Vendor Management: We Don't Get Fooled Again

Halting the race to the bottom

Gavin Dunaway recaps an AdMonsters Think Tank where publishers recognize the necessity of holding all vendors to account as we venture into a post-third-party-cookie world.

Years ago, I was leading a roundtable discussion on data management at an AdMonsters Publisher Forum, and I asked a group of publishers, “So how about preventing data leakage—what’s the strategy there?”

All the eyes at the roundtable shot furtive looks to each other. Finally, one ad ops director spoke. “We already lost that fight.” The others grimaced and nodded their heads in agreement.

Since the dawn of third-party ad serving, advertisers have sent their creatives laden with third parties that scrape publisher data via cookies—often to sell that data right back to advertisers. Other data plays used alternative avenues to skim publisher audience characteristics for profit—but still through digital advertising channels and third-party cookies. 

So you can imagine why many premium publishers were excited to hear of the third-party cookie’s imminent demise—it's an opportunity for them to take the offensive in the data wars and stop the “race to the bottom.”

However, the unknowns are daunting, particularly when it comes to publisher monetization partners. It’s clear vendors can’t be allowed to run roughshod all over sites again, enriching themselves off of looted data. But can the vendor presence be tightly regulated—especially when most third-party-cookie alternatives are still maturing and there’s confusion over processes and sharing?

This was the question at the center of the Think Tank closed-door discussion group The Media Trust held recently with AdMonsters focusing on vendor management. The simple answer (that begs a million more questions): publishers need to know every provider coming onto their property and what their code is doing so they can decide what actions to authorize.

What a Tangled Vendor Web We Weave

The vendor management discussion, though, is bigger than just data protection. This group in particular was composed of next-generation publishing houses—umbrella organizations that provide infrastructure for notable publisher brands (sometimes quite disparate ones in terms of subject matter). While all of the companies strove for vendor uniformity—and some boasted success—situations on the ground often complicated this goal.

How do you stay on top of all these relationships and ensure your providers are meeting their commitments across the diaspora?

First off, several of the companies had grown via acquisition. Mergers are multi-level madness, and sometimes keeping high-performing vendor relationships in place can be more important than uniformity. (If it ain’t broke…)

Second, several Think Tank participants mentioned that different vendors across properties might make more sense due to site content. What if some of your properties are more consumer focused while others are focused on industry developments? A health and wellness site brings in quite different advertising (with different regulatory requirements) versus a consumer technology review depot. Selecting different SSPs and data partners on a site-by-site basis to focus on excellent service is probably wise—even if it means a tangled web of vendor relationships.

How do you stay on top of all these relationships and ensure your providers are meeting their commitments across the diaspora? A few attendees mentioned that while development teams are typically focused on individual sites—and definitely not experts in AdTech or data services—ad ops is often in an advantageous centralized role, offering a great vantage of the overall workings and potentially directing where the business heads. (One attendee called it a “privileged position.”)

With the right tools, they can best keep track of what third parties are doing on each publisher brand, as well as gauge new opportunities or decide when uniformity makes more sense. If you can’t incorporate uniformity, you damn well better have consistency in management.

Data Under Lockdown

Knowing who is doing what and where is doubly important when it comes to data protection. The demise of the third-party has brought vendors out of the woodwork to present publishers with untested solutions. Publishers are rightfully wary as they seek to protect both their burgeoning first-party data monetization plans and the privacy of their audiences.

A lot of newfangled data companies “are trying to get us into contracts now and deploy scripts that could potentially do anything,” one Think Tank attendee said. “Beyond data leakage, it’s a huge information security risk that is probably going to cost publishers significantly downstream.”

At the same time, it’s hard to pass up on revenue opportunities as the pandemic-driven slowdown recedes. While the publishers on the Think Tank were confident about their internal efforts to segment consumer data and offer advertisers robust cross-site targeting, they were less enthusiastic about what their partners were up to on site, and the fourth and fifth parties they were letting through the door. 

A lot of newfangled data companies “are trying to get us into contracts now and deploy scripts that could potentially do anything. Beyond data leakage, it’s a huge information security risk that is probably going to cost publishers significantly downstream.”

For one of the attendees, Mission: Plug Data Leaks starts with fully understanding all the third-party code currently being used—every bit of JavaScript must have a purpose and/or revenue alignment. Integrations with monetization partners are being heavily scrutinized. And this is not a task that can be ceded to scattered development teams lacking in AdTech knowledge—or vital experience.

While you can’t completely determine what a third-party’s JavaScript is up to, you can assess where the code is coming from, where it’s calling to and who it’s communicating with, and whether it’s behaving in the documented manner that was supplied to the publisher. And of course, you can tell when it’s appearing when it’s not supposed to—or you simply didn’t authorize it.

Although JavaScript can obscure a vendor’s ultimate intentions, there’s enough that can be discerned from client-side scanning and industry knowledge (and experience) to paint a picture, and empower publisher ad ops’ decision-making on authorizing or denying site access. 

Up for the Task?

However, as ad ops’ primary function is increasingly driving revenue, they need a tool for keeping their various vendor relationships in check. And not all vendor management systems are created equal.

“A lot of the companies I see tracking pixels or data just list them, and that’s no help at all to me,” one participant lamented. “I can’t go investigating for five hours what this thing is doing, why is it here, where did it come from. I need a better idea of what this specific pixel is doing in plain english.”

In venturing into the post-third-party-cookie world, publishers are utterly determined to protect their very valuable first-party data. Acknowledging all the unknowns floating around during this awkward transition, most have realized the importance of ensuring they are in control of all partners operating on their properties.

Fortunately, there are tools to help with that daunting task.