Ad trackers continue to collect data from Europeans without consent under GDPR, ad data detectives say
More than three years after the sweeping European privacy law came into effect, consent gaps and illegitimate data collection continue to undermine efforts by advertisers and publishers to comply with the General Data Protection Regulation. These issues plagued businesses in 2018, and new data shows persistent gaps between the permissions people grant businesses to collect and use their data and what ad technology companies actually do.
On average between May and the end of August of this year, 500,000 online ad impressions served in Europe contradicted the data collection choices made by people in accordance with the GDPR, according to ad security monitoring company Confiant, which sees the digital advertising activity on tens of thousands of websites. It should be noted that millions of ad requests can be serviced every second by a single digital ad platform, so half a million ad impressions is a tiny fraction of all ads served each day.
“We are not alleging fraud,” said John Murphy, director of strategy at Confiant. “We are simply alleging that they are tracking in an unauthorized manner.”
Because Confiant has its technology built right into publishers’ sites, the company can observe the actual behavior of ads and trackers in real time on tens of thousands of websites and compare it with information showing whether people have consented to them. Most of the allegedly unauthorized activity that Confiant detected was triggered by lesser-known ad technology companies, according to Murphy, who declined to provide the names of any vendors that allowed unauthorized tracking. He added: “The vast majority of the time there is no malicious behavior.”
Sourcepoint, another privacy technology company that helps businesses assess ad technology providers, scanned 266 publisher sites in the UK, France and Germany between June and September. It found that, on average, around 37 providers allowed on scanned domains in the UK dropped cookies before obtaining consent from visitors. For the domains analyzed in France, the average number of providers who set cookies without authorization was around 30, and around 29 in Germany. The company also declined to provide the names of vendors who have placed cookies without authorization.
Transparency and consent framework
There are of course many cogs moving in the digital advertising machine at once. While the systems that website publishers rely on to manage consent are designed to disseminate people’s data collection preferences across the advertising ecosystem, these consent management platforms do not necessarily monitor the validity of the choices for tracking personal data that are transmitted by other players in advertising technology. These choices are reflected in the so-called consent string, which is attached to auction requests that publishers send out when ad space is available for advertisers to purchase through programmatic ad systems.
“The [consent management platforms] are there for information gathering,” said Kaileigh McCrea, privacy engineer at Confiant. “It’s about the [ad tech] supplier who should respond to this information accordingly.”
The consent string conveyed by consent management platforms and observed by ad fraud watchdogs may indicate when people’s choices do not match the actual activity of ad technology, in part because there is a standard framework for encoding and transmitting these signals. This is the TCF, the Transparency and Consent Framework designed by the Tech Lab of the Interactive Advertising Bureau for its counterparts in Europe to comply with GDPR requirements.
However, the TCF has its fair share of detractors and is the subject of an investigation by the Belgian data protection authority for breach of European data privacy rules. Indeed, it is not clear that the technical method for conveying people’s privacy choices via the programmatic advertising marketplace limits tracking that violates the GDPR. In its aforementioned study, when Confiant assessed specific ads included among ad impressions that contained consent discrepancies, the company found that on average 51% of those discrepancies were triggered by vendors who weren’t registered to use it under the IAB. Even still, 45% of the consent mismatches were triggered by providers who were registered with the TCF, but allowed tracking for purposes for which those providers did not have consent or had no legitimate interest to do so.
“There is the potential for companies to twist things. An ad request is just a bunch of fields that get passed out to a bunch of different parties,” said Alex Cone, senior director of product management at IAB Tech Lab, who helped create the TCF. He said exposing inconsistencies in the consent and publicity data chain “is the first step in shutting down [those problems].”
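The comparison this section describes, between what a consent string records and what a vendor is observed doing, sketched as an added example (not code from Confiant, Sourcepoint or IAB Tech Lab): it decodes the purpose and vendor bits of a TCF v2 core string and sorts one observed tracking event into the categories reported above. The `registered` set standing in for the TCF vendor list, the event shape, the labels and the `build_sample` helper are assumptions made for illustration; publisher restrictions and each vendor's declared purposes are ignored.

```python
import base64

def _vendor_section(bits, pos):
    # MaxVendorId (16 bits) + IsRangeEncoding (1 bit), then a bitfield or a list of ranges.
    max_id, is_range = int(bits[pos:pos + 16], 2), bits[pos + 16] == "1"
    pos += 17
    if not is_range:
        return {i + 1 for i in range(max_id) if bits[pos + i] == "1"}, pos + max_id
    count, ids = int(bits[pos:pos + 12], 2), set()
    pos += 12
    for _ in range(count):
        span, start = bits[pos] == "1", int(bits[pos + 1:pos + 17], 2)
        end = int(bits[pos + 17:pos + 33], 2) if span else start
        ids.update(range(start, end + 1))
        pos += 33 if span else 17
    return ids, pos

def decode_tc(tc_string):
    """Decode purpose and vendor signals from a TCF v2 core segment."""
    core = tc_string.split(".")[0]  # segments are dot-separated; the core comes first
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    if int(bits[:6], 2) != 2:
        raise ValueError("not a TCF v2 string")
    flags = lambda off: {i + 1 for i in range(24) if bits[off + i] == "1"}
    vendors, pos = _vendor_section(bits, 213)  # vendor consent starts at bit 213
    vendors_li, _ = _vendor_section(bits, pos)  # vendor legitimate interest follows
    return {"purposes": flags(152), "purposes_li": flags(176),
            "vendors": vendors, "vendors_li": vendors_li}

def classify(vendor_id, purpose, tc, registered):
    """Label one observed event; `registered` is an assumed set of listed vendor IDs."""
    if vendor_id not in registered:
        return "unregistered-vendor"
    if vendor_id in tc["vendors"] and purpose in tc["purposes"]:
        return "consented"
    if vendor_id in tc["vendors_li"] and purpose in tc["purposes_li"]:
        return "legitimate-interest"
    return "no-legal-basis"

def build_sample(purposes, vendors, max_vendor=16):
    """Constructed input: minimal core string, bitfield vendors, empty LI section."""
    bits = f"{2:06b}" + "0" * 146  # version 2; metadata fields zeroed for brevity
    bits += "".join("01"[p in purposes] for p in range(1, 25))
    bits += "0" * 37  # purposes LI (24) + PurposeOneTreatment (1) + PublisherCC (12)
    bits += f"{max_vendor:016b}0" + "".join("01"[v in vendors] for v in range(1, max_vendor + 1))
    bits += "0" * 17  # empty vendor legitimate-interest section
    bits += "0" * (-len(bits) % 8)
    return base64.urlsafe_b64encode(int(bits, 2).to_bytes(len(bits) // 8, "big")).rstrip(b"=").decode()
```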
Punish publishers and tech companies
In the face of digital media, publishers can be held accountable for questionable data practices they allow on their websites. The French data protection regulator, the National Commission for Informatics and Freedoms, for example, fined newspaper publisher Le Figaro €50,000 for allowing third-party companies to drop tracking cookies without people’s permission. Google was also fined for violating GDPR rules regarding cookie tracking permissions.
“As a publisher, I feel like I’ve been cradled by a false sense of ‘I’m fine because no one came up with any enforcement action against me, and I would probably be one of the first to get by,’” said a publishing director in a closed-door discussion at Digiday’s recent Publishing Summit. The executive, who spoke on condition of anonymity, continued, “There was certainly a false sense of ‘we did the right thing’. I strongly suspect that we did not do the right thing. They just watched us, and these executions are really escalating.”
Global data protection authorities, after meeting in early September, said the way most websites trick people into agreeing to tracking is not enough. They wrote: “Measures are needed to ensure that web users are able to significantly control the processing of their personal data while browsing the internet, while promoting high standards of data protection by websites and taking action to combat harmful practices.”
IAB Europe itself has started cracking down on consent management platforms and other ad technology providers for setting cookies or triggering ad tags without people’s permission. Over the past six months, the business group has sent out warning letters and suspended consent management platforms for non-compliance with guidelines associated with TCF, according to Filip Sedefov, privacy legal director at IAB Europe.
“I hope this can serve to resolve some of the issues around it,” Sedefov said. The organization recently launched a supplier compliance program to complement its program for monitoring compliance with TCF standards through consent management platforms, he said.
Efforts are also underway at the IAB Tech Lab to strengthen the signals transmitted in TCF consent strings against fraud and forgery. A recent update to the IAB framework to enable the buying and selling of an inventory of programmatic connected TV ads incorporates cryptographic security methods. Eventually, Cone told Digiday, cryptographic or token security measures could be used to ensure that signals passed through TCF consent strings can prove that the entities operating in the ad chain are who they claim to be. He added, “We want to make privacy flagging even more credible as something businesses can rely on to comply with the law.”