The leaky nature of the real-time bidding advertising ecosystem continues to cause problems in a post-General Data Protection Regulation era.
Publishers that rely heavily on programmatic advertising bought via the open exchange as a revenue stream have always been vulnerable to sketchy ad tech vendors that drop tags on pages without the publisher’s knowledge. But when those same so-called vendors don’t have GDPR policies, they create bigger problems.
“We have yet to find one website whose CMP [consent management platform] vendor list covers all vendors that are dropping or reading cookies,” said Chloe Grutchfield, co-founder of ad tech consultancy RedBud. “And that includes publishers that opt to display the full IAB list of vendors in their CMP.”
RedBud has scanned 30 of the top U.K. publisher sites and flagged several dubious redirects occurring on a dozen sites, triggered by vendors that have no clear GDPR policy. That puts both publishers and legitimate vendors they work with at risk of penalties. Two companies flagged by RedBud have vague office addresses listed outside the European Union in countries like Israel and Russia.
Some redirects go to vendors that are triggered by other, bona fide vendors for the purpose of cookie syncing. Some may be a little questionable and piggyback on a redirect to redirect to other smaller vendors, added Grutchfield. But in general, redirecting for cookie syncing purposes is a legitimate digital advertising method. The issue comes when smaller players outside of Europe that are not GDPR compliant are triggered on U.K. browsers. There are several like this that are managing to slip through, she added.
RedBud flagged several specific companies as suspicious redirects, which are appearing on publisher sites in the U.K. One such company called “Upravel” states on its website that it has offices in Moscow in Russia and Raanana in Israel. There is only an Israeli address and one generic email listed as contact details on its site. Digiday contacted Upravel via the contact details on its site but received no reply before this article’s publication.
RedBud isn’t the first company to flag Upravel as needing further scrutiny. The Media Trust, which continuously scans publisher pages for unauthorized tags, has previously flagged Upravel as potentially an illegitimate business. A year ago, Upravel was flagged as serving tags and loading a tracking pixel onto a site, although it doesn’t position itself as an ad server. The fact that its name was nearly identical to Uprival, a legitimate business with a good reputation among publishers, also roused suspicion, according to Chris Olson, CEO of The Media Trust.
“Publishers need to scan their ecosystem for any unauthorized supply chain code,” said Olson. “The rogue code could enable unauthorized data gathering or a data breach that would put a publisher at odds with GDPR.”
Despite being flagged as suspicious a year ago, the company continues to appear on sites today. Another name flagged by RedBud as suspicious and appearing on major U.K. publisher sites is “Slowplay,” which shares a domain name with “cootlogix.” A visit to its site shows no GDPR policy and three vague office addresses in Malta, London and Denver in the U.S. Digiday contacted Slowplay via the contact details on their site but received no reply.
Many media executives believe that the seemingly infinite number of vendors in the digital ad market creates the perfect camouflage for fraudsters and bad practice. However, GDPR needs to be used as a tool by all legitimate players in the ecosystem to enforce cleaner practice. “It is the natural outcome of strategies and practices which are ignoring the fact that RTB is not GDPR compliant and so bundling consent,” said Alessandro de Zanche, independent media consultant and former News UK executive. “This is leaving gray areas and dodgy practices active, something which in a pre-GDPR era were ‘just’ unacceptable but today are also illegal.”
Keeping track of which vendors a publisher’s vendors redirect to is a constantly moving target. Typically, exchanges and SSPs rotate who they redirect to. They won’t call all their partners in every session because it would put too much pressure on a website. If they sync cookies with more than 100 partners, they will use redirect rotations. That makes it tricky for publishers to see the full extent of who is dropping cookies on their sites.
That said, the onus shouldn’t be just on publishers to monitor. Ad tech vendors also share the responsibility of auditing who they are redirecting to and whether those companies have GDPR policies.
“Third-party vendors doing business with the digital publishers do have a responsibility to know where their source code is running,” said Olson. “Though, there is a willpower issue in the digital ad ecosystem. If you shut off one company from running on your site, they will find others [vendors to piggyback on] to get them there.”
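The check described above, comparing the domains that drop or read cookies against a CMP vendor list across several sessions so that rotated redirects are caught, can be sketched as follows. This is an added example, not code from RedBud, The Media Trust or any publisher; the session data, the `.example` hosts and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: three crawl sessions of one page. Each chain lists
# redirect hops in order as (host, sets_or_reads_cookie). All hosts are
# placeholders under the reserved .example TLD.
SESSIONS = [
    [[("sync.ssp-a.example", True), ("px.dsp-b.example", True)]],
    [[("sync.ssp-a.example", True), ("px.dsp-c.example", True),
      ("t.unlisted-x.example", True)]],
    [[("sync.ssp-a.example", True), ("px.dsp-b.example", True)],
     [("cdn.static-d.example", False)]],
]
# Constructed stand-in for the vendor domains declared in the publisher's CMP.
CMP_VENDOR_DOMAINS = {"ssp-a.example", "dsp-b.example", "dsp-c.example"}


def site(host):
    """Collapse a host to its last two labels (a simplification; a real
    audit would use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def audit(sessions, cmp_domains):
    """Map each cookie-touching domain missing from the CMP list to the
    sessions it appeared in and the vendor that redirected to it."""
    findings = defaultdict(lambda: {"sessions": [], "triggered_by": set()})
    for idx, chains in enumerate(sessions, start=1):
        for chain in chains:
            for pos, (host, touches_cookie) in enumerate(chain):
                domain = site(host)
                if not touches_cookie or domain in cmp_domains:
                    continue
                entry = findings[domain]
                if idx not in entry["sessions"]:
                    entry["sessions"].append(idx)
                # The previous hop is the vendor that redirected here.
                parent = site(chain[pos - 1][0]) if pos else "(page)"
                entry["triggered_by"].add(parent)
    return dict(findings)


def coverage_by_session(sessions):
    """Cumulative count of distinct cookie-touching domains per session."""
    seen, counts = set(), []
    for chains in sessions:
        seen |= {site(h) for chain in chains for h, c in chain if c}
        counts.append(len(seen))
    return counts
```

In the constructed data, the unlisted domain only shows up in the second session, which is why a single scan under redirect rotation understates who is dropping cookies.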