‘This is scary stuff’: Cookie compliance efforts continue to fall short even three years after GDPR


European Union law on cookie consent is clear: a person should be given a simple choice to accept or reject being tracked by advertisers on publisher sites. The problem is that there are moments when they don’t seem to have that choice.

That’s according to the findings released today from a new study commissioned by Ebiquity, which aims to spotlight privacy shortcomings in the ad tech ecosystem.

The investigation found the vast majority (92.6%) of websites that attract tier-one advertiser spend place at least one tracker on internet users’ devices prior to gaining their consent.

Ebiquity partnered with Usercentrics’ consent management platform Cookiebot to conduct the study, which analyzed almost 200,000 cookies across the 1,000 largest domains for programmatic ad investment, based on Ebiquity’s records of the top 100 global advertisers.

Of the 200,000 cookies analyzed in the study, half were defined as “marketing cookies” by the CMP with 82.4% of these tracking tools determined to have been installed on users’ devices by third parties. A third (32.3%) of those cookies were fired without valid user consent. In addition, researchers also found that 70% of third-party marketing cookies transferred user data outside of the European Union, a practice that is subject to strict regulatory requirements. Put another way: the report suggests that many of the biggest publishers are potentially violating their readers’ privacy and data protection rights by giving them a false notion of control.

“Advertisers want to ensure they fund responsible media outlets, and these numbers clearly show there is a lot of work to do,” said Ruben Schreurs, group chief product officer at Ebiquity. “Particularly in light of recent industry developments, we advise brands to ensure they have full transparency and controls on their investments in programmatic open web activity.”

Unsurprisingly, marketers are concerned. Of course, publishers are more exposed should regulators choose to investigate these findings further — the potentially shady data practices are happening on their site after all. Advertisers, however, are wary of being found guilty by association. So much so that they’re conducting their own investigations into the matter. “We’re going to have to audit our own media buys to see if we’re privacy compliant,” said the chief media officer at a global CPG company, who was not authorized to speak to Digiday. If those buys aren’t compliant, then the marketer can use the audit to consolidate their spending into those publishers working with ad tech vendors that can assure them they have EU-based data centers. “This is scary stuff,” said the marketer.

Granted, those fears aren’t new. In October, ad data detectives shared findings with Digiday which observed a gap between what someone consents to let happen to their personal data versus what actually happens to it three years after the arrival of a law (the General Data Protection Regulation) meant to reconcile the divide. Ebiquity’s study does, however, crank up the pressure on marketers to confront their own role in fueling an ad market where the idea of people being targeted without their consent is even possible.

“For decades, advertisers have been collecting data on users via publishers by pixeling ad creatives unbeknownst to the publishers themselves,” said Lulu Phongmany, a consultant with experience of working at both ad tech companies and media owners. “I work with publishers all the time to develop data agreements and pixel approval workflows now that agencies and brands are being held responsible for how they are collecting their data with new (and evolving) privacy laws being introduced.”

Even if advertiser-led checks confirm Ebiquity’s own conclusion, it doesn’t necessarily mean publishers are intentionally acting nefariously. According to Digiday sources, publishers can sometimes be limited in their ability to outright block third parties from tracking their audiences without their consent. Consider this: neither the advertiser nor the publisher has total control over what trackers are used. When a cookie is loaded on a page it calls a server to then register that the cookie has been served. Sometimes that cookie doesn’t just call the server, it calls other cookies. Essentially, one primary cookie could subsequently call upon hundreds of other cookies, which is where things get tricky for publishers trying to keep track of what’s happening on their site.
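The chain described above can be audited from a page-load request log. The following is an added example, not part of the original article or the Ebiquity study: it flags third-party cookies set before consent and traces each one back through its initiator chain. The log entries, domain names, field names and consent timestamp are constructed, and treating the last two hostname labels as the "site" is a simplifying assumption (a real audit would use the Public Suffix List).

```javascript
// Constructed page-load log: t = ms since navigation, initiator = URL of the
// resource that triggered the request, setCookies = cookie names set by the response.
const PAGE = "https://news.example/article";
const CONSENT_AT = 5000; // constructed: user clicked "accept" at 5 s
const requests = [
  { t: 0, url: PAGE, initiator: null, setCookies: ["session"] },
  { t: 120, url: "https://cdn.news.example/app.js", initiator: PAGE, setCookies: [] },
  { t: 300, url: "https://tags.adtech-a.example/tag.js", initiator: PAGE, setCookies: ["uid_a"] },
  { t: 450, url: "https://sync.adtech-b.example/pixel",
    initiator: "https://tags.adtech-a.example/tag.js", setCookies: ["uid_b"] },
  { t: 600, url: "https://match.adtech-c.example/sync",
    initiator: "https://sync.adtech-b.example/pixel", setCookies: ["uid_c"] },
  { t: 5200, url: "https://ads.adtech-d.example/bid", initiator: PAGE, setCookies: ["uid_d"] },
];

// Simplified "site" of a URL: last two hostname labels (assumption, see lead-in).
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Walk initiators back to the page; returns sites ordered from page to requester.
function initiatorChain(url, log) {
  const byUrl = new Map(log.map((r) => [r.url, r]));
  const chain = [];
  const seen = new Set(); // guards against initiator loops in a malformed log
  for (let r = byUrl.get(url); r && !seen.has(r.url); r = byUrl.get(r.initiator)) {
    seen.add(r.url);
    chain.unshift(site(r.url));
  }
  return chain;
}

// Third-party responses that set cookies before the consent timestamp.
function preConsentThirdPartyCookies(log, pageUrl, consentAt) {
  const firstParty = site(pageUrl);
  return log
    .filter((r) => r.t < consentAt && r.setCookies.length > 0 && site(r.url) !== firstParty)
    .map((r) => {
      const chain = initiatorChain(r.url, log);
      // directlyEmbedded: the publisher's page loaded this party itself;
      // otherwise another third party pulled it in.
      return { cookies: r.setCookies, setBy: site(r.url), chain, directlyEmbedded: chain.length === 2 };
    });
}

for (const f of preConsentThirdPartyCookies(requests, PAGE, CONSENT_AT)) {
  console.log(f.cookies.join(","), "|", f.chain.join(" > "), "| direct:", f.directlyEmbedded);
}
```

Only the first tag in this constructed log was placed by the publisher's page; the other two pre-consent cookies arrive through parties the page never referenced, which is the visibility gap the paragraph above describes.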

It raises further questions over whether the Transparency and Consent Framework, which was developed by the Interactive Advertising Bureau’s Tech Lab and IAB Europe, is robust enough to comply with the demands of the GDPR.

The protocol standardizes how businesses — publishers, ad tech vendors and agencies — can continue running programmatic advertising outside of walled gardens in a way that is compliant with GDPR. The problem is that it may not actually be legal. Several EU data protection authorities are questioning the robustness of the IAB’s TCF. In fact, policymakers at IAB Europe are awaiting key directives from the Belgian authority, with the data watchdog there expected to publish a key verdict on TCF’s compliance with GDPR in the coming weeks.

“Since the inception of IAB’s TCF initiative, it has relied heavily on good actors and the industry’s desire to be compliant, but a known challenge has been that controls and checks need to be applied and enforced by the Framework’s administrator,” said Richard Reeves, managing director at U.K. trade body the Association of Online Publishers. “IAB’s TCF is still a very necessary structure to enable the programmatic supply chain to be fulfilled; working with senior members of the AOP, and in support of the TCF objectives, we have identified, and shared publicly, a number of actions that can be undertaken to further mitigate risk. The document has been shared with both IAB and ICO, who maintain direct dialogue, to inform their decision-making on how to enforce greater controls and checks.”

Still, as alarming as the report’s conclusions are, they should be taken with a pinch of salt. Indeed, several sources advised those reading Ebiquity’s report to interrogate some of its assertions, albeit none questioned its observations, not least because both Ebiquity’s audit business and Usercentrics’ CMP stand to benefit from any alarm kicked up by the report.

