‘It’s hurting us’: Confessions of an ad tech exec on GDPR consent-string fraud

This article is part of our Confessions series, in which we trade anonymity for candor to get an unvarnished look at the people, processes and problems inside the industry.

Three months ago, four ad tech vendors flagged that they had identified fake consent strings. Consent strings are generated by a publisher’s consent management platform and passed back to all that publisher’s digital ad partners to show which impressions have user consent for personalized advertising, and which don’t. It seems the issue hasn’t gone away.

For the latest instalment in our confessions series, in which we trade anonymity for candor, we spoke to an ad tech executive who is frustrated that consent-string manipulation is potentially costing its business hundreds of thousands of pounds.

Excerpts lightly edited for clarity and flow.

How big a deal is consent string fraud?
It’s cropping up in a lot more conversations. Certain demand-side platforms are looking for consent-string anomalies by checking the different consent strings that come through different exchanges for the same domains. Those exchanges that look like they have lower levels of consent than others are being flagged by the DSPs as anomalies, but the irony is that those that stand out may not be the anomaly.

How are they not anomalies?
The exchanges that appear to have lower volumes of consented requests are only looking that way because they’re not tampering with the consent strings. The real anomalies may be those who don’t look like they have been affected, because it’s likely they’re altering the strings, or potentially behaving in a more nefarious fashion.

Are there different kinds of consent-string fraud?
Yes. We see two main types. The first type is due to a lack of interoperability between the consent strings being generated by Google’s CMP, and those that are generated via CMPs in the Interactive Advertising Bureau Europe’s GDPR framework, which use the IAB consent string. Each code is generated to do the same thing — to show a publisher’s ad tech partners which impressions have consent attached or not — but they use different codes and although everyone would like them to be interoperable, they’re not. Some DSPs don’t even know how to read the Google consent-string version. Therefore some vendors may be manipulating the strings so they can work in either environment.

That seems kind of understandable.
It is in some ways, but it’s a frustration for any exchange that’s following the rules because it puts them at a massive commercial disadvantage. We’re sticking to the IAB’s rules, but it is hurting us to do so. Those exchanges that aren’t altering them, like ours, are then hurting commercially as a result because we’re not able to monetize the same volume of inventory. Those that are tampering with the strings are hurting less. There isn’t much visible enforcement yet from the IAB on this.

How much are we talking about being lost here?
Potentially hundreds of thousands of pounds.

What about the second type of fraud?
Some of the more murky stuff isn’t visibly happening among the tier-one vendors, but more likely with the tier-two and -three vendors and the mid to long-tail publishers. I know of one that gives publishers an option like: “tick this box if you have consent but are not using an IAB CMP,” and then the exchange is creating a string to look like they do have IAB consent from a CMP.

What does this mean for your business?
Because some of these more nefarious activities are likely to be more prevalent in the smaller exchanges, the actual impact may not be huge. There’s potentially a larger impact from anyone who is converting consent signals from one framework to another. But I see it being something we will continue to have to look into and troubleshoot well into 2019.

Are these just teething issues?
There are still technical examples of consent strings not being properly transmitted. And that’s not necessarily because of shadiness, but due to how complex our ecosystem is — there are lots of ways publishers connect to demand through containers, header bidding, tags — some things just get lost along the way. It will be extra work to ensure appropriate consent strings are passed through in the right way, and in a way that can be read.

How can this be stopped?
The problem with coming down on this issue is that it will cause pain through the value chain. It’s a little like the wider issue with ad fraud — not many businesses are incentivized to completely clamp down on it because everyone’s motivations are commercial. No one gets a bonus for being legally compliant, they get a bonus for hitting their numbers. Really, the only businesses with the incentive to want to remove fraud entirely are the advertisers because it’s their budgets.
