More than three years after Europe’s sweeping privacy law took effect, consent mismatches and illegitimate data collection continue to undermine advertisers’ and publishers’ efforts to comply with the General Data Protection Regulation. These issues bedeviled companies back in 2018, and new data shows continued gaps between the permissions people give companies to collect and use their data and what ad tech firms actually do.
On the average day between May and the end of August this year, 500,000 online ad impressions served in Europe contradicted the data-collection choices people made as required under the GDPR, according to ad security monitoring company Confiant, which sees digital ad activity across tens of thousands of websites. It’s worth noting that millions of ad requests might be processed each second by just one digital ad platform, so half-a-million ad impressions represents a miniscule portion of all the ads served every day.
We’re not alleging fraud. We’re just alleging that they’re tracking in an unauthorized fashion.
John Murphy, chief strategy officer of Confiant
“We’re not alleging fraud,” said John Murphy, chief strategy officer of Confiant. “We’re just alleging that they’re tracking in an unauthorized fashion.”
Because Confiant has its technology integrated directly with publishers’ pipes, the company can observe the actual behavior of ads and trackers in real-time across tens of thousands of websites and compare it with the information showing whether people have consented to it. Most of the allegedly unauthorized activity Confiant has detected has been enabled by lesser-known ad tech firms, according to Murphy, who declined to provide names of any vendors enabling unpermitted tracking. He added, “The vast majority of the time there is not malicious behavior.”
Sourcepoint, another privacy tech firm that helps companies assess ad tech vendors, scanned 266 publisher sites across the U.K., France, and Germany between June and September. It found that on average, around 37 vendors allowed on domains scanned in the U.K. dropped cookies before getting consent from visitors. For domains scanned in France, the average number of vendors dropping cookies without permission was around 30, and in Germany around 29. The company also declined to provide names of any of the vendors that dropped cookies without permission.
Transparency and consent framework forensics
There are lots of cogs moving at once in the digital ad machine, of course. Although the systems relied on by website publishers to manage consent are built to broadcast people’s data collection preferences throughout the ad ecosystem, those consent management platforms don’t necessarily monitor the validity of people’s data tracking choices that are being passed by other ad tech players. Those choices are reflected in the so-called consent string, which is attached to the bid requests that publishers send when an ad slot is available for advertisers to purchase through programmatic ad systems.
“The [consent management platforms] are there for information collection,” said Kaileigh McCrea, a privacy engineer at Confiant. “This is about the [ad tech] vendor who should be responding to that information accordingly.”
There is a potential for companies to misrepresent things.
Alex Cone, senior director of product management at IAB Tech Lab
The consent string passed around by consent management platforms and observed by ad fraud watchdogs can indicate when people’s choices don’t match up to actual ad tech activity, in part, because there is a standard framework for encoding and passing those signals. That’s the TCF, the Transparency and Consent Framework devised by the Interactive Advertising Bureau’s Tech Lab for its counterparts in Europe as a way to comply with the demands of the GDPR.
The TCF has its fair share of detractors, though, and is under investigation by the Belgian data protection authority for infringing European data privacy rules. Indeed, it is not clear the technical method for passing people’s privacy choices through the programmatic ad marketplace is curbing tracking that violates GDPR. In its aforementioned study, when Confiant evaluated specific advertisements included among the ad impressions found to contain consent discrepancies, the company found that on average 51% of those discrepancies were enabled by vendors that were not registered to use the IAB’s framework. Even still, 45% of the consent mismatches were enabled by vendors who were registered with TCF, but enabled tracking for purposes those vendors did not have consent for or legitimate interest in doing.
“There is a potential for companies to misrepresent things. An ad request is just a set of fields that’s transmitted out to a bunch of different parties,” said Alex Cone, senior director of product management at IAB Tech Lab, who helped create TCF. He said that exposing inconsistencies in the consent and ad data chain “is the first step in shutting down [those problems].”
Punishing publishers and tech firms
As the face of digital media, publishers can be held liable for the shady data practices they enable on their websites. France’s data protection regulator Commission Nationale de l’Informatique et des Libertés, for example, fined newspaper publisher Le Figaro 50,000 euros for allowing third-party companies to drop tracking cookies without people’s permission. Google was also fined for violating GDPR rules around cookie tracking permissions.
“As a publisher, I feel like I was lulled into a false sense of ‘I am good because nobody’s come with an enforcement action against me, and I would probably be one of the first they’d fine,’” said a publishing exec during a closed-door discussion at Digiday’s recent Publishing Summit. The exec, who spoke on condition of anonymity, continued, “There’s definitely been a false sense of ‘we’ve done the right thing.’ I very much suspect we haven’t done the right thing. They’re just now coming to look at us, and those enforcements really are actually picking up.”
There’s definitely been a false sense of “we’ve done the right thing.” I very much suspect we haven’t done the right thing.
anonymous publishing exec
Global data protection authorities, after meeting in early September, said that the way most websites get people to agree to tracking is not good enough. They wrote, “Action is needed to ensure that web users are able to meaningfully control the processing of their personal data as they browse the internet, in tandem with promoting high standards of data protection by websites and acting to tackle harmful practices.”
IAB Europe itself has begun to crack down on consent management platforms and other ad tech vendors for dropping cookies or firing ad tags without permission from people. The trade group in the last six months has sent warning letters and suspended consent management platforms for failing to comply with guidelines associated with the TCF, according to Filip Sedefov, legal director for privacy at IAB Europe.
“Hopefully that can serve to tackle some of the problems around that,” said Sedefov. The organization recently launched a vendor compliance program to complement its program for monitoring compliance with TCF standards by consent management platforms, he said.
Efforts are also underway at IAB Tech Lab to fortify the signals passed inside TCF consent strings against fraud and falsification. A recent update to the IAB’s framework for enabling buying and selling of programmatic connected TV ad inventory incorporates cryptographic security methods. Down the road, Cone told Digiday, cryptographic or tokenized security measures could be used to ensure the signals passed in TCF consent strings can prove that entities operating in the ad chain are who they say they are. He added, “We want to make privacy-signaling even more credible as a thing that companies can rely on to comply with the law.”