Protect Your Brand from Tag Piggybacking Risks

April 2, 2017 - Ensighten

Tag basics

Tags are the technical mechanism for collecting data from a digital property, typically requiring that a small snippet of code be placed on the website/app . Tags serve a variety of purposes such as collecting data from web browsers, setting cookies, extending audiences between multiple websites, incorporating 3rd party technologies into a website, etc. Data that is collected from these tags power marketing campaigns, personalization, advertising, web analytics systems and a host of other important marketing responsibilities.

This data can either be passed to a server owned and managed by the current website owner or to another company entirely. Tags themselves can them be categorized in two ways: first-party tags which collect data on the same domain, and third-party tags which collect data on a third-party domain, giving them insights into your internet browsing behavior across multiple web properties. For example, when visiting a tag passing information to “” would be considered first-party while a tag from “” would be third-party because the top level domain, “”, is different.


What is tag piggybacking?

The most basic definition of tag piggy-backing, also referred to as daisy-chaining or chaining, is when one tag invokes another tag. Piggybacking can add dozens or hundreds of additional tags and introduce services that the digital property owner may not be aware of. This is often encountered when a container-like tag (ex: DoubleClick Floodlight) is placed on a site for marketing purposes, and then overloaded with tag calls for additional vendors.  In the following example, we can see an AppNexus tag piggybacking off a standard DoubleClick Floodlight tag:

Tag Piggybacking Example

In the following extreme example, we can see piggybacking resulting in multiple tag-to-tag instantiations:

Multi-level Tag Piggybacking Example

Without constant monitoring/auditing, this type of multi-level tag handoff is extremely difficult to manage. Ensighten completed a recent industry audit of almost 1500 digital properties and on average there were 49 piggybacked tags, with the worst offender having 144! When a tag is invoked via piggybacking, you don’t have visibility or control over what information it receives, but you may be legally responsible for it.


Risks, limitations and issues related to piggybacking

There are several items to be aware of when dealing with piggybacked tags:

  • Data leakage: Your valuable customer data (including PII) can be passed to a piggybacked tag without your knowledge or consent. If the data in question is available in-session, it can typically be captured via tags.
  • Poor website performance and data loss due to tag loading issues: Every tag that loads has an impact on your site performance. Slow loading tags at the top of your page can block the page from loading, decrease time to interactivity or impact data collection.
  • Malicious code installation: Malicious code can be installed on your site or on your customer’s device via tag piggybacking, granting access to any personal information users give you.
  • Inability to comply with privacy regulations: When a piggybacked tag fires, you don’t have visibility over what information it receives, which immediately puts you out of compliance with global privacy regulations like the EU’s GDPR.
  • Breaks in security/SSL: A tag that violates your website security will throw a glaring warning to your end-users and potentially break checkout flows and impact revenue.


Next steps: Protect your brand

For the best approach to protecting your brand, we recommend using a real time blocking tool that allows the brand to protect against unauthorized data collection across all tags (even tags deployed outside of a TMS). One of the best options on the market for complete protection is our own Ensighten Privacy. It includes complete control, insight and risk assessment into your tags and what we consider to be key areas:

  • How many unique tags are on your website?
  • How many of those tags are loaded via tag piggybacking?
  • How many of those tags are sharing your customer’s data and violating brand privacy and security policies?
  • Blocking of all tags with one line of code
  • Monitoring real user interaction to catalogue data collection points
  • Notification when even a single user sees a new data collection point

If you’d like to learn more about tag piggybacking, how Ensighten can help protect your brand or how Ensighten can make your global digital properties compliant with the EU GDPR, contact us today.