New Game: Consent String Fraud

Well, that didn’t take long. GDPR went into effect at the end of May, and as we all return from summer holidays we are already the victims of consent string fraud. I guess fraudsters don’t vacation. They spent the summer generating fake consent string numbers.

Digiday has already run its “WTF is a Consent String” piece, which signifies that the term has already entered the ad tech lexicon. You’re probably still applying your mosquito repellant, so here’s what it means:

A consent string, also referred to as a “daisybit,” is a series of numbers added to an ad bid request, which identifies the consent status of an ad tech vendor. That means whether or not they have a user’s consent to use their data in order to serve them personalized advertising — a stipulation now needed under the General Data Protection Regulation. The Interactive Advertising Bureau Europe has assigned a consent string to every vendor that has signed up to its global vendor list.

Of course Google does not use IAB’s consent scheme framework and has developed its own analogue for companies that use its Funding Choices platform. That makes things even more complicated.

The difficulties in achieving compliance have led many smaller vendors to write off Europe as a market until things settle out and they know how onerous the enforcement will be.

But those are the good guys. As always, the fraudsters are undeterred and while you were trying to spend quality time with the kids they were designing fraudulent GDPR consent strings.

Some ad tech vendors have already identified fake consent strings, which means they may have inadvertently served personalized ads to users who have not given their consent. This has the potential to become an escalating crisis, since once a user has decided not to give consent, she’s not expecting to have her data misused and her privacy violated.

In the nearly 20 years we’ve been in ad tech, we have seen this game of whack-a-mole over and over again. The good guys try to fix the ecosystem, and the bad guys quickly catch up and pass them. One form of fraud gives way to another.

We long ago decided to be one of the good guys, and we’re not bitter. If you are interested in compliance, Prebid.org has you covered with its GDPR Compliance Module. Prebid.org is an independent organization designed to ensure and promote fair, transparent, and efficient header bidding across the industry. Funded by dues-paying members, it manages the open source projects Prebid.js, Prebid Mobile, Prebid Server, Prebid Video, Prebid Native, and others.

The problem is that these open source industry resources, along with GitHub, are also accessible to people who are out to mess with the system, so now we have to develop a way to spot and expel fraudulent consent strings.
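One way to start spotting implausible strings on the receiving side, as an added example that is not code from this post or from Prebid.org: it decodes the fixed header of an IAB Europe consent string and flags values that cannot be genuine. It assumes the version 1.1 bit layout of the IAB framework; the function names, the allow-list of CMP ids and the sample values are constructed for illustration.

```python
import base64
from datetime import datetime, timezone

# IAB Europe consent string v1.1 header: (field, width in bits), in wire order.
FIELDS = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("language", 12),
          ("vendor_list_version", 12), ("purposes", 24), ("max_vendor_id", 16),
          ("encoding_type", 1)]
HEADER_BITS = sum(w for _, w in FIELDS)  # 173 bits before the vendor section

def decode_header(consent):
    """Decode the fixed header of a web-safe base64 consent string."""
    raw = base64.urlsafe_b64decode(consent + "=" * (-len(consent) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    if len(bits) < HEADER_BITS:
        raise ValueError("too short for a v1 header")
    out, pos = {"total_bits": len(bits)}, 0
    for name, width in FIELDS:
        out[name], pos = int(bits[pos:pos + width], 2), pos + width
    return out

def findings(consent, now, known_cmp_ids):
    """Return reasons the string is implausible; an empty list means no red flags."""
    try:
        h = decode_header(consent)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"undecodable: {exc}"]
    now_ds = int(now.timestamp() * 10)  # timestamps are deciseconds since the epoch
    checks = [(h["version"] != 1, "unexpected version"),
              (h["created"] > h["last_updated"], "created after last update"),
              (h["last_updated"] > now_ds, "timestamp in the future"),
              (h["cmp_id"] not in known_cmp_ids, "unknown CMP id"),
              (h["encoding_type"] == 0 and h["total_bits"] < HEADER_BITS + h["max_vendor_id"],
               "bit field shorter than max_vendor_id")]
    return [reason for failed, reason in checks if failed]

def encode(values, vendor_bits=""):
    """Build a constructed sample string; used only to make test data here."""
    bits = "".join(f"{values[n]:0{w}b}" for n, w in FIELDS) + vendor_bits
    bits += "0" * (-len(bits) % 8)
    return base64.urlsafe_b64encode(int(bits, 2).to_bytes(len(bits) // 8, "big")).decode().rstrip("=")

# Constructed samples: CMP id 7 and the timestamps are made up for the demo.
NOW = datetime(2018, 9, 1, tzinfo=timezone.utc)
T0 = int(datetime(2018, 5, 28, tzinfo=timezone.utc).timestamp() * 10)
GOOD = dict(version=1, created=T0, last_updated=T0, cmp_id=7, cmp_version=1, consent_screen=1,
            language=0, vendor_list_version=8, purposes=0b111 << 21, max_vendor_id=10, encoding_type=0)
FAKE = dict(GOOD, last_updated=T0 + 10**10, cmp_id=0, max_vendor_id=500)

if __name__ == "__main__":
    print(findings(encode(GOOD, "1" * 10), NOW, {7}))
    print(findings(encode(FAKE), NOW, {7}))
```

These checks only catch strings that are malformed or internally inconsistent. A well-formed string that misstates what the user chose passes them, so they are a first filter rather than proof of consent.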

Sometimes I wish consumers understood even a little bit about how hard those of us in the industry work at combatting fraud.