What is actually happening
There are three major uses for this kind of tag injection: the innocent, the nefarious and the dumb.
An innocent use would be e.g. to load a tracking library from the vendor's server; this makes sure you always have the most recent version of their code without checking for updates yourself. As long as the code comes from a server under your tag vendor's control I don’t see anything wrong with this. Or they might have acquired another company, or have been acquired by another company, and want to spare you the trouble of re-tagging your site while they are transitioning between two technology stacks.
By “nefarious” I do not mean anything illegal – tag vendors do not usually purposefully break the law. By nefarious I mean they do something legal that is still opposed to your (as in “you, the client”) best interest.
For example at a previous employer we ran a remarketing campaign with Google, but also tested a third party retargeting platform. When we examined their tag we found that they dynamically loaded a Google tag of their own (evidently their delivery network did not have the necessary coverage to generate enough clicks). Now prices are determined in a bidding contest, so the effect of this was that we paid a third party to bid against us for clicks from the same audience. Or rather that would have been the effect had we chosen to work with them (we did not).
What aggravates the problem is that it affects not only you, it affects your tag vendor as well – every third-party (or rather fourth- or fifth-party) service your vendor uses to enhance his tags might itself load additional scripts, and these might load others, and so on and so on (this is not a theoretical concern btw., this happens in real life). Each of these tags can extract information from your page and send it god knows where.
So, the more tags are chained together in this fashion the harder it is to say who is responsible should user data go astray.
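One way to make such chains visible, as an added example that is not from the original post: the sketch below takes a list of script loads together with the URL that requested each one (a record format assumed here, for instance extracted from a browser network log), rebuilds every loading chain and reports the hosts you have no contract with. All hostnames and the function names `chainFor` and `auditTagChains` are made up for illustration.

```javascript
// Constructed sample: script loads seen on one page view, each with the URL of
// the resource that requested it (null = referenced directly in your own HTML).
// All hostnames are placeholders.
const sampleLoads = [
  { url: "https://tags.vendor-a.example/tag.js", initiator: null },
  { url: "https://cdn.vendor-a.example/lib.js", initiator: "https://tags.vendor-a.example/tag.js" },
  { url: "https://px.partner-b.example/sync.js", initiator: "https://cdn.vendor-a.example/lib.js" },
  { url: "https://collect.broker-c.example/c.js", initiator: "https://px.partner-b.example/sync.js" },
];

// Hosts you actually have a contract with (assumption for this example).
const contractedHosts = new Set(["tags.vendor-a.example", "cdn.vendor-a.example"]);

// Follow initiator links back towards the page to get the full loading chain.
// The `seen` set stops the walk if two scripts name each other as initiator.
function chainFor(url, byUrl) {
  const chain = [];
  const seen = new Set();
  for (let cur = url; cur && !seen.has(cur); cur = byUrl.get(cur)?.initiator ?? null) {
    seen.add(cur);
    chain.unshift(cur);
  }
  return chain;
}

// Report every script served from a non-contracted host, with its depth in the
// chain and the tag you placed yourself that ultimately pulled it in.
function auditTagChains(loads, allowedHosts) {
  const byUrl = new Map(loads.map((l) => [l.url, l]));
  const findings = [];
  for (const { url } of loads) {
    const host = new URL(url).hostname;
    if (allowedHosts.has(host)) continue;
    const chain = chainFor(url, byUrl).map((u) => new URL(u).hostname);
    findings.push({
      host,
      depth: chain.length, // 1 = placed by you, 2 and up = loaded by another tag
      introducedBy: chain[0],
      chain,
    });
  }
  return findings;
}

console.log(JSON.stringify(auditTagChains(sampleLoads, contractedHosts), null, 2));
```
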
This is the point where you go and read your contracts and consult with your data protection officer (if you do not have one this might be the time to go looking for one). I’ll leave you to it until the second installment of this series where we take a look at possible solutions to the problem.