‘It’s hurting us’: Confessions of an ad tech exec on GDPR consent-string fraud
Three months ago, four ad tech vendors flagged that they had identified fake consent strings. Consent strings are generated by a publisher’s consent management platform and passed back to all that publisher’s digital ad partners to show which impressions have user consent for personalized advertising, and which don’t. It seems the issue hasn’t gone away.
For the latest instalment in our confessions series, in which we trade anonymity for candor, we spoke to an ad tech executive who is frustrated that consent-string manipulation is potentially costing its business hundreds of thousands of pounds.
Excerpts lightly edited for clarity and flow.
How big a deal is consent string fraud?
It’s cropping up in a lot more conversations. Certain demand-side platforms are looking for consent-string anomalies by checking the different consent strings that come through different exchanges for the same domains. Those exchanges that look like they have lower levels of consent than others are being flagged by the DSPs as anomalies, but the irony is that those that stand out may not be the anomaly.
How are they not anomalies?
The exchanges that appear to have lower volumes of consented requests are only looking that way because they’re not tampering with the consent strings. The real anomalies may be those who don’t look like they have been affected, because it’s likely they’re altering the strings, or potentially behaving in a more nefarious fashion.
Are there different kinds of consent-string fraud?
Yes. We see two main types.The first type is due to a lack of interoperability between the consent strings being generated by Google’s CMP, and those that are generated via CMPs in the Interactive Advertising Bureau Europe’s GDPR framework, which use the IAB consent string. Each code is generated to do the same thing — to show a publisher’s ad tech partners which impressions have consent attached or not — but they use different codes and although everyone would like them to be interoperable, they’re not. Some DSPs don’t even know how to read the Google consent-string version. Therefore some vendors may be manipulating the strings so they can work in either environment.
That seems kind of understandable.
It is is some ways, but it’s a frustration for any exchange that’s following the rules because it puts them at a massive commercial disadvantage. We’re sticking to the IAB’s rules, but it is hurting us to do so. Those exchanges that aren’t altering them, like ours, are then hurting commercially as a result because we’re not able to monetize the same volume of inventory. Those that are tampering with the strings, are hurting less. There isn’t much visible enforcement yet from the IAB on this.
How much are we talking about being lost here?
Potentially hundreds of thousands of pounds.
What about the second type of fraud?
Some of the more murky stuff isn’t visibly happening among the tier-one vendors, but more likely with the tier-two and-three vendors and the mid to long-tail publishers. I know of one that gives publishers an option like: “tick this box if you have consent but are not using an IAB CMP,” and then the exchange is creating a string to look like they do have IAB consent from a CMP.
What does this mean for your business?
Because some of these more nefarious activities are likely to be more prevalent in the smaller exchanges, the actual impact may not be huge. There’s potentially a larger impact from anyone who is converting consent signals from one framework to another. But I see it being something we will continue to have to look into and troubleshoot well into 2019.
Are these just teething issues?
There are still technical examples of consent strings not being properly transmitted. And that’s not necessarily because of shadiness, but due to how complex our ecosystem is — there are lots of ways publishers connect to demand through containers, header bidding, tags — some things just get lost along the way. It will be extra work to ensure appropriate consent strings are passed through in the right way, and in a way that can be read.
How can this be stopped?
The problem with coming down on this issue is that it will cause pain through the value chain. It’s a little like the wider issue with ad fraud — not many businesses are incentivized to completely clamp down on it because everyone’s motivations are commercial. No one gets a bonus for being legally compliant, they get a bonus for hitting their numbers. Really, the only businesses with the incentive to want to remove fraud entirely are the advertisers because it’s their budgets.
Member ExclusiveDigiday Research: The coronavirus pandemic left marks on publishers’ 2021 revenue plans
While publishers remain focused on direct-sold ads and subscriptions, they seem less focused on diversifying revenue in 2021.
‘We had to take full ownership of data’: Why Denmark’s biggest news site cut reliance on Google’s tech
Denmark’s biggest news site Ekstra Bladet pushes ahead with its investment in first-party data with a homegrown sub for Google Analytics.
WTF is FLEDGE?
FLEDGE stands for 'First Locally-Executed Decision over Groups Experiment' and makes ad auction decisions in the browser, rather than at ad server level.
SponsoredWhat a content hub can do for marketing teams
In a truly effective marketing team, each team member is aligned, using shared tools and processes to efficiently create, collaborate and connect with their customers. With a content hub, marketers can break down the silos that have traditionally held them back, increasing collaboration in the crucial planning and workflow stages. Implementing this technology will make […]
Cheat sheet: Twitter’s acquisition of Revue heats up the battle of the inbox
The acquisition of Revue shows newsletter platforms will have to continue to ratchet up their efforts to deliver value to authors.
The New York Times’ Ben Smith saw the alt-right’s rise and sees a new era for social platforms
In the latest episode of the Digiday Podcast, the Times media columnist and former BuzzFeed editor-in-chief discusses misinformation on social platforms and why BuzzFeed didn’t make a big subscription push.