The General Data Protection Regulation has only been in force a couple of months, and some ad tech vendors have already identified fake user-consent strings, a sign that fraudsters could be manipulating them to trick ad buyers into thinking they’re bidding on ad inventory that’s compliant with the E.U. online privacy law.
A consent string is a series of numbers added to an ad bid request that identifies whether an ad tech vendor has a user’s consent to use their data to serve them personalized ads. Consent strings are a crucial way for ad tech vendors and buyers to identify inventory that’s GDPR-compliant.
Ad buyers don’t have a unified strategy to determine if they will bid only on consent-based traffic, vendors say. However, inventory that has consent information is generally regarded as more valuable than inventory that doesn’t, which can make that inventory more competitive, driving up prices and attracting fraudsters, according to ad tech executive sources.
France-based SSP Smart is strictly monitoring consent-string fraud after an ad buyer flagged a discrepancy in its consent-string information in June, said Adrien Thil, head of corporate development at Smart. The buyer knew that Smart had exclusive access to certain publisher inventory, so the buyer was confused to find the same inventory in another platform but with different consent information. The ad tech vendor investigated and found that a fraudulent site and corresponding fake consent management platform had created a fake consent string.
“They were faking the consent string to enrich the inventory and get more demand density,” said Thil. “It was totally false.”
Smart has said it hasn’t identified any other cases of fraud but that it’s monitoring the situation to ensure the problem doesn’t reoccur.
Four ad tech vendors said while they haven’t seen evidence of actual fraud, they’re concerned about consent-string fraud because it’s easy to tamper with the strings. Under the GDPR, a buyer could face fines for serving personalized ads to a user who hasn’t given consent.
“It could be that there are illegitimate websites or traffic sources that are doing this to make a fast buck until someone stops them from doing it,” said Russell McGurk, head of supply at ad tech vendor Sovrn. “No one wants to be buying fraudulent inventory. But if a fraudster is creating a website and generating traffic then manipulating a consent string from a bot or finding a way to changing it in real time to sell that as opted-in user traffic — knowing that a higher yield can be gained for consent-based inventory — this would be the window for them to take advantage.”
It’s not the first time there have been attempts to manipulate consent signals. One or two vendors have been cited as having tried to fudge consent signals in the early days of GDPR enforcement, according to sources.
One publishing executive said that in May, one of the major vendors it uses contacted the publisher for a standard tags update — a necessary procedure if a vendor has direct-tag integration with a publisher’s site. On closer inspection, the publisher found that the vendor had pre-coded every tag to show that every single user coming from the publisher’s site had opted-in for consent. This executive didn’t view the tactic as malicious but chalked it up to panic, lack of preparation and misunderstanding by the vendor.
There are other, more benign ways of altering consent strings. A vendor might alter a string so it can work within different GDPR frameworks like the Interactive Advertising Bureau Europe’s Transparency and Consent framework and Google’s own.
The IAB Europe is working on a way to prevent tampering with consent strings in the next iteration of Open RTB framework 3.0, which is expected early next year. For now, vendors will have to be vigilant.
“The reality is that GDPR has put huge pressure on the industry to create a water-tight consent mechanism that simply isn’t achievable in the time scales imposed,” said Simon Booth, chief technology officer at ad tech firm Scoota.