Behind the Curtain is a monthly column from Redbud, digging deep each month to discover what’s really going on buried deep in the adtech layers around publishers’ sites.
By Chloe Grutchfield, Co-Founder, RedBud
The adtech industry never ceases to amaze me. Somehow technologies will find creative ways to address a problem which is impacting revenue, even if it means bending the rules a little bit (or should I say, a lot).
Have you heard of consent string fraud?
We’ve seen it with our very own eyes through our proprietary platform DIAGNOSE. Rest assured, we won’t name and shame you (as I am sure you know who you are) but we will name and shame the practice itself.
Here’s a friendly warning: If you’re doing it, stop it. You’re giving this industry which we love a bad name, and you will be caught out sooner rather than later.
Over the last 18 months, since our inception, our proprietary scanning tool has captured data across numerous European publishers using a range of residential IP addresses. One of the use cases that is getting the most traction at the moment is Compliance: the action of complying with GDPR or with an advertiser’s and/or vendor’s business rules.
Our publishers want to understand – quite rightly – where privacy vulnerabilities lie:
- Is their CMP vendor list capturing an exhaustive list of 3rd party cookies dropped on their site (99% of the time it isn’t)?
- Have they implemented their CMP and tag management solutions to work hand in hand to prevent 3rd party scripts from loading before the user has consented?
- Are any questionable vendors dropping cookies on their site? (And before you ask, yes – some small vendors’ privacy policies continuously make us giggle: copy/paste GDPR template errors…)
Recently DIAGNOSE captured a very creative practice, which some will call ‘consent string fraud’.Let’s take a deeper look, shall we?
- The user (in our example a test cookie-virgin browser on a rotating UK IP address) is visiting a client website and emulating a “reject all” behaviour on a CMP (giving consent to no purpose and no vendor)
- The CMP is creating an IAB TCF consent string and storing it in a 3rd party (consensu.org IAB sub-domain) cookie and 1st party cookie. When decoded, that consent string has the CMP ID that matches the CMP and no vendors and purposes listed for consent. So far, so good as you can see from the screenshot below.
- That consent string is shared with the ecosystem – that consent string is essentially saying to the demand partners: “Nope, can’t process my data guys”
- Now we have a few very resourceful vendors who just ignore that entirely. Do they simply “assume” that all users consent? They create their own ‘consent string’ (once decoded, it features their own CMP ID and all the vendors and purposes consented for – see anonymised screenshot below). How convenient is that!
- That consent string gets shared with a few very large demand players in the market, therefore creating a deep tangled web of fraudulent compliance.
Now that, is taking the mickey, right? When I consent, whether it be because I want to consume that content or simply love that brand, it’s my choice to dictate who and who does not utilise my data.That’s what GDPR is all about, surely?
So, when I say “No”, it means No! Don’t mess with my consent string! (Pretty please!)
So what do we do about it?
Well, we’re calling this practice out, through the medium of articles such as this, and also through deep discussions with our trusted publisher partners and large associations across the industry. Yep, that’s right, we are giving visibility to our clients so they can take back control of their digital assets.
So why not contact us to find out more.