Jscrambler

New Jscrambler Research Reveals 97% of Organizations Know JavaScript Tags Collect Private and Sensitive Data

October 23rd, 2024 | By Jscrambler

PORTO, Portugal - October 23, 2024


A global report published today by Jscrambler, the pioneering platform for client-side protection, and conducted by Dimensional Research, outlines the risks and exposure created by third-party JavaScript tags. While businesses understand that third-party tags collect information, only 13% are confident they understand what information those tags collect, and only 26% are aware that tags leaked their private user data to other organizations. Full details are available in the report, The Perils of Third-Party Tags: Examining the Client-Side Security Risks and Compliance Challenges of JavaScript.


“Today, virtually all websites use JavaScript to seamlessly integrate third-party services and transform their online operations by leveraging analytics, user tracking, payments, social media, communications, support chat functions and chatbots, performance measurement, and more,” said Rui Ribeiro, CEO and co-founder, Jscrambler. “But this adoption comes at a price. Most businesses have no idea what information these tags are collecting and what highly sensitive customer data may be being leaked. Companies must invest in client-side protection and compliance solutions to continue benefiting from these tags while protecting user data from being collected, skimmed, or leaked by third parties.”


Key findings of the report include: 


Third-Party Tags Collect Sensitive Information, Creating Significant Compliance and Security Risks

Nearly every respondent (97%) indicates that they know that third-party tags collect sensitive or private information regularly. Additionally, 49% admit that in the previous 12 months, these tags collected data they were not supposed to, including site traffic, website form data, login, order, social media information, customer account details, and more. And it doesn’t stop with data collection – 26% of respondents realize sensitive data has been leaked to another organization. 


The Case of Google Tag Manager

Google Tag Manager (GTM) may present the best illustration of the value of tag usage while also highlighting users' limited understanding of the potential risks involved. According to the research, while more than 90% of respondents are familiar with GTM, only 33% recognize that teams can autonomously add more third-party tags and code without additional authorization, creating major compliance and security risks. Slightly more encouraging is that 47% confirm that GTM creates privacy and compliance risks.



Digital Skimming Prevention and Tag Audits are Crucial as March Compliance Deadlines Draw Closer

As compliance implications for third-party vendor tag use become more pronounced, it is promising that 61% of respondents state that a tool that prevents digital skimming is key to achieving PCI DSS compliance. This is especially important regarding PCI DSS requirements 6.4.3 and 11.6.1, designed to prevent digital skimming attacks on websites that capture payment card data. The deadline to comply with these two requirements is March 31, 2025. 


What’s encouraging is that 57% of respondents audit third-party tags to ensure data collection authorization and compliance. Gaining control over the behavior and data consumption of third-party tags is instrumental in helping organizations comply with various standards, regulations, and laws, including PCI DSS, DORA, GDPR, and HIPAA.


Critical Need for Client-Side Protection

Although data protection policies require strict enforcement and scalability, only 36% of respondents’ companies have policies and tools to prevent data skimming. For example, one-quarter of respondents cannot ensure that sensitive data in their company's chatbot is not shared with another third party. 


When it comes to addressing the issue, 68% of respondents agree that a client-side protection and compliance solution should be deployed to protect user data from being collected, skimmed, or leaked by third parties. Furthermore, an overwhelming 97% indicate that a client-side protection and compliance solution would be valuable to their company. This consensus highlights the critical need for enhanced client-side protection measures. 




Methodology


The report includes findings from a July 2024 global survey of 327 professionals with website responsibilities at medium-size and enterprise companies. The survey was administered electronically by Dimensional Research on behalf of Jscrambler. Participants spanned five continents, represented all seniority levels, and had roles across IT, cybersecurity, product management, marketing, and other functions. Of the respondents, 74% had responsibility for the technical aspects of their organizations’ websites.


About Jscrambler


Jscrambler is the leader in Client-Side Protection and Compliance. Jscrambler is the first to merge advanced polymorphic JavaScript obfuscation with fine-grained third-party tag protection in a unified Client-Side Protection and Compliance Platform.

Jscrambler’s integrated solution ensures a robust defense against current and emerging client-side cyber threats, data leaks, misconfigurations, and IP theft, empowering software development and digital teams to securely innovate online with JavaScript. Jscrambler’s Code Integrity product safeguards first-party JavaScript through state-of-the-art obfuscation and exclusive runtime protection. Jscrambler’s Webpage Integrity product mitigates threats and risks posed by third-party tags, all while ensuring compliance with the new version 4 of PCI DSS.

With Jscrambler, businesses adopt a unified, future-proof client-side security policy, all while achieving compliance with emerging security standards. Jscrambler serves a diverse range of customers, including top Fortune 500 companies, online retailers, airlines, media outlets, and financial services firms whose success depends on safely engaging with their customers online.

For more information, visit the website, or follow Jscrambler on LinkedIn or X.

