Could GDPR Consent String Fraud Bring Down the Whole Ad Tech Ecosystem?


In an effort to get around some of the more onerous provisions of the European General Data Protection Regulation (GDPR), which went into effect in May 2018, some ad tech vendors appear to be engaging in a form of data privacy fraud known as “consent string fraud.” If this type of data privacy fraud becomes rampant and European regulators begin to assess fines against ad tech companies knowingly circumventing the GDPR, it could bring down the whole ad tech ecosystem. At the very least, it could have a chilling effect on the entire digital advertising industry as publishers and advertisers decide to scale back their activity.

What is a consent string and why does it matter?

A consent string is a unique series of numbers generated by a publisher’s consent management platform (CMP) and then shared with all digital ad partners. The consent string includes information such as the identity of a vendor, whether or not they have user consent to use data to serve them personalized ads, and how any identifying personal data can be used. The most important consent data is a single bit (a “1” or a “0”) that tells an ad tech vendor whether they can serve up personalized ads. If the value is “1,” then the ad tech vendor has user consent; if the value is “0,” then the ad tech vendor does not have user consent.

Sounds simple enough, right? The idea of the consent string was created by the Interactive Advertising Bureau (IAB) Europe for its global vendor list, and was designed to make online personalized advertising a relatively easy, streamlined process, even after the introduction of the GDPR. A new GDPR transparency and consent framework was created to simplify and streamline compliance. Any time an ad tech vendor wants to serve up an ad to an online user (as part of a real-time bidding system for online ads), all they have to do is check the consent string, and they will immediately know what they can and cannot do. As such, the consent string is really designed to answer just one single question: Does a vendor have the consent of the user to serve them a personalized ad?

However, if a lot of European online users begin to check a little box that says something along the lines of “do not use my personal data for ads,” then that is going to be bad news for ad tech vendors. They will be able to serve up fewer personalized ads, and that means less money in their pockets. In the old way of doing business, they didn’t have to take into account the wishes of the consumer, and could just show any ad they wanted. That meant the digital ad business could flourish.

Thus, some ad tech vendors have apparently been looking for a way to circumvent the GDPR. In a classic example of consent string fraud, an ad tech vendor will knowingly tamper with the consent information found in a publisher’s consent string, in order to give them the ability to deliver personalized ads. In some cases, it might be as easy as switching a “0” (do not use personal data) to a “1” (use personal data). Hacking the consent string may be a relatively easy (although illegal) way to serve up more ads. Thus, even if a user has specifically marked that they do not wish to be tracked and do not wish to have their personal data used, unscrupulous online advertisers may still refuse their request and still serve up ads.
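A publisher or auditor can check for this kind of tampering by decoding the consent string its CMP issued and the one observed downstream, then listing vendors whose consent bit went from 0 to 1. The following is an added example, not code from the article or from the IAB; it goes beyond the article by assuming the IAB TCF v1.1 bit-field layout (the article does not describe the format), handles only the bit-field vendor encoding, and all function names and sample strings are constructed for illustration.

```python
import base64

# IAB TCF v1.1 fields that precede the vendor section: (name, width in bits).
HEADER = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("language", 12),
          ("vendor_list_version", 12), ("purposes", 24), ("max_vendor_id", 16),
          ("encoding_type", 1)]
HEADER_BITS = sum(width for _, width in HEADER)  # 173


def decode(consent_string):
    """Return (header dict, set of vendor ids whose consent bit is 1)."""
    padded = consent_string + "=" * (-len(consent_string) % 4)
    raw = base64.urlsafe_b64decode(padded)
    bits = "".join(f"{byte:08b}" for byte in raw)
    if len(bits) < HEADER_BITS:
        raise ValueError("consent string shorter than the fixed header")
    header, pos = {}, 0
    for name, width in HEADER:
        header[name] = int(bits[pos:pos + width], 2)
        pos += width
    if header["encoding_type"] != 0:
        raise ValueError("range-encoded vendor section not handled here")
    vendor_bits = bits[pos:pos + header["max_vendor_id"]]
    if len(vendor_bits) < header["max_vendor_id"]:
        raise ValueError("vendor bit field is truncated")
    return header, {i + 1 for i, bit in enumerate(vendor_bits) if bit == "1"}


def compare(issued, observed):
    """Diff the CMP's string against one seen downstream in a bid request."""
    issued_header, issued_vendors = decode(issued)
    observed_header, observed_vendors = decode(observed)
    return {"vendors_gained": sorted(observed_vendors - issued_vendors),
            "header_changed": issued_header != observed_header}


def build_sample(consented, max_vendor_id=16):
    """Encode a constructed test string (hypothetical helper for the samples)."""
    values = {"version": 1, "max_vendor_id": max_vendor_id}
    bits = "".join(f"{values.get(name, 0):0{width}b}" for name, width in HEADER)
    bits += "".join("1" if v in consented else "0"
                    for v in range(1, max_vendor_id + 1))
    bits += "0" * (-len(bits) % 8)
    return base64.urlsafe_b64encode(
        int(bits, 2).to_bytes(len(bits) // 8, "big")).rstrip(b"=").decode()


# Constructed samples: the CMP recorded consent for vendors 2 and 5 only.
ISSUED = build_sample({2, 5})
OBSERVED = build_sample({2, 5, 9})
print(compare(ISSUED, OBSERVED))
```

A non-empty `vendors_gained` list means the downstream string claims consent the CMP never recorded, which is the signal worth logging and investigating alongside the bid request it arrived in.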

Confusion in the industry about GDPR consent strings

The term “consent string” has only been around since the launch of the GDPR in 2018, so it’s quite possible that some of the ad fraud that is taking place in the industry is simply a case of ignorance and not actual criminal intent. In other words, it may not be a case that ad tech vendors are deliberately trying to hack consent strings to change key values – it might be the case, rather, that they simply don’t understand the system and have not yet figured out the nuances of a consent management platform (CMP). As proof of this fact, consider that Digiday published an article called “WTF is a GDPR Consent String?” over the summer. That tells you all you need to know about the level of comfort that publishers and advertisers have with the whole consent string concept.

It certainly does not help matters – at least, from the perspective of ad tech vendors – that there are now two competing standards for consent strings. On one hand, you have the consent string version developed by the IAB, and on the other hand, you have the consent string version developed by Google (which obviously has a very real, vested stake in the future of digital advertising). And, as might be expected, these two consent strings are not interoperable. In other words, there’s no way to convert a consent string from the IAB into a consent string from Google (or vice versa). The numbers added to an ad bid request for a digital ad are going to be different if they are coming from the IAB or from the Google Funding Choices platform.

Thus, couldn’t it theoretically be the case that an ad tech vendor has consent from Google, and not the IAB, and then unwittingly shows a personalized ad that it shouldn’t, believing that it has consent from both? In other words, an ad tech vendor might just decide that consent from Google implies consent from the IAB. That might help to explain at least a few cases of consent string fraud that were never even imagined by the technical working groups of the IAB and Google.

How will European regulators react?

In the lead-up period to the GDPR going into effect, some analysts warned of the potential chilling effect that the regulation might have on global business. In certain industries that are heavily reliant on user data – such as the digital advertising industry or the supply chain industry – the need to obtain user consent before undertaking just about any form of online personalization might be seen by some companies as overly onerous. Companies would have two relatively unpalatable options – either scale back their activities if they cannot deal with the compliance requirements of the GDPR, or find subtle ways to exploit loopholes and weaknesses in the system (i.e. commit fraud).

And now we are beginning to see signs of this in the ad tech industry. For now, there have only been a handful of articles about “GDPR consent string fraud,” and many in the industry genuinely appear confused about what it all means. The big question, of course, is how European regulators will view this matter. Will they essentially give ad tech vendors a “free pass” and let them sort things out on their own, or will they step in with a heavy hand and start levying penalties and fines if they have identified fake compliance? How that question gets answered might tell us a lot about the state of the digital advertising ecosystem going forward.