Ad trackers continue to collect Europeans’ data without consent under the GDPR, say ad data detectives

More than three years after Europe’s sweeping privacy law took effect, consent mismatches and illegitimate data collection continue to undermine advertisers’ and publishers’ efforts to comply with the General Data Protection Regulation. These issues bedeviled companies back in 2018, and new data shows continued gaps between the permissions people give companies to collect and use their data and what ad tech firms actually do.

On the average day between May and the end of August this year, 500,000 online ad impressions served in Europe contradicted the data-collection choices people made as required under the GDPR, according to ad security monitoring company Confiant, which sees digital ad activity across tens of thousands of websites. It’s worth noting that millions of ad requests might be processed each second by just one digital ad platform, so half-a-million ad impressions represents a miniscule portion of all the ads served every day.

We’re not alleging fraud. We’re just alleging that they’re tracking in an unauthorized fashion.

John Murphy, chief strategy officer of Confiant

“We’re not alleging fraud,” said John Murphy, chief strategy officer of Confiant. “We’re just alleging that they’re tracking in an unauthorized fashion.”

Because Confiant has its technology integrated directly with publishers’ pipes, the company can observe the actual behavior of ads and trackers in real-time across tens of thousands of websites and compare it with the information showing whether people have consented to it. Most of the allegedly unauthorized activity Confiant has detected has been enabled by lesser-known ad tech firms, according to Murphy, who declined to provide names of any vendors enabling unpermitted tracking. He added, “The vast majority of the time there is not malicious behavior.”

Sourcepoint, another privacy tech firm that helps companies assess ad tech vendors, scanned 266 publisher sites across the U.K., France, and Germany between June and September. It found that on average, around 37 vendors allowed on domains scanned in the U.K. dropped cookies before getting consent from visitors. For domains scanned in France, the average number of vendors dropping cookies without permission was around 30, and in Germany around 29. The company also declined to provide names of any of the vendors that dropped cookies without permission.

Transparency and consent framework forensics

There are lots of cogs moving at once in the digital ad machine, of course. Although the systems relied on by website publishers to manage consent are built to broadcast people’s data collection preferences throughout the ad ecosystem, those consent management platforms don’t necessarily monitor the validity of people’s data tracking choices that are being passed by other ad tech players. Those choices are reflected in the so-called consent string, which is attached to the bid requests that publishers send when an ad slot is available for advertisers to purchase through programmatic ad systems.

“The are there for information collection,” said Kaileigh McCrea, a privacy engineer at Confiant. “This is about the [ad tech] vendor who should be responding to that information accordingly.”

There is a potential for companies to misrepresent things.

Alex Cone, senior director of product management at IAB Tech Lab

The consent string passed around by consent management platforms and observed by ad fraud watchdogs can indicate when people’s choices don’t match up to actual ad tech activity, in part, because there is a standard framework for encoding and passing those signals. That’s the TCF, the Transparency and Consent Framework devised by the Interactive Advertising Bureau’s Tech Lab for its counterparts in Europe as a way to comply with the demands of the GDPR. 

The TCF has its fair share of detractors, though, and is under investigation by the Belgian data protection authority for infringing European data privacy rules. Indeed, it is not clear the technical method for passing people’s privacy choices through the programmatic ad marketplace is curbing tracking that violates GDPR. In its aforementioned study, when Confiant evaluated specific advertisements included among the ad impressions found to contain consent discrepancies, the company found that on average 51% of those discrepancies were enabled by vendors that were not registered to use the IAB’s framework. Even still, 45% of the consent mismatches were enabled by vendors who were registered with TCF, but enabled tracking for purposes those vendors did not have consent for or legitimate interest in doing.

“There is a potential for companies to misrepresent things. An ad request is just a set of fields that’s transmitted out to a bunch of different parties,” said Alex Cone, vp of privacy and data protection at IAB Tech Lab, who helped create TCF. He said that exposing inconsistencies in the consent and ad data chain “is the first step in shutting down [those problems].”

Punishing publishers and tech firms

As the face of digital media, publishers can be held liable for the shady data practices they enable on their websites. France’s data protection regulator Commission Nationale de l’Informatique et des Libertés, for example, fined newspaper publisher Le Figaro 50,000 euros for allowing third-party companies to drop tracking cookies without people’s permission. Google was also fined for violating GDPR rules around cookie tracking permissions.

“As a publisher, I feel like I was lulled into a false sense of ‘I am good because nobody’s come with an enforcement action against me, and I would probably be one of the first they’d fine,’” said a publishing exec during a closed-door discussion at Digiday’s recent Publishing Summit. The exec, who spoke on condition of anonymity, continued, “There’s definitely been a false sense of ‘we’ve done the right thing.’ I very much suspect we haven’t done the right thing. They’re just now coming to look at us, and those enforcements really are actually picking up.”

There’s definitely been a false sense of “we’ve done the right thing.” I very much suspect we haven’t done the right thing.

anonymous publishing exec

Global data protection authorities, after meeting in early September, said that the way most websites get people to agree to tracking is not good enough. They wrote, “Action is needed to ensure that web users are able to meaningfully control the processing of their personal data as they browse the internet, in tandem with promoting high standards of data protection by websites and acting to tackle harmful practices.” 

IAB Europe itself has begun to crack down on consent management platforms and other ad tech vendors for dropping cookies or firing ad tags without permission from people. The trade group in the last six months has sent warning letters and suspended consent management platforms for failing to comply with guidelines associated with the TCF, according to Filip Sedefov, legal director for privacy at IAB Europe. 

“Hopefully that can serve to tackle some of the problems around that,” said Sedefov. The organization recently launched a vendor compliance program to complement its program for monitoring compliance with TCF standards by consent management platforms, he said. 

Efforts are also underway at IAB Tech Lab to fortify the signals passed inside TCF consent strings against fraud and falsification. A recent update to the IAB’s framework for enabling buying and selling of programmatic connected TV ad inventory incorporates cryptographic security methods. Down the road, Cone told Digiday, cryptographic or tokenized security measures could be used to ensure the signals passed in TCF consent strings can prove that entities operating in the ad chain are who they say they are. He added, “We want to make privacy-signaling even more credible as a thing that companies can rely on to comply with the law.”

Note: This article have been indexed to our site. We do not claim legitimacy, ownership or copyright of any of the content above. To see the article at original source Click Here

Related Posts
Intel Core i5-12400 CPU and MSI MAG B660M Mortar WiFi DDR5 motherboard hit our test lab thumbnail

Intel Core i5-12400 CPU and MSI MAG B660M Mortar WiFi DDR5 motherboard hit our test lab

Premiera zablokowanych procesorów Intel Core 12. generacji nieprzypadkowo została zsynchronizowana z debiutem tańszych chipsetów B660/H610, bowiem w zamyśle powinny stanowić idealne połączenie. Dosłownie na dniach możecie spodziewać się pierwszych testów tańszych modeli Alder Lake w naszym wykonaniu, natomiast w międzyczasie MSI przysłało do naszej redakcji okolicznościowy press-pack. Zestaw obejmuje procesor Intel Core i5-12400 i płytę…
Read More
Everyone needs to buy one of these cheap security tools thumbnail

Everyone needs to buy one of these cheap security tools

Whenever I'm asked for things that are a must-have, a YubiKey is on the top of my list no matter what platform or operating system people are using -- Windows, Mac, or Linux, Android or iOS.It doesn't matter.Everyone needs a YubiKey. So, what is a YubiKey?A YubiKey is the ultimate line of defense against having…
Read More
Amazon and Visa call truce on credit card fee dispute thumbnail

Amazon and Visa call truce on credit card fee dispute

jetcityimage / Getty Images Last November, Amazon warned UK customers it was going to stop accepting Visa credit card payments, blaming "high fees Visa charges for processing credit card transactions" for the change. Prior to that, the e-commerce giant encouraged its customers in Singapore and then later in Australia to stop using their Visa card…
Read More
Facebook removed anti-vaccine trucker protest groups run by overseas actors thumbnail

Facebook removed anti-vaccine trucker protest groups run by overseas actors

As anti-vaccine groups in the US attempt to stage their own version of Canada’s disruptive “Freedom Convoy,” foreign content mills have worked to bolster those efforts for their own gains. This week, Facebook parent company Meta told Reuters and NBC News it recently removed several “trucker convoy” groups and pages run by scammers in Vietnam, Bangladesh,…
Read More
Orangutans devour highly poisonous mammals thumbnail

Orangutans devour highly poisonous mammals

え、草食のイメージだったわ。オランウータンはマレーシアやインドネシアの一部の森に住み、果実色が中心で、若葉や昆虫も食べていることで知られています。時には鳥の卵も食べているらしいのですが、なんと動物の肉も食べるんですって。かなりのオランウータン好きじゃないとピンとこないかもしれないので、Madeleine E. Hardusらが撮影してアップした、ボルネオのオランウータンがスローロリスという小型哺乳類を捕獲し、食べている動画をご覧ください。学術誌「Primates」によると、研究者はボルネオ島の中央カリマンタン、カプアス地域に位置するトゥアナン・オランウータンリサーチステーションにて2003年から2017年までオランウータンの行動を観察したそう。その結果、果実61%、若葉14%、花8%、昆虫5%の割合で食していることがわかったのだとか。この動画は偶然撮られたもので、IFLSによると、そもそも研究者たちはオランウータン親子の観察をしていたんですって。しかし、オスの「モロン」が急に木から降りてスローロリスを追いかけ始めたので、急遽ターゲットを変更。結果的に、スローロリスを叩いて木から落として仕留め、慎重に扱いながら食べる映像ゲットとなったみたい。一連の行動を目撃した研究者は、さぞかし驚いたことでしょう。動物を食べたというのもそうですが、スローロリスは哺乳類でありながら毒を持っているんです。彼らは動きはゆっくりですが、肘から毒を出して唾液に混ぜ、鋭い歯で敵の皮膚を傷つけて毒を染み込ませるんですよね。もともと臆病な性格なので積極的に襲ってくることはないのですが、攻撃されたらしっかり反撃できるタイプ。体重2kg程度ですが、人間が噛まれてもアナフィラキシーショックを引き起こすくらいの強い毒らしいので、オランウータンが取り扱いに警戒するのも納得です。ちなみに、オランウータンはしょっちゅう肉を食べているわけではなく、長い調査期間で2回しか見かけることがなかったようです。2回のうちの1回がコレで、もう1回は空腹に耐えかねたオランウータンがネズミの巣を荒らしてスナックでも食べるようにしていたのだとか。研究者を増員して、長期にわたって徹底的に調査すれば、もう少し目撃することになるのかもしれません。でも、現時点の研究では「非常に稀」で、これが「野生のボルネオオランウータンがスローロリスを捕食した最初のできごと」にあたるそうですよ。Source: IFLS
Read More
OnePlus 9RT comes with Android 11 right out of the box thumbnail

OnePlus 9RT comes with Android 11 right out of the box

Inom kort förväntas OnePlus hålla ett event där tillverkaren troligtvis kommer visa upp nya OnePlus 9RT. Nu ser det ut som att det inkommit uppgifter om den här modellen. Det ser ut som att modellen kommer köra Android 11 direkt ur lådan vilket helt klart är en besvikelse nu när Android 12 finns ute. Vidare…
Read More
Index Of News
Consider making some contribution to keep us going. We are donation based team who works to bring the best content to the readers. Every donation matters.
Donate Now

Subscription Form

Liking our Index Of News so far? Would you like to subscribe to receive news updates daily?

Total
0
Share