measurement vendor. Depending on the contract with Vendor A, they could use the data only for delivering information back to the advertiser or use the information collected for its own purposes.
Let me repeat that: If your company allows advertisements on its site, you could have a vendor hired by an advertiser collecting information about your company site and using that information for its own purposes. Behind the scenes, these companies are sharing, selling, and buying data to make online advertising happen. This data is used not only in online advertisements but also in email marketing. That’s how marketers know who opened which email and clicked on a link. To conduct all these marketing activities, some companies work with just a select handful of tags while others can have more than 100 tags on their site.
Security Concerns
While these ad tags can provide great value to marketers, they also pose significant risks including security, site latency, and data leakage.
Malware
Malware can creep into ad tags. When it’s exposed on a high-traffic website, thousands of computers could potentially become exposed and compromised quickly. In 2017, Equifax experienced malware in a lesser publicized breach related to online advertisements on its website. As quoted in CNET, “An Equifax representative said in a statement that the problem was coming from a third-party company that analyzes data on the Equifax website. ‘That vendor's code running on an Equifax website was serving malicious content,’ the representative said.”
An organization like the Trustworthy Accountability Group (TAG) offers a variety of resources designed to help companies learn how to combat malware including a “Certified Against Malware Program” designed to help companies secure their digital advertising supply chain.
Site Latency
Ad tags also cause site latency issues. When ad tags slow a site down, revenue loss may result. Webpage load time is a critical component of user experience to the point that some companies lock down adding any new ad tags when a site loads too slowly. At a cybersecurity event, a CISO once told me that she could not get a security-focused tag on her company’s site because of site latency concerns. I suggested she conduct a marketing ad tag audit. If an ad tag was up but no longer needed, it should be removed to give her room to put her security tag on the site.
Data Leakage Concerns
Most pixels on a website are from a third-party vendor to perform a certain function on the site like measurement, advertising, or collecting and selling data to another third party. The company should know the function of each pixel on the website and have an agreement either directly with the third party or by ensuring that the marketing agency has an agreement. That agreement needs to clearly outline what can and cannot be done with the data. Many existing arrangements allow the third party to aggregate the data for its own purposes. But what does that mean? Does that include just analyzing that it collected 10 million data points? Or can it use the aggregate information to sell or share with others (such as a competitor)?
What to Do
Data is a company asset and you want to protect it. You don’t want bad actors using it for their own purposes. It’s critical to do due diligence to peel back the onion layers on these companies. Otherwise, data leakage hurts marketing efforts as it depreciates the data in the marketplace. Adware, site latency, and the ability for bad actors to get through to your site from ad tags are real risks. Here’s how you can prevent those risks.
- Pixel Audit: As a first step to find out how many pixels are on a site, use the free plugin, Ghostery. It will let you see what tags are on a site and give you the ability to block them. Additional tools from other companies are available that show a hub and spoke visual of ad tags that provides clarity on which tags may let others in (i.e. piggybacking).
- Pixel Governance: In addition to legal contracts for ad tags, a pixel governance process should exist. Many companies have a tag manager which helps with tag visibility and limits who can place a tag on the site. However, a tag management system just puts them all in one basket and does not address whether the tag should be there in the first place. The governance process should start with a basic assessment of the pixel’s purpose, vetting of the third-party pixel, identifying the internal owner, and stating how long it needs to be on the site.
- Pixel Maintenance: Once a pixel has been approved, a company should conduct ongoing pixel tag audits to ensure pixels slated to come down have been removed. Place vetted and approved pixels on a whitelist, and place those with a problem on a blacklist. Doing ongoing site performance scans can also identify any pixels that may slow the site down.
Through a repeatable plug and play process, companies can control the ad tags on their site to allow marketers to do their jobs while also mitigating security, data leakage, and site latency risks. A strong privacy program will include a well-orchestrated pixel governance process that includes ongoing audits, management of new and existing pixels, and thorough third party management.
With each pixel, a company is entrusting the website with this third party. Revenue, site performance, and protecting data is on the line with each pixel placed. Therefore, it is critical to perform due diligence that only allows trusted companies on the site. These activities position companies to successfully comply with privacy laws including managing individual rights and reducing data breach risks.