"Rogue tags" and "piggybacking tags" are terms used in digital marketing and website management, particularly in the context of tracking technologies such as tags and cookies.

Rogue Tags

Rogue tags are unauthorized tracking tags added to a website without proper approval or oversight. These can come from third-party vendors, internal teams, or malicious actors, often bypassing governance policies. Rogue tags can include piggybacking tags.

Piggybacking Tags

Piggybacking tags are additional tags triggered by an authorized tag, often loaded by third-party vendors without explicit approval.

These tags can result in data security and privacy violations (GDPR, CCPA, etc.), website performance issues, and unauthorized data sharing.

ObservePoint Audits can help you identify these unwanted rogue and piggybacking tags and show you which technologies are ultimately responsible for initiating those tags

The Tag Initiators report allows users to see relationships between tags on a web page. Through inspection of this report you can see the tag responsible for requesting another unapproved tag.

The Privacy Tags report describe tags that are approved and unapproved. To truly monitor rogue and piggybacking tags at scale you need to leverage this report and the associated Consent Categories and Alerts capabilities.

The image below shows unapproved Google Tag Manager containers which are some of the most dangerous rogue/piggybacking tags because a 3rd party could use these to embed any number of malicious scripts and effectively take control of your whole website.

By approving only specific tag accounts you can be notified when an approved tag is identified with an account id that is not yet approved. This way you can better govern these technologies and be informed whenever they are detected.

After configuring the Consent Category appropriately, be sure to implement an unapproved Tags Alert and apply it to this Audit so you can be promptly notified of any newly introduced unapproved tags.

There are multiple scenarios for remediation described below:

Rogue tags can be hard coded on a page by a developer, implemented through a Tag Management System, or piggyback off of other 3rd party tags.

In the case of hard coded tags, you'll need to collaborate with product manager or developer to remove the script tags from the HTML.

In the case of a tag firing through a Tag Management System, you'll need to collaborate with the team responsible for implementation.

See details on remediating piggybacking tags below.

Either remove or modify the tag responsible for setting the unauthorized tag (the immediate parent tag).

Typically you will need to talk to someone on your team responsible for implementing a tag or contact the vendor directly and they can advise on how to make modifications (if possible to prevent this tag from firing).

You may determine that the vendor is unable to prevent the unauthorized piggybacking tags from firing. In this case you need to make a decision on whether or not to continue partnering with that vendor.