Unauthorized redirects are putting publishers at GDPR risk
The leaky nature of the real-time bidding advertising ecosystem continues to cause problems in a post-General Data Protection Regulation era.
Publishers that rely heavily on programmatic advertising bought via the open exchange as a revenue stream have always been vulnerable to sketchy ad tech vendors that drop tags on pages without the publisher’s knowledge. But when those same so-called vendors don’t have GDPR policies, they create bigger problems.
“We have yet to find one website whose CMP [consent management platform] vendor list covers all vendors that are dropping or reading cookies,” said Chloe Grutchfield, co-founder of ad tech consultancy RedBud. “And that includes publishers that opt to display the full IAB list of vendors in their CMP.”
RedBud has scanned 30 of the top U.K. publisher sites and flagged several dubious redirects occurring on a dozen sites, triggered by vendors that have no clear GDPR policy. That puts both publishers and legitimate vendors they work with at risk of penalties. Two companies flagged by RedBud have vague office addresses listed outside the European Union in countries like Israel and Russia.
Some redirects are vendors triggered by other, bona fide vendors for the purpose of cookie syncing. Some may be a little questionable and piggyback on a redirect to redirect to other smaller vendors, added Grutchfield. But in general, redirecting for cookie syncing purposes is a legitimate digital advertising method. The issue comes when the smaller players outside of Europe, that are not GDPR compliant, are triggered on U.K. browsers. There are several like this that are managing to slip through, she added.
RedBud flagged several specific companies as suspicious redirects, which are appearing on publisher sites in the U.K. One such company called “Upravel” states on its website that it has offices in Moscow in Russia and Raanana in Israel. There is only an Israeli address and one generic email listed as contact details on its site. Digiday contacted Upravel via the contact details on its site but received no reply before this article’s publication.
RedBud isn’t the first company to flag Upravel as needing further scrutiny. The Media Trust, which continuously scans publisher pages for unauthorized tags, has previously flagged Upravel as potentially an illegitimate business. A year ago, Upravel was flagged as serving tags and loading a tracking pixel onto a site, been although it doesn’t position itself as an ad server. The fact its name was nearly identical to Uprival, a legitimate business with a good reputation among publishers also roused suspicion, according to Chris Olson, CEO of The Media Trust.
“Publishers need to scan their ecosystem for any unauthorized supply chain code,” said Olson. “The rogue code could enable unauthorized data gathering or a data breach that would put a publisher at odds with GDPR.”
Despite being flagged as suspicious a year ago, the company continues to appear on sites today. Another name flagged by RedBud as suspicious and appearing on major U.K. publisher sites is “Slowplay,” which shares a domain name with “cootlogix.” A visit to its site shows no GDPR policy and three vague office addresses in Malta, London and Denver in the U.S. Digiday contacted Slowplay via the contact details on their site but received no reply.
Many media executives believe that the seemingly infinite number of vendors in the digital ad market create the perfect camouflage for fraudsters and bad practice. However, GDPR needs to be used as a tool by all legitimate players in the ecosystem to enforce cleaner practice. “It is the natural outcome of strategies and practices which are ignoring the fact that RTB is not GDPR compliant and so bundling consent,” said Alessandro de Zanche, independent media consultant and former News UK executive. “This is leaving gray areas and dodgy practices active, something which in a pre-GDPR era were ‘just’ unacceptable but today are also illegal.”
Continuously monitoring which vendors a publisher’s vendors are redirecting to is a constantly moving beast. Typically, exchanges and SSPs rotate who they redirect to. They won’t call all their partners per session because it would put too much pressure on a website. If they have more than 100 partners they sync cookies with they will use redirect rotations. That makes it tricky for publishers to see the full extent of who is dropping cookies on their sites.
That said, onus shouldn’t be just on the publishers to monitor. Ad tech vendors also share the responsibility of auditing who they are redirecting to and whether those companies have GDPR policies.
“Third-party vendors doing business with the digital publishers do have a responsibility to know where their source code is running,” said Olsen. “Though, there is a willpower issue in the digital ad ecosystem. If you shut off one company from running on your site, they will find others [vendors to piggyback on] to get them there.”
How agencies are shaping the future of DEI beyond their own walls
Agencies are acknowledging that diversity efforts don’t stop with their companies. In addition to improving employee representation, now agency efforts in diversity, equity and inclusion are aimed at supporting clients and external partners.
Newsletter publishers say they continue to see uptick in revenue despite advertising slowdown
At a time when larger media companies are feeling the pressure of the economic downturn and advertising slowdown, newsletter businesses continue to be in a period of revenue growth.
TikTok’s CEO faces bipartisan skepticism in first Congressional hearing on security concerns
The hearing comes amid calls to remove TikTok from government devices and in some cases even ban it entirely.
SponsoredHow advertisers are leveraging omnichannel attribution and measurement to power CTV
Sponsored by MNTN Connected TV advertising has joined and expanded the larger ecosystem of campaigns that advertisers deploy. As such, omnichannel marketing strategies now encompass television and mobile devices, tablets and other screens such as out-of-home. And as customers engage across these different touchpoints, brands are seeking and moving their measurement and analytics efforts to […]
Media Briefing: What to expect at the Digiday Publishing Summit
As DPS draws nearer, top pain points for publishers are coming to light.
New app launches through Apple hoping to win with ‘zero-party data’ when others haven’t
Caden's new app lets users connect data from their Uber, Amazon, Netflix and other accounts in exchange for money. Will it take off?