Consent Fraud: A Simmering Problem That Could Scald The Ecosystem

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Daniel Jaye, founder and head of product at aqfer.

Ad fraud has long been on marketers’ radar, but there is another type of overlooked fraudulent activity that carries potential regulatory and reputation-related consequences: consent fraud.

For those not in the know, the potential fraud can be traced to the consent string, a technical feature used in relation to data privacy and the General Data Protection Regulation (GDPR).

A consent string is a set of numbers generated by the consent management platform (CMP) used by a company deemed to be a data controller under GDPR. Sometimes called a “daisybit,” the consent string indicates whether a vendor has gained a consumer’s consent to use relevant data to serve personalized ads and specifies how the identifying data is used. It’s framed through single digits, or bits: a 1 means the ad tech vendor has the consent required, and a 0 means it doesn’t.

This simple algorithm goes to the heart of whether ads can be served as they have since the advent of the digital era – and that, in turn, goes to the heart of GDPR’s wide-ranging regulations. It’s why the Interactive Advertising Bureau (IAB) of Europe specifically opted to assign a consent string to all providers on its global vendor list, which is fundamental to the IAB Transparency and Consent Framework.

GDPR only went into effect last May, and we’re already hearing that some vendors are pulling the strings needed to push through unwanted ads. It doesn’t take too much technical prowess to hack the system and change daisybits, and that’s become an option for some unscrupulous players.

At the most basic level, a 0 becomes a 1, and presto, the consumer’s wishes are ignored and many more ads are allowed. To be fair, it’s only one or two bad actors so far (that I know of). But misdeeds this early send a bad signal.
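A check for the 0-to-1 change described above, as an added example that is not part of the original column: it compares the vendor bits in the string a CMP recorded with the string that later arrives downstream. It assumes the IAB TCF v1.1 bit layout with bit-field encoding, which the column does not detail; the function names and both sample strings are constructed for illustration.

```python
import base64

# Assumed layout (IAB TCF v1.1, not spelled out in the column): 156 bits of
# header fields, 16-bit MaxVendorId, 1-bit EncodingType, then the vendor bits.
MAX_VENDOR_AT, ENCODING_AT, FIELD_AT = 156, 172, 173

def _to_bits(consent_string):
    """Decode the web-safe base64 string into a '0'/'1' text string."""
    padded = consent_string + "=" * (-len(consent_string) % 4)
    return "".join(f"{byte:08b}" for byte in base64.urlsafe_b64decode(padded))

def vendor_consents(consent_string):
    """Return {vendor_id: bool} from a bit-field-encoded v1 consent string."""
    bits = _to_bits(consent_string)
    if len(bits) < FIELD_AT or int(bits[:6], 2) != 1:
        raise ValueError("not a version 1 consent string")
    if bits[ENCODING_AT] != "0":
        raise ValueError("range encoding is not handled in this example")
    max_vendor = int(bits[MAX_VENDOR_AT:ENCODING_AT], 2)
    field = bits[FIELD_AT:FIELD_AT + max_vendor]
    if len(field) < max_vendor:
        raise ValueError("vendor bit field is truncated")
    return {vid: field[vid - 1] == "1" for vid in range(1, max_vendor + 1)}

def escalated_vendors(issued, observed):
    """Vendor IDs that are 1 downstream but were 0 (or absent) at the CMP."""
    at_cmp, downstream = vendor_consents(issued), vendor_consents(observed)
    return sorted(v for v, ok in downstream.items() if ok and not at_cmp.get(v, False))

def _constructed_sample(vendor_bits):
    """Build test input only: version 1, all other header fields zeroed."""
    bits = f"{1:06b}" + "0" * 150 + f"{len(vendor_bits):016b}" + "0" + vendor_bits
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed samples: what the CMP logged vs. what arrived with a bid request.
ISSUED = _constructed_sample("10100")
OBSERVED = _constructed_sample("10110")

if __name__ == "__main__":
    print("CMP record:", vendor_consents(ISSUED))
    print("escalated vendor IDs:", escalated_vendors(ISSUED, OBSERVED))
```

A non-empty result means a vendor bit was raised somewhere between the CMP and the point of observation, which is the signal to investigate that supply path.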

Another issue may be that while IAB’s consent string is the clear standard, there’s at least one alternative: Google and its Funding Choices platform. Launched in the United States back in summer 2017 (it’s since been rolled out in other markets), it was created to help publishers get back some of the revenue they were losing to ad blockers.

This is more of an approach than a standard, but it can serve different results for the same ad bid request – and given Google’s reach, that matters. However, the company has indicated that it will accept the next iteration of the IAB standard, assuming certain adjustments are made.

But many US enterprises doing business in Europe, and even some European vendors directly in the line of fire, lack the experience and commitment to deploy the right CMPs and guarantee the integrity of the process. It’s even more troubling that although GDPR was supposed to establish a common standard, it is interpreted differently in different jurisdictions. A depressing number of companies don’t understand fundamental requirements, and a few seem to think the old cookie notices are enough.

In other words, the message that what was previously a directive is now a law – and breaking it will bring consequences – hasn’t resonated loudly enough yet.

Sure, there are nuances. Balancing a legitimate interest assessment that takes into account risks and intrusiveness makes for a complex equation. But we should be able to tell the difference between a 1 and a 0.

GDPR is real and consequential, and there are surely more privacy mandates coming. Consent fraud isn’t even a simmer yet, but anything close to a boil will hurt the whole ecosystem. It might begin with greater scrutiny and exposure, then proceed to additional sanctions and even heavier regulation.

But more than the fear of punishment, we should consider the upside. Just as attempts to do an end run around legitimate interest could backfire, gaining appropriate consent can pay rich dividends. There’s often a stigma associated with data-driven marketing. Respecting consumer preferences, remaining accountable and meeting consumer needs helps us all in the long run.

Yes, any kind of regulation can be painful. But with GDPR and other privacy mandates, playing by the rules could create big wins.
