‘It’s hurting us’: Confessions of an ad tech exec on GDPR consent-string fraud

Three months ago, four ad tech vendors flagged that they had identified fake consent strings. Consent strings are generated by a publisher’s consent management platform and passed back to all that publisher’s digital ad partners to show which impressions have user consent for personalized advertising, and which don’t. It seems the issue hasn’t gone away.

For the latest instalment in our confessions series, in which we trade anonymity for candor, we spoke to an ad tech executive who is frustrated that consent-string manipulation is potentially costing its business hundreds of thousands of pounds.

Excerpts lightly edited for clarity and flow.

How big a deal is consent string fraud?
It’s cropping up in a lot more conversations. Certain demand-side platforms are looking for consent-string anomalies by checking the different consent strings that come through different exchanges for the same domains. Those exchanges that look like they have lower levels of consent than others are being flagged by the DSPs as anomalies, but the irony is that those that stand out may not be the anomaly.

How are they not anomalies?
The exchanges that appear to have lower volumes of consented requests are only looking that way because they’re not tampering with the consent strings. The real anomalies may be those who don’t look like they have been affected, because it’s likely they’re altering the strings, or potentially behaving in a more nefarious fashion.

Are there different kinds of consent-string fraud?
Yes. We see two main types. The first type is due to a lack of interoperability between the consent strings being generated by Google’s CMP, and those that are generated via CMPs in the Interactive Advertising Bureau Europe’s GDPR framework, which use the IAB consent string. Each code is generated to do the same thing — to show a publisher’s ad tech partners which impressions have consent attached or not — but they use different codes and although everyone would like them to be interoperable, they’re not. Some DSPs don’t even know how to read the Google consent-string version. Therefore some vendors may be manipulating the strings so they can work in either environment.

That seems kind of understandable.
It is in some ways, but it’s a frustration for any exchange that’s following the rules because it puts them at a massive commercial disadvantage. We’re sticking to the IAB’s rules, but it is hurting us to do so. Those exchanges that aren’t altering them, like ours, are then hurting commercially as a result because we’re not able to monetize the same volume of inventory. Those that are tampering with the strings are hurting less. There isn’t much visible enforcement yet from the IAB on this.

How much are we talking about being lost here?
Potentially hundreds of thousands of pounds.

What about the second type of fraud?
Some of the more murky stuff isn’t visibly happening among the tier-one vendors, but more likely with the tier-two and -three vendors and the mid- to long-tail publishers. I know of one that gives publishers an option like: “tick this box if you have consent but are not using an IAB CMP,” and then the exchange is creating a string to look like they do have IAB consent from a CMP.

What does this mean for your business?
Because some of these more nefarious activities are likely to be more prevalent in the smaller exchanges, the actual impact may not be huge. There’s potentially a larger impact from anyone who is converting consent signals from one framework to another. But I see it being something we will continue to have to look into and troubleshoot well into 2019.

Are these just teething issues?
There are still technical examples of consent strings not being properly transmitted. And that’s not necessarily because of shadiness, but due to how complex our ecosystem is — there are lots of ways publishers connect to demand through containers, header bidding, tags — some things just get lost along the way. It will be extra work to ensure appropriate consent strings are passed through in the right way, and in a way that can be read.

How can this be stopped?
The problem with coming down on this issue is that it will cause pain through the value chain. It’s a little like the wider issue with ad fraud — not many businesses are incentivized to completely clamp down on it because everyone’s motivations are commercial. No one gets a bonus for being legally compliant, they get a bonus for hitting their numbers. Really, the only businesses with the incentive to want to remove fraud entirely are the advertisers because it’s their budgets.
