Fraud coming to GDPR consent strings is the new GDPR worry
The General Data Protection Regulation has only been in force a couple of months, and some ad tech vendors have already identified fake user-consent strings, a sign that fraudsters could be manipulating them to trick ad buyers into thinking they’re bidding on ad inventory that’s compliant with the E.U. online privacy law.
A consent string is a series of numbers added to an ad bid request that identifies whether an ad tech vendor has a user’s consent to use their data to serve them personalized ads. Consent strings are a crucial way for ad tech vendors and buyers to identify inventory that’s GDPR-compliant.
Ad buyers don’t have a unified strategy to determine if they will bid only on consent-based traffic, vendors say. However, inventory that has consent information is generally regarded as more valuable than inventory that doesn’t, which can make that inventory more competitive, driving up prices and attracting fraudsters, according to ad tech executive sources.
France-based SSP Smart is strictly monitoring consent-string fraud after an ad buyer flagged a discrepancy in its consent-string information in June, said Adrien Thil, head of corporate development at Smart. The buyer knew that Smart had exclusive access to certain publisher inventory, so the buyer was confused to find the same inventory in another platform but with different consent information. The ad tech vendor investigated and found that a fraudulent site and corresponding fake consent management platform had created a fake consent string.
“They were faking the consent string to enrich the inventory and get more demand density,” said Thil. “It was totally false.”
Smart has said it hasn’t identified any other cases of fraud but that it’s monitoring the situation to ensure the problem doesn’t reoccur.
Four ad tech vendors said that while they haven’t seen evidence of actual fraud, they’re concerned about consent-string fraud because it’s easy to tamper with the strings. Under the GDPR, a buyer could face fines for serving personalized ads to a user who hasn’t given consent.
“It could be that there are illegitimate websites or traffic sources that are doing this to make a fast buck until someone stops them from doing it,” said Russell McGurk, head of supply at ad tech vendor Sovrn. “No one wants to be buying fraudulent inventory. But if a fraudster is creating a website and generating traffic then manipulating a consent string from a bot or finding a way to change it in real time to sell that as opted-in user traffic — knowing that a higher yield can be gained for consent-based inventory — this would be the window for them to take advantage.”
It’s not the first time there have been attempts to manipulate consent signals. One or two vendors have been cited as having tried to fudge consent signals in the early days of GDPR enforcement, according to sources.
One publishing executive said that in May, one of the major vendors it uses contacted the publisher for a standard tags update — a necessary procedure if a vendor has direct-tag integration with a publisher’s site. On closer inspection, the publisher found that the vendor had pre-coded every tag to show that every single user coming from the publisher’s site had opted-in for consent. This executive didn’t view the tactic as malicious but chalked it up to panic, lack of preparation and misunderstanding by the vendor.
There are other, more benign ways of altering consent strings. A vendor might alter a string so it can work within different GDPR frameworks like the Interactive Advertising Bureau Europe’s Transparency and Consent framework and Google’s own.
The IAB Europe is working on a way to prevent tampering with consent strings in the next iteration of the OpenRTB framework, 3.0, which is expected early next year. For now, vendors will have to be vigilant.
“The reality is that GDPR has put huge pressure on the industry to create a water-tight consent mechanism that simply isn’t achievable in the time scales imposed,” said Simon Booth, chief technology officer at ad tech firm Scoota.
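The two warning signs described in this article, the same exclusive inventory turning up through another platform with different consent information and a source that reports every user as opted in, can be checked on the buy side. The sketch below is an added example, not code from Smart, Sovrn or any vendor named here; the record fields, seller names and consent values are constructed, and consent strings are treated as opaque values.

```python
from collections import defaultdict

# Constructed sample bid requests (not real traffic). Field names are
# assumptions for this example; consent strings are treated as opaque values.
SAMPLE = [
    {"seller": "ssp-a", "domain": "news.example", "user": "u1", "consent": "CONSENT-NONE"},
    {"seller": "ssp-a", "domain": "news.example", "user": "u2", "consent": "CONSENT-ALL"},
    {"seller": "ssp-a", "domain": "news.example", "user": "u3", "consent": "CONSENT-PARTIAL"},
    {"seller": "ssp-x", "domain": "news.example", "user": "u1", "consent": "CONSENT-ALL"},
    {"seller": "ssp-x", "domain": "news.example", "user": "u3", "consent": "CONSENT-ALL"},
    {"seller": "ssp-x", "domain": "news.example", "user": "u4", "consent": "CONSENT-ALL"},
]

def exclusivity_conflicts(requests, exclusive):
    """Return (domain, seller, user) for inventory offered outside its known
    exclusive seller where the consent value differs for the same user."""
    trusted = {}  # (domain, user) -> consent seen via the exclusive seller
    for r in requests:
        if exclusive.get(r["domain"]) == r["seller"]:
            trusted[(r["domain"], r["user"])] = r["consent"]
    conflicts = []
    for r in requests:
        owner = exclusive.get(r["domain"])
        if owner is None or owner == r["seller"]:
            continue  # no exclusivity known, or request came via the owner
        seen = trusted.get((r["domain"], r["user"]))
        if seen is not None and seen != r["consent"]:
            conflicts.append((r["domain"], r["seller"], r["user"]))
    return sorted(conflicts)

def uniform_consent_sellers(requests, min_users=3):
    """Return sellers whose every request carries one identical consent value
    across at least min_users distinct users (the pre-coded tag pattern)."""
    values, users = defaultdict(set), defaultdict(set)
    for r in requests:
        values[r["seller"]].add(r["consent"])
        users[r["seller"]].add(r["user"])
    return sorted(s for s in values
                  if len(values[s]) == 1 and len(users[s]) >= min_users)

if __name__ == "__main__":
    print(exclusivity_conflicts(SAMPLE, {"news.example": "ssp-a"}))
    print(uniform_consent_sellers(SAMPLE))
```

A hit from either check is a lead to investigate rather than proof of fraud, since a user can change their consent between two requests.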