Fraud coming to GDPR consent strings is the new GDPR worry
The General Data Protection Regulation has only been in force a couple of months, and some ad tech vendors have already identified fake user-consent strings, a sign that fraudsters could be manipulating them to trick ad buyers into thinking they’re bidding on ad inventory that’s compliant with the E.U. online privacy law.
A consent string is a series of numbers added to an ad bid request that identifies whether an ad tech vendor has a user’s consent to use their data to serve them personalized ads. Consent strings are a crucial way for ad tech vendors and buyers to identify inventory that’s GDPR-compliant.
Ad buyers don’t have a unified strategy to determine if they will bid only on consent-based traffic, vendors say. However, inventory that has consent information is generally regarded as more valuable than inventory that doesn’t, which can make that inventory more competitive, driving up prices and attracting fraudsters, according to ad tech executive sources.
France-based SSP Smart is strictly monitoring consent-string fraud after an ad buyer flagged a discrepancy in its consent-string information in June, said Adrien Thil, head of corporate development at Smart. The buyer knew that Smart had exclusive access to certain publisher inventory, so the buyer was confused to find the same inventory in another platform but with different consent information. The ad tech vendor investigated and found that a fraudulent site and corresponding fake consent management platform had created a fake consent string.
“They were faking the consent string to enrich the inventory and get more demand density,” said Thil. “It was totally false.”
Smart has said it hasn’t identified any other cases of fraud but that it’s monitoring the situation to ensure the problem doesn’t reoccur.
Four ad tech vendors said while they haven’t seen evidence of actual fraud, they’re concerned about consent-string fraud because it’s easy to tamper with the strings. Under the GDPR, a buyer could face fines for serving personalized ads to a user who hasn’t given consent.
“It could be that there are illegitimate websites or traffic sources that are doing this to make a fast buck until someone stops them from doing it,” said Russell McGurk, head of supply at ad tech vendor Sovrn. “No one wants to be buying fraudulent inventory. But if a fraudster is creating a website and generating traffic then manipulating a consent string from a bot or finding a way to changing it in real time to sell that as opted-in user traffic — knowing that a higher yield can be gained for consent-based inventory — this would be the window for them to take advantage.”
It’s not the first time there have been attempts to manipulate consent signals. One or two vendors have been cited as having tried to fudge consent signals in the early days of GDPR enforcement, according to sources.
One publishing executive said that in May, one of the major vendors it uses contacted the publisher for a standard tags update — a necessary procedure if a vendor has direct-tag integration with a publisher’s site. On closer inspection, the publisher found that the vendor had pre-coded every tag to show that every single user coming from the publisher’s site had opted-in for consent. This executive didn’t view the tactic as malicious but chalked it up to panic, lack of preparation and misunderstanding by the vendor.
There are other, more benign ways of altering consent strings. A vendor might alter a string so it can work within different GDPR frameworks like the Interactive Advertising Bureau Europe’s Transparency and Consent framework and Google’s own.
The IAB Europe is working on a way to prevent tampering with consent strings in the next iteration of Open RTB framework 3.0, which is expected early next year. For now, vendors will have to be vigilant.
“The reality is that GDPR has put huge pressure on the industry to create a water-tight consent mechanism that simply isn’t achievable in the time scales imposed,” said Simon Booth, chief technology officer at ad tech firm Scoota.
‘Taking a bite’: Major political and news headlines are sucking up all the oxygen on Facebook
A confluence of national headlines and surging political ad spending appears to be eating into the Facebook referral traffic of several publishers.
Food52 jumps further on the streaming bandwagon with its new OTT app
First building up its long form video content on Xumo and YouTube, the food publisher is planning to display similar content on the OTT app, but will play to a new kind of audience consumption habit: binging.
‘All taking a chance on each other’: Jasper Wang on Defector Media’s collective ownership structure
A group of 18 former Deadspin employees have launched Defector Media with a much more collective ownership structure.
SponsoredIn the race to shore up revenue, publishers are overlooking deal terms
Many publishers are struggling to keep their business models afloat with cookies dying and brands tightening their ad spend in an age of pandemic and recession. To contend with unprecedented challenges, publishers have taken to implementing a wide variety of new tactics. Some are turning to alternate revenue streams, such as subscriptions and affiliate marketing. […]
Deep Dive: How media buying execs are adapting to the challenges and changes of 2020 and beyond
The coronavirus crisis has brands and the media they rely on scrambling to adapt to sweeping shifts in consumer behavior and attitudes.
WTF is Dovekey
Google has a published a new proposal for how online ad auctions could work in a more privacy focused way.