This is a guest post written by Matthew La Fontaine, in collaboration with the Piwik PRO tag management and web analytics team.
Are you absolutely certain you’ve done everything possible to secure the setup you’re running your tag management system (TMS) on?
It’s better you get the bad news here than from someone else: If you’re using a TMS (and you really should be using a TMS!), chances are you’re screwing up some really important things. Therefore you’re putting yourself at risk.
What kind of risk do we mean?
Compliance problems can cost your company BIG money in the form of heavy fines. You can learn more about this in this blog post about the EU’s General Data Protection Regulation.
Worse than that, if people don’t trust your brand, they won’t do business with you. Collecting and processing large amounts of data means you are facing a great responsibility. Breaches, leaks, and other failures will have a measurable financial impact on your bottom line and damage your brand.
One of the things most people have trouble with is keeping their tag management setup secure. Tag management and user tracking in general have a lot of moving parts, and you can experience all sorts of problems like:
- Insufficient technical knowledge of marketing team members – configuring advanced triggers, working with variables, and navigating the data layer can pose problems for the uninitiated
- Poor planning and communication between those responsible for website development and marketing
- No proper QA process in place
- The time-consuming nature of dealing with tags
- Privacy considerations – an opt-out page needs to be configured, and functional tags should be set up to fire regardless of whether a user opts out of tracking tags
In this blog post, I’d like to share with you 6 vital things our experts believe you need to focus on for a safe tag management setup.
Keep reading to learn how you can get a clean bill of tag management data security health.
1. Every pixel and tag fired from your website should be audited, as well as pixel redirects and additional calls
First, perform a detailed audit using a tool such as Tag Inspector. It will give you a complete list of the tags and pixels firing on your website, whether they come from a tag manager or are embedded directly in the source code. A smart move would also be to install the Tag Inspector browser plug-in for on-the-fly website checks.
With this full list of tags and pixels from your website, you can research each of them and determine on an individual basis which ones are privacy threats. The next step is to then decide which tags can be fired on every page, and which ones require certain restrictions.
As we’ve already mentioned, there is a difference between tracking tags (following user behavior) and functional tags (tags which enable functionality of a website). Privacy protection settings should be designed to let users opt out of tracking tags, but they should leave the functional tags in place so your website works the way it’s supposed to.
Another part of this audit is a review of the value of tags and pixels. You should look carefully to see if you’re firing tags from vendors that you don’t have a relationship with anymore. There could also be legacy tags and duplicated tags which hurt performance but, more importantly, pose a security risk.
A good rule of thumb is to eliminate tags from your setup if nobody from your team can tell you what they are, what they do, and who they are from.
TAKE ACTION: Install Tag Inspector or another similar plugin to generate a list of all tags and pixels on your site. Audit them and get rid of the ones you don’t need.
2. Particularly data-sensitive pages and areas should have a limited number of tags. If your TMS allows you to create blacklists and whitelists, take advantage of this feature.
Many websites have areas of special privacy concern. One good example is bank websites: lead capture forms and login pages can collect sensitive data and leave it exposed.
Although more and more websites are employing SSL certificates across all pages, a green HTTPS indicator in the browser doesn’t mean you can stop thinking about what happens on the page. HTTPS protects data in transit; it does not limit what a tag running on the page can read.
For instance, some tools used for click heat maps and user video recording may actually capture visual screens of forms filled in by users with sensitive data.
We recommend creating a whitelist of tags which can be fired on your website’s data-sensitive pages, as well as a blacklist of those which pose threats to user privacy. This is why it’s important to use a TMS which offers whitelisting and blacklisting functionality.
TAKE ACTION: Create a tag blacklist/whitelist and implement it in your TMS.
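One way to check an audit inventory (point 1) against a whitelist/blacklist policy for data-sensitive pages, as an added example that is not part of the original post or any TMS product. The policy shape, hostnames and paths are constructed placeholders.

```javascript
// Constructed policy: every hostname and path below is a placeholder.
const policy = {
  sensitivePrefixes: ["/login", "/apply"],   // data-sensitive areas of the site
  sensitiveAllowlist: ["bank.example"],      // only these may fire there
  blocklist: ["heatmap-vendor.example"],     // never allowed on any page
  inventory: ["bank.example", "analytics-vendor.example"], // documented vendors
};

// True when host is the domain itself or a real subdomain of it.
// A bare endsWith(domain) would also accept "otherbank.example".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function matchesAny(host, domains) {
  return domains.some((d) => hostMatches(host, d));
}

// requests: [{ page, url }] as collected by a tag audit tool or crawl.
function auditRequests(requests, p) {
  const findings = [];
  for (const { page, url } of requests) {
    const host = new URL(url).hostname.toLowerCase();
    const sensitive = p.sensitivePrefixes.some((pre) => page.startsWith(pre));
    let verdict = null;
    if (matchesAny(host, p.blocklist)) verdict = "blocklisted";
    else if (sensitive && !matchesAny(host, p.sensitiveAllowlist))
      verdict = "not-allowlisted-on-sensitive-page";
    else if (!matchesAny(host, p.inventory)) verdict = "unknown-vendor";
    if (verdict) findings.push({ page, host, verdict });
  }
  return findings;
}

// Constructed sample of requests observed during an audit.
const observed = [
  { page: "/", url: "https://cdn.analytics-vendor.example/t.js" },
  { page: "/login", url: "https://tags.bank.example/container.js" },
  { page: "/login", url: "https://cdn.analytics-vendor.example/t.js" },
  { page: "/blog", url: "https://rec.heatmap-vendor.example/r.js" },
  { page: "/blog", url: "https://otherbank.example/x.gif" },
];

console.log(auditRequests(observed, policy));
```

The same analytics tag passes on the home page and is flagged on /login, which is the distinction a per-page whitelist is meant to enforce.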
3. Limit the amount of first-party data collection you do
When verifying tags on your list (see point 1), check and see which of them are using first-party data. Every piece of data you collect leaves you open to compliance problems, especially in the dynamic regulatory environment.
Think long and hard about whether you need to be gathering a given piece of information on data-sensitive pages, as well as in other places on your website. If you’re in doubt as to whether you should be tracking something, consult your legal team for assistance.
Read up on the 7suite blog about data collection and drawing up a data management plan for your organization.
It’s best to avoid collecting personally identifiable data like IP addresses or e-mail addresses with your tags and pixels. If you do decide you want to track this data, make sure you get proper consent from the visitor for what you plan to use the data for. Also ensure that you comply with storage and access-control regulations, and that you enforce SSL on the pages where it happens.
TAKE ACTION: Do an audit of the first-party data you’re gathering. If you’re not sure about compliance, ask your legal team. Draw up a plan to limit how much sensitive data you collect.
4. Watch out for tags you don’t need which can be sources of data leakage. Don’t pass user data along to another marketer’s campaign
When you’re evaluating the list of tags and pixels fired on your website (points 1 and 2), check if all the tags belong to you. Verify that tracking pixels like Facebook, AdWords, or DoubleClick are attached to your advertising account and not someone else’s.
The same applies for web analytics trackers like Google Analytics. Make sure your GA tracker is assigned to your account and not another. This is much easier to do if pixels and tags are being fired via a TMS. In the event you find a tag that does not belong to you, your TMS should also allow you to verify who implemented it and when.
TAKE ACTION: When you’re auditing your tags and pixels (see point 1), check their settings to make sure they are assigned to your account. If not, change the settings or dump the tag/pixel.
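The ownership check described above can be scripted over the request URLs from your audit. This is an added example, not code from the original post: it reads the account ID from the Google Analytics `tid` parameter and the Facebook pixel `id` parameter and compares it with IDs you own. The owned IDs and sample URLs are constructed placeholders.

```javascript
// Account IDs this organisation owns (constructed placeholder values).
const ownedIds = {
  "google-analytics": ["UA-000000-1"],
  "facebook-pixel": ["100000000000001"],
};

// Where each vendor carries its account ID in the tag request.
// Requests that match no extractor are skipped, not guessed at.
const extractors = [
  { vendor: "google-analytics", host: "www.google-analytics.com",
    path: /\/collect$/, param: "tid" },
  { vendor: "facebook-pixel", host: "www.facebook.com",
    path: /^\/tr\/?$/, param: "id" },
];

function checkOwnership(urls, owned) {
  const report = [];
  for (const raw of urls) {
    const u = new URL(raw);
    const ex = extractors.find(
      (e) => e.host === u.hostname && e.path.test(u.pathname));
    if (!ex) continue;
    const id = u.searchParams.get(ex.param);
    let status;
    if (!id) status = "missing-id";
    else if ((owned[ex.vendor] || []).includes(id)) status = "owned";
    else status = "foreign-account";
    report.push({ vendor: ex.vendor, id, status });
  }
  return report;
}

// Constructed sample of tag requests captured during an audit.
const sampleRequests = [
  "https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&t=pageview",
  "https://www.google-analytics.com/j/collect?v=1&tid=UA-999999-9&t=pageview",
  "https://www.facebook.com/tr?id=100000000000001&ev=PageView",
  "https://www.facebook.com/tr?ev=PageView",
  "https://cdn.example/app.js",
];

console.log(checkOwnership(sampleRequests, ownedIds));
```

Any entry reported as foreign-account is a tag sending your visitors' data to someone else's account and should be traced back to whoever added it.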
5. Make sure you’re up to date with vendor tag code and version changes.
Load self-hosted vendor tags whenever it’s feasible to do so. It’s also a good practice to check regularly whether vendors have made any updates which would require revisions to tag and pixel code.
A proper Tag Manager with tag templates should handle updates automatically. Custom HTML tags, however, need to be dealt with manually, which requires some time and effort on your end.
This will be easier if you keep the number of common cookie tags as low as possible. Try to limit the presence of common tags from Google Analytics and AdWords that share data about your users anonymously with advertisers using AdWords and DoubleClick.
This same rule applies to Facebook pixels and other third-party Ad Networks. The fewer of these you need to keep track of, the easier your job will be.
TAKE ACTION: Draft and implement a policy for checking for updates that ensures you check at regular intervals for new software versions.
6. Be on top of permissions and access rights
Access to a TMS gives a user a large amount of power. Be careful about the number of people in your organization who can modify your tag management setup.
This means you need to keep a number of important things in mind:
- Password policies
- Restricting the number of employees with the freedom to add and modify tags
- Which teams and which individuals (in terms of position, seniority, required technical knowledge) in your organization are able to access your TMS
Some good information about permissions and access rights in Google Tag Manager can be found in this blog post by Curamando.
The obvious and most effective thing to do is to put comprehensive access and password policies in place. Then just be sure that you enforce them strictly!
You can also find great ideas on how to create and maintain your own comprehensive tag policy in this webinar resources section from Tag Inspector.
TAKE ACTION: Draft and implement access and password policies for your TMS. Limit the people with the power to change something in the setup, and make it clear who is responsible for what actions.
Like we said, there are a lot of moving parts in the business of tag management. Although a good Tag Management System will help you automate processes, thereby saving time and money, it won’t eliminate the risks associated with the security of your digital setup.
We’ve done our best in this blog post to present the issues we think are crucial in being safe, secure, and compliant. Take these tips and use them to reduce compliance risks in your organization by enhancing protection of your users’ sensitive data.
This post was written by Matthew La Fontaine and the Piwik PRO tag management and web analytics team. Piwik PRO provides enterprise-grade web analytics and tag management services in both On-Premises and Cloud models.