In this article, we will cover strategies that your organization can use with Diagnose's dashboards to improve the compliance score of your properties.
- Review vendors triggered prior to consent
- Review non-disclosed vendors observed
- Review disclosed vendors
- Review cookies with long lifespans
- Review possible fingerprinting
- Review data leaving the EEA
Review vendors triggered prior to consent
As per GDPR and the ePrivacy Directive, only vendors with a strictly necessary function should trigger prior to consent.
The first step to improve a publisher's compliance score is typically to understand the vendors that trigger on your properties prior to consent. Below are strategies you can implement to analyze vendors triggered prior to consent using the Vendors Triggered Prior to Consent Dashboard:
We recommend examining the referrer vendors who trigger prior to consent and identifying any common themes. A referrer vendor is the vendor identified as owning the last web address accessed by the browser before the vendor in question was triggered.
Story from the field
A publisher found that 90% of vendors triggered prior to consent were being triggered by a single referrer vendor. By moving the referrer vendor behind consent, this publisher was able to prevent all of these vendors from firing before consent and improve their compliance score within 24 hours.
Prioritize vendors triggering prior to consent by sorting their prevalence % from highest to lowest using the filters on the detailed breakdown. Start by identifying these ad tech partners and investigate why they are triggering before consent.
Vendors with a prevalence of over 20% on your properties are very likely to be triggering prior to consent on a significant number of the scans, and are therefore the most relevant ones to address.
Your organization can also focus on those vendors who have dropped cookies (persistent or session) since not all triggered vendors actually access the storage of the device. Use the provided column filter for Information Storage/Access to narrow down the list of vendors triggered before consent.
Using this information in combination with the Technology Categorisation column, you can pinpoint the vendors who drop strictly necessary cookies versus those who drop advertising cookies. Advertising cookies dropped before consent go directly against GDPR and the ePrivacy Directive, and you should take action to prevent these cookies from being set before consent has been given.
Use the vendor type column to check if the majority of vendors are IAB vendors. If yes, are they relying on legitimate interest on your vendor list? Are they ad tech partners? If so, you may need to work with your DPO to reconsider their purpose classification.
Additionally, if a large number of IAB vendors are triggering prior to consent on your site, the TCF stub file (__tcfapi) may not be firing until after your ad tags. Check to make sure the TCF stub file has been implemented before any ad tags and as high up in the header as possible.
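As an added example (not Sourcepoint's or any CMP's own code) of keeping a non-essential vendor tag behind the stub, the snippet below registers a TCF v2 listener through __tcfapi and only inserts the tag once consent for that vendor and its purposes is reported. It assumes the stub is already in the head before this script; the vendor id, purposes and tag URL are placeholders.

```javascript
// Added example, not Sourcepoint's or any CMP's code: load a non-essential vendor
// tag only once the TCF v2 API reports consent for it. Assumes the TCF stub
// (window.__tcfapi) is placed in the <head> before this script and before any ad tag.
const EXAMPLE_VENDOR_ID = 9999;   // placeholder GVL id, not a real vendor
const REQUIRED_PURPOSES = [1, 3]; // placeholder purposes the tag needs consent for

// Pure decision: may this vendor's tag load, given a TCData object from the CMP?
function vendorMayLoad(tcData, vendorId, purposeIds) {
  if (!tcData || typeof tcData !== "object") return false;
  // Act only on a final signal: a stored TC string was loaded, or the user finished the UI.
  if (tcData.eventStatus !== "tcloaded" && tcData.eventStatus !== "useractioncomplete") return false;
  // GDPR does not apply to this user: no consent gate is needed.
  if (tcData.gdprApplies === false) return true;
  const vendorConsents = (tcData.vendor && tcData.vendor.consents) || {};
  const purposeConsents = (tcData.purpose && tcData.purpose.consents) || {};
  return vendorConsents[vendorId] === true && purposeIds.every((p) => purposeConsents[p] === true);
}

// Wire the decision to the CMP. Returns false and loads nothing when the stub is
// absent, which is the situation where __tcfapi is not defined before the ad tags.
function gateVendorTag(vendorId, purposeIds, loadTag, api = globalThis.__tcfapi) {
  if (typeof api !== "function") {
    console.warn("__tcfapi not found before vendor tag; refusing to load it");
    return false;
  }
  let loaded = false;
  api("addEventListener", 2, (tcData, success) => {
    if (!success || loaded) return;
    if (vendorMayLoad(tcData, vendorId, purposeIds)) {
      loaded = true;
      loadTag(); // e.g. append the vendor's <script> element
    }
  });
  return true;
}

// Typical page usage; the loader runs only after the CMP confirms consent.
gateVendorTag(EXAMPLE_VENDOR_ID, REQUIRED_PURPOSES, () => {
  const s = document.createElement("script");
  s.src = "https://vendor.example/tag.js"; // placeholder URL
  document.head.appendChild(s);
});
```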
Sometimes a historical tag wrapping or implementation applied to certain vendors causes them to trigger before consent. This might have been put in place before the TCF created a Global Vendor List.
Story from the field
A publisher found that a historical implementation was causing a specific vendor to drop before consent, who in turn referred multiple other vendors. This vendor is registered with the TCF and should not have fired before consent but the on-page implementation was overriding this.
Review non-disclosed vendors observed
Below are recommendations on how to improve your compliance score using the Non-disclosed Vendors Observed dashboard depending on your CMP.
If your sites are integrated with the Sourcepoint CMP, we will automatically pull in all of the vendors from your vendor list into Diagnose, so we can ensure that every vendor who is on your vendor list has been accounted for in the scans.
However, many publishers find that our scans identify vendors who are active on their site, but have not yet been added to the vendor list. It is a requirement to declare all of the technology vendors active on your site, and this list will help manage those not on the vendor list. Additionally, many of our publishers have been able to identify vendors with historical integrations who they no longer have partnerships with and remove them from the site. Sort by prevalence on your properties to identify technology that is on-site.
If you use an alternative CMP provider, Sourcepoint is only able to accurately map the IAB and Google ATP vendors to the Disclosed Vendors list, since non-IAB vendors use different mappings which we cannot automatically detect.
One strategy is to examine the referrer vendor to see whether any vendors on your vendor list are unknowingly referring additional vendors onto your properties.
Story from the field
Our scans revealed for a publisher that a vendor on their vendor list was unknowingly referring multiple vendors onto the properties. Finding this activity enabled the publisher to take action and decide whether to add these vendors to the vendor list or reach out to the initial vendor and ask them to stop referring these additional vendors.
Review disclosed vendors
Having a large vendor list is not in itself non-compliant, but it can be cumbersome to manage, and in practice most publishers are not actually working with all 800+ vendors in the TCF Framework.
Every vendor on your vendor list has access to your end users' data. If you have surplus vendors beyond the ones you actually use, you are leaving yourself open to data leakage, as end-user data is passed through a longer chain.
Reduce your vendor list to the partners you actually work with. Use the Disclosed Vendors dashboard to identify the vendors who are on your vendor list but have less than 2% prevalence in the scans running on your site. Because they are seen so rarely, you can remove them from your list with almost no revenue impact. Most publishers work with between 150 and 200 vendors within the TCF list, and removing 500+ vendors has little to no impact on revenue.
Additionally, reducing the size of your TCString can also benefit the performance of your site and ads loading, since ad partners will receive the consent string sooner.
Story from the field
One of our publishers removed 200+ vendors from their list after Diagnose identified a large number of vendors with less than 2% prevalence. The result was a 0% decrease in revenue and a much more manageable list of vendors.
Review cookies with long lifespans
It is a GDPR requirement that personal data is not kept for longer than 13 months. Most cookies should therefore not have a duration of more than 13 months, and it is up to the vendor to set these durations. Below is a strategy to implement using the Cookies with Long Lifespans dashboard:
Sort the Cookies with Long Lifespans dashboard by prevalence from highest to lowest to understand how common these cookies are on your properties, and prioritise those with a prevalence higher than 20%.
- For first-party cookies (those managed by your organization), ensure the duration is 13 months or less, or talk to your DPO to understand whether a longer duration is strictly necessary.
- For third-party cookies, reach out to the partner directly and ask them to reduce the lifespan or to explain the set duration. Pass this by your DPO to be sure.
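The check described above can also be run over raw Set-Cookie headers captured from your properties. The block below is an added example, not Diagnose's own logic: it parses each header, computes the declared lifespan (Max-Age taking precedence over Expires) and reports cookies that outlive 13 calendar months from a reference date. The sample headers are constructed.

```javascript
// Added example, not Diagnose's own logic: flag Set-Cookie values whose declared
// lifespan runs past 13 calendar months from a reference date.
const MONTH_LIMIT = 13;

// Parse one Set-Cookie header value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim()).filter(Boolean);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    const key = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq < 0 ? true : part.slice(eq + 1).trim();
  }
  return { name: (parts[0] || "").split("=")[0].trim(), attrs };
}

// Declared lifespan in milliseconds, or null for a session cookie.
// Max-Age takes precedence over Expires (RFC 6265, section 5.3).
function lifespanMs(header, now) {
  const { attrs } = parseSetCookie(header);
  if (typeof attrs["max-age"] === "string") {
    const secs = Number(attrs["max-age"]);
    return Number.isFinite(secs) ? secs * 1000 : null;
  }
  if (typeof attrs.expires === "string") {
    const ms = Date.parse(attrs.expires) - now.getTime();
    return Number.isNaN(ms) ? null : ms;
  }
  return null;
}

// True when the cookie outlives now + 13 months; session cookies never do.
function exceedsThirteenMonths(header, now) {
  const ms = lifespanMs(header, now);
  if (ms === null) return false;
  const limit = new Date(now.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + MONTH_LIMIT);
  return ms > limit.getTime() - now.getTime();
}

// Names of the long-lived cookies in a batch, for follow-up with the vendor or your DPO.
function longLivedCookies(headers, now) {
  return headers.filter((h) => exceedsThirteenMonths(h, now)).map((h) => parseSetCookie(h).name);
}

// Constructed sample headers (not from a real scan), evaluated at a fixed reference date.
const REFERENCE_DATE = new Date("2024-01-15T00:00:00Z");
const SAMPLE_SET_COOKIES = [
  "sessid=abc123; Path=/; HttpOnly; Secure",                   // session cookie: no lifespan
  "_pref=1; Max-Age=31536000; Path=/",                         // 365 days: within the limit
  "_trk=xyz; Max-Age=63072000; Path=/; Secure; SameSite=None", // 730 days: too long
  "_ad=q; Expires=Thu, 15 Jan 2026 00:00:00 GMT; Path=/",      // about 2 years: too long
];
```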
Review possible fingerprinting
Whether vendors who use technology similar to fingerprinting are allowed differs per publisher; some clients allow this behaviour while others do not. It is up to your Privacy Team or DPO to define your internal policy regarding this behaviour.
If your organization does not allow fingerprinting, use the Possible Fingerprinting dashboard to approach specific vendors, understand why our systems have flagged fingerprinting-like technology, and establish what they are doing with it. Sort by prevalence to identify the more common vendors.
Review data leaving the EEA
The Data Leaving the EEA dashboard helps to identify vendors who have servers located outside the EEA, which can be a compliance risk under GDPR.
Use this dashboard to understand which of the partners you work with have non-EU servers, and either ensure with your DPO that you have adequate agreements in place or reach out to these vendors for clarification. Sort by prevalence to identify the more common vendors.