Ad trackers continue to collect Europeans’ data without consent under the GDPR, say ad data detectives

By Kate Kaye

More than three years after Europe’s sweeping privacy law took effect, consent mismatches and illegitimate data collection continue to undermine advertisers’ and publishers’ efforts to comply with the General Data Protection Regulation. These issues bedeviled companies back in 2018, and new data shows continued gaps between the permissions people give companies to collect and use their data and what ad tech firms actually do.

On the average day between May and the end of August this year, 500,000 online ad impressions served in Europe contradicted the data-collection choices people made as required under the GDPR, according to ad security monitoring company Confiant, which sees digital ad activity across tens of thousands of websites. It’s worth noting that millions of ad requests might be processed each second by just one digital ad platform, so half-a-million ad impressions represents a miniscule portion of all the ads served every day.

We’re not alleging fraud. We’re just alleging that they’re tracking in an unauthorized fashion.

John Murphy, chief strategy officer of Confiant

“We’re not alleging fraud,” said John Murphy, chief strategy officer of Confiant. “We’re just alleging that they’re tracking in an unauthorized fashion.”

Because Confiant has its technology integrated directly with publishers’ pipes, the company can observe the actual behavior of ads and trackers in real-time across tens of thousands of websites and compare it with the information showing whether people have consented to it. Most of the allegedly unauthorized activity Confiant has detected has been enabled by lesser-known ad tech firms, according to Murphy, who declined to provide names of any vendors enabling unpermitted tracking. He added, “The vast majority of the time there is not malicious behavior.”

Sourcepoint, another privacy tech firm that helps companies assess ad tech vendors, scanned 266 publisher sites across the U.K., France, and Germany between June and September. It found that on average, around 37 vendors allowed on domains scanned in the U.K. dropped cookies before getting consent from visitors. For domains scanned in France, the average number of vendors dropping cookies without permission was around 30, and in Germany around 29. The company also declined to provide names of any of the vendors that dropped cookies without permission.

Transparency and consent framework forensics

There are lots of cogs moving at once in the digital ad machine, of course. Although the systems relied on by website publishers to manage consent are built to broadcast people’s data collection preferences throughout the ad ecosystem, those consent management platforms don’t necessarily monitor the validity of people’s data tracking choices that are being passed by other ad tech players. Those choices are reflected in the so-called consent string, which is attached to the bid requests that publishers send when an ad slot is available for advertisers to purchase through programmatic ad systems.

“The [consent management platforms] are there for information collection,” said Kaileigh McCrea, a privacy engineer …read more

Source:: Digiday