Fraud coming to GDPR consent strings is the new GDPR worry
The General Data Protection Regulation has only been in force a couple of months, and some ad tech vendors have already identified fake user-consent strings, a sign that fraudsters could be manipulating them to trick ad buyers into thinking they’re bidding on ad inventory that’s compliant with the E.U. online privacy law.
A consent string is a series of numbers added to an ad bid request that identifies whether an ad tech vendor has a user’s consent to use their data to serve them personalized ads. Consent strings are a crucial way for ad tech vendors and buyers to identify inventory that’s GDPR-compliant.
Ad buyers don’t have a unified strategy to determine if they will bid only on consent-based traffic, vendors say. However, inventory that has consent information is generally regarded as more valuable than inventory that doesn’t, which can make that inventory more competitive, driving up prices and attracting fraudsters, according to ad tech executive sources.
France-based SSP Smart is strictly monitoring consent-string fraud after an ad buyer flagged a discrepancy in its consent-string information in June, said Adrien Thil, head of corporate development at Smart. The buyer knew that Smart had exclusive access to certain publisher inventory, so the buyer was confused to find the same inventory in another platform but with different consent information. The ad tech vendor investigated and found that a fraudulent site and corresponding fake consent management platform had created a fake consent string.
“They were faking the consent string to enrich the inventory and get more demand density,” said Thil. “It was totally false.”
Smart has said it hasn’t identified any other cases of fraud but that it’s monitoring the situation to ensure the problem doesn’t reoccur.
Four ad tech vendors said while they haven’t seen evidence of actual fraud, they’re concerned about consent-string fraud because it’s easy to tamper with the strings. Under the GDPR, a buyer could face fines for serving personalized ads to a user who hasn’t given consent.
“It could be that there are illegitimate websites or traffic sources that are doing this to make a fast buck until someone stops them from doing it,” said Russell McGurk, head of supply at ad tech vendor Sovrn. “No one wants to be buying fraudulent inventory. But if a fraudster is creating a website and generating traffic then manipulating a consent string from a bot or finding a way to changing it in real time to sell that as opted-in user traffic — knowing that a higher yield can be gained for consent-based inventory — this would be the window for them to take advantage.”
It’s not the first time there have been attempts to manipulate consent signals. One or two vendors have been cited as having tried to fudge consent signals in the early days of GDPR enforcement, according to sources.
One publishing executive said that in May, one of the major vendors it uses contacted the publisher for a standard tags update — a necessary procedure if a vendor has direct-tag integration with a publisher’s site. On closer inspection, the publisher found that the vendor had pre-coded every tag to show that every single user coming from the publisher’s site had opted-in for consent. This executive didn’t view the tactic as malicious but chalked it up to panic, lack of preparation and misunderstanding by the vendor.
There are other, more benign ways of altering consent strings. A vendor might alter a string so it can work within different GDPR frameworks like the Interactive Advertising Bureau Europe’s Transparency and Consent framework and Google’s own.
The IAB Europe is working on a way to prevent tampering with consent strings in the next iteration of Open RTB framework 3.0, which is expected early next year. For now, vendors will have to be vigilant.
“The reality is that GDPR has put huge pressure on the industry to create a water-tight consent mechanism that simply isn’t achievable in the time scales imposed,” said Simon Booth, chief technology officer at ad tech firm Scoota.
‘Scale with great context’: The Independent eyes global expansion
The U.K. news title marked 'double-digit' revenue growth this year and posted a profit, despite the pandemic. It plans to grow headcount by up to 25%.
‘This is a tricky job for humans’: How Meredith used AI and contextual data to build Campbell’s a new campaign
To keep Campbell's ads relevant, Meredith created new artificial intelligence technology to track hyper-contextual data.
Vying for consumer revenue, Eater serves up new wine subscription play
Eater's making a play for more national scale consumer revenue with the launch of its new wine club.
SponsoredHow artificial intelligence and machine learning power content-first newsrooms
By Chris Nguyen, executive vice president, marketing at Naviga Digital is no longer just a nice addition to a newspaper’s success, but an imperative. While print remains a key source of revenue — capturing both subscriptions and advertising — spending too much time on designing and managing printed editions has become an obstacle to digital transformation. […]
‘Clearly underinvesting’: Some of the world’s biggest marketers pledge to direct more media dollars to minority-owned business
Procter & Gamble to McDonald’s, Pernod Ricard to PepsiCo, big marketers pledge to curtail media dollars that help fuel racial basis.
Paid virtual events are the new golden ticket for publishers
There are other added benefits for publishers to have ticketing on their events, beyond the revenue.