If you use technologies like trackers and cookies to collect and process user data, you need to implement a Consent Management Platform (CMP) to comply with regulations like Europe’s GDPR, Québec’s Law 25, and a few others.
In that process, you must identify all the vendors that drop trackers on your websites, configure them and their purpose, and maintain that list over time to reflect which vendors are active.
This is a massive undertaking.
This article reviews how you can go about this process and why it matters before introducing you to Didomi’s Advanced Compliance Monitoring, our solution for organizations to approach their website governance and compliance.
Related reading: Do you want to know how many vendors you should declare in your vendor list? Check out our article on the topic, introducing our Vendor Balance Ratio (BR):
Why does managing your vendor list matter?
We’ve covered how to reduce your vendor list in the past, but since that article, a lot has changed in the AdTech and data privacy landscape, and it’s important to remember why managing your vendor list matters in the first place.
Ultimately, it comes down to three main reasons: compliance, monetization, and user experience.
Reason 1: Complying with global regulations and industry standards
Today, over 150 territories have enacted comprehensive data protection laws, from Europe to Japan, India, Brazil, South Korea, and the patchwork of laws in the United States.
Many of these regulations incorporate the notion of consent as a legal basis for data collection, something that can be managed with a Consent Management Platform (CMP) such as ours at Didomi. The GDPR - widely considered as the golden standard for data protection regulation - defines valid consent as follows:
“Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.”
- General Data Protection Regulation (GDPR) (Source: Eur.lex)
For this requirement to be fulfilled, organizations must transparently inform their users about everything that will happen to their data, including the third party that will have access to it after clicking “Accept.”
The question of the vendor list became an even bigger issue in early 2022, when the Belgian Data Protection Authority (APD) fined IAB Europe under the reasoning that users cannot reasonably give informed consent for hundreds of vendors, rendering user consent invalid as a result. This has led to a new iteration of IAB Europe’s Transparency and Consent Framework (TCF), the TCF v2.2, which now requires organizations to display vendors in the first layer of the consent banner, among other changes.
Today, over 15% of websites have more vendors dropping trackers than disclosed in their consent notices. This is not only a security liability related to privacy breaches but also a major compliance faux pas, which could result in loss of user trust and massive fines.
TCF v2.2 study: Compliance with TCF v2.2 is mandatory for all TCF participants since November 20th, 2023. Ahead of that date, the Didomi team has researched the latest iteration of the framework, including adoption, impact on consent rates, and more.
Download the whitepaper here (no email required):
Reason 2: Optimizing monetization best practices
Taking a step aside from compliance, another massively important reason for organizations to manage their vendor activities is to optimize monetization.
When auditing their vendor list, organizations should be able to determine whether vendors are dropping trackers without consent, exposing them to legal trouble, but also to draw further conclusions about the state of their vendor ecosystem:
- How do vendors interact with each other?
- What trackers do they drop, and why?
- Do they provide any value? What would be the impact of removing them?
Regulations emphasize reducing the vendor list for compliance and user experience reasons, but it also makes sense from an ROI perspective. Why keep vendors that are not bringing any revenue when they could potentially damage your brand and jeopardize your compliance?
Reason 3: Providing the best possible experience to users
The last and too often overlooked reason for managing vendors and reducing one’s vendor list is user experience.
Using a CMP, organizations are not only able to collect, store, and leverage user consent but also to communicate transparently with their users about their data practices and to reassure them that their data is in safe hands, something that people have been increasingly concerned about:
- Only a third of online users feel their data is being used responsibly.
- 80% of consumers believe that transparency is essential for trusting a company or brand
- More than 30% of consumers consider more accurate privacy protection more important than lower prices.
Transparency goes a long way and is one of the critical components of a sound Privacy UX strategy, which is increasingly reflected in regulations and industry standards. The TCF v2.2, as mentioned earlier in the article, now requires participating organizations to display the number of vendors on the first layer of the consent banner, giving users more visibility at a glance.
To learn more about Privacy UX, visit our article on the topic:
{{what-is-privacy-ux}}
How to identify all the vendors that drop trackers on your websites?
There are three main methods to identify vendors that drop trackers on a website: manually, using a basic scanning solution, and with our Advanced Compliance Monitoring (ACM).
First method: Manually identifying and categorizing vendors
The first and most obvious solution is to do it all manually.
In short, the organization’s Data Protection Officer (DPO) and their team would have to identify all vendors manually, categorize them, clean the list up, and go through it regularly, updating it to ensure it’s up to date.
Keep in mind that, on average, players in the publishing industry have over 850 vendors declared in their CMP, making this method not only highly time-consuming and unscalable but also very risky from a compliance standpoint.
Second method: Using free compliance tools
The second method available is to leverage one of the free compliance tools available on the market, which can help identify issues and areas of improvement in your domains.
At Didomi, we provide a free compliance report that scans your website, providing you with insights on vendor activity (including trackers dropped) and giving you compliance recommendations and steps you can take to solve issues, if any.
This is a great first step and a much more resource-efficient way to get started with an audit of vendor and tracker activity. If you’re interested, head to our free compliance report and give it a shot:
{{get-your-compliance-report}}
Third method: Using the Advanced Compliance Monitoring
Finally, the third and last method is to use a dedicated, advanced product specifically to ensure compliance and transparency of their users’ privacy experience at any time.
At Didomi, we built Advanced Compliance Monitoring (ACM) to help organizations maximize business while staying compliant. The ACM allows them to monitor vendors' and trackers' activity automatically, identify compliance breaches, and take corrective actions automatically.
This is critical for several stakeholders internally:
- Project Managers are notified of new vendors that drop trackers on their websites, configure them, and maintain an accurate vendor list in the consent banner.
- Legal and privacy teams can identify trackers dropped in a non-compliant way to provide a 360° compliance audit and address technical teams with precise recommendations.
- Technical teams can understand non-compliance scenarios (are trackers dropped before user choice? Despite user refusal?) and implement corrective measures accordingly.
This third method is our recommendation, but how does it work exactly?
How does Advanced Compliance Monitoring work, and how to get started?
Advanced Compliance Monitoring (ACM) is the most advanced scanning solution of its kind in the industry, helping organizations stay on top of vendor and tracker activity.
Put simply, the technology uses an automated script that simulates scenarios to identify data privacy issues with regulations in place. For example, do vendors drop trackers despite user refusal or without any user action on the CMP? Is your consent banner up-to-date with the latest vendor list.
There are four components to the ACM:
1. Compliance scenarios
The ACM supports legal and privacy teams in performing compliance audits by automatically identifying trackers dropped without consent and despite refusal.
Once detected, these issues are disclosed in a Compliance Report so technical teams can take corrective measures.
2. Custom frequency
The ACM supports CMP Product Owners and DPOs by providing monthly, weekly, and/or daily frequency to monitor closely and frequently the compliance breaches and impacts of corrective actions.
3. Vendor and tracker analytics
Use our detailed analytics dashboards to quickly resolve compliance issues and optimize your vendor lists.
4. CMP Vendor Sync
The CMP Vendor Sync supports CMP project managers in keeping their vendor list current.
This is especially important given the increasing concern surrounding vendor list size, for example, in the TCF v2.2, which now states that the number of vendors should now be displayed in the first layer of the consent banner.
The ACM can monitor the vendor list by automatically identifying and configuring new active vendors, adding them to the CMP, and republishing the consent banner.
Interested in learning more about Advanced Compliance Monitoring and how it can help your compliance challenges? Get in touch with our team, and they’ll be able to answer all your questions:
{{talk-to-an-expert}}