Fraud coming to GDPR consent strings is the new GDPR worry
The General Data Protection Regulation has only been in force a couple of months, and some ad tech vendors have already identified fake user-consent strings, a sign that fraudsters could be manipulating them to trick ad buyers into thinking they’re bidding on ad inventory that’s compliant with the E.U. online privacy law.
A consent string is a series of numbers added to an ad bid request that identifies whether an ad tech vendor has a user’s consent to use their data to serve them personalized ads. Consent strings are a crucial way for ad tech vendors and buyers to identify inventory that’s GDPR-compliant.
Ad buyers don’t have a unified strategy to determine if they will bid only on consent-based traffic, vendors say. However, inventory that has consent information is generally regarded as more valuable than inventory that doesn’t, which can make that inventory more competitive, driving up prices and attracting fraudsters, according to ad tech executive sources.
France-based SSP Smart is strictly monitoring consent-string fraud after an ad buyer flagged a discrepancy in its consent-string information in June, said Adrien Thil, head of corporate development at Smart. The buyer knew that Smart had exclusive access to certain publisher inventory, so the buyer was confused to find the same inventory in another platform but with different consent information. The ad tech vendor investigated and found that a fraudulent site and corresponding fake consent management platform had created a fake consent string.
“They were faking the consent string to enrich the inventory and get more demand density,” said Thil. “It was totally false.”
Smart has said it hasn’t identified any other cases of fraud but that it’s monitoring the situation to ensure the problem doesn’t reoccur.
Four ad tech vendors said while they haven’t seen evidence of actual fraud, they’re concerned about consent-string fraud because it’s easy to tamper with the strings. Under the GDPR, a buyer could face fines for serving personalized ads to a user who hasn’t given consent.
“It could be that there are illegitimate websites or traffic sources that are doing this to make a fast buck until someone stops them from doing it,” said Russell McGurk, head of supply at ad tech vendor Sovrn. “No one wants to be buying fraudulent inventory. But if a fraudster is creating a website and generating traffic then manipulating a consent string from a bot or finding a way to changing it in real time to sell that as opted-in user traffic — knowing that a higher yield can be gained for consent-based inventory — this would be the window for them to take advantage.”
It’s not the first time there have been attempts to manipulate consent signals. One or two vendors have been cited as having tried to fudge consent signals in the early days of GDPR enforcement, according to sources.
One publishing executive said that in May, one of the major vendors it uses contacted the publisher for a standard tags update — a necessary procedure if a vendor has direct-tag integration with a publisher’s site. On closer inspection, the publisher found that the vendor had pre-coded every tag to show that every single user coming from the publisher’s site had opted-in for consent. This executive didn’t view the tactic as malicious but chalked it up to panic, lack of preparation and misunderstanding by the vendor.
There are other, more benign ways of altering consent strings. A vendor might alter a string so it can work within different GDPR frameworks like the Interactive Advertising Bureau Europe’s Transparency and Consent framework and Google’s own.
The IAB Europe is working on a way to prevent tampering with consent strings in the next iteration of Open RTB framework 3.0, which is expected early next year. For now, vendors will have to be vigilant.
“The reality is that GDPR has put huge pressure on the industry to create a water-tight consent mechanism that simply isn’t achievable in the time scales imposed,” said Simon Booth, chief technology officer at ad tech firm Scoota.
‘We’re out there hitting the pavement’: Ad management firms scoop up sites ahead of cookie changes
Ad management platforms such as Cafe Media and Freestar have collectively gobbled up the rights to thousands of sites' ad inventory.
Browser makers, now including Mozilla’s Firefox, are already ditching Google’s proposed cookieless ad targeting method FLoC
Google's cohort-based tracking needs browser support to work, but browsers like Brave and Microsoft Edge can easily block its functionality.
‘It’s OK if someone wants to work 3 or 4 days a week’: How female news leaders are changing media culture for women
There's still a long way to go before the media workplace is a level playing field for men and women, but female news chiefs are pushing hard to change internal cultures.
SponsoredAs publishers recognize the true cost of malvertising, recent cases highlight the damage
Malvertising — the use of ad tech by malicious actors to attack end users at scale — has been a silent but insidious aspect of digital advertising in recent years. Now, however, the extent of the damage, both real and potential, is expanding. And it should, according to experts, as approximately $1 billion revenue was lost […]
Cheat Sheet: What a ‘radical’ GOP antitrust bill that would kill big tech acquisitions has in common with the Democrats’ push for reform
Bipartisan momentum behind Sen. Josh Hawley’s antitrust bill is likely to be tepid, but it could spur more dialogue on anti-competitive behavior in an tech-ruled era.
Los Angeles Times enters crowded daily news podcast market with a West Coast twist
The Los Angeles Times is banking on offering a West Coast twist to daily news podcasting when it debuts its own version next month.