Posts

New Game: Consent String Fraud

Well, that didn’t take long. GDPR went into effect at the end of May, and as we all return from summer holidays we are already the victims of consent string fraud. I guess fraudsters don’t vacation. They spent the summer generating fake consent string numbers.

Digiday has already run its “WTF is a Consent String” piece, which signifies that the term has already entered the ad tech lexicon. You’re probably still applying your mosquito repellant, so here’s what it means:

A consent string, also referred to as a “daisybit,” is a series of numbers added to an ad bid request, which identifies the consent status of an ad tech vendor. That means whether or not they have a user’s consent to use their data in order to serve them personalized advertising — a stipulation now needed under the General Data Protection Regulation. The Interactive Advertising Bureau Europe has assigned a consent string to every vendor that has signed up to its global vendor list.

Of course Google does not use IAB’s consent scheme framework and has developed its own analogue for companies that use its Funding Choices platform. That makes things even more complicated.

The difficulties in achieving compliance have led many smaller vendors to write off Europe as a market until things settle out and they know how onerous the enforcement will be.

But those are the good guys. As always, the fraudsters are undeterred and while you were trying to spend quality time with the kids they were designing fraudulent GDPR consent strings.

Some ad tech vendors have already identified fake consent strings , which means they may have inadvertently served personalized ads to users who have not given their consent. This has the potential to become an escalating crisis, since once a user has decided not to give consent, she’s not expecting to have her data misused and her privacy violated.

In the nearly 20 years we’ve been in ad tech, we have seen this game of whack-a-mole over and over again. The good guys try to fix the ecosystem, and the bad guys quickly catch up and pass them. One form of fraud gives way to another.

We long ago decided to be one of the good guys, and we’re not bitter. If you are interested in compliance, Prebid.org has you covered with its GDPR Compliance Module. Prebid.org is an independent organization designed to ensure and promote fair, transparent, and efficient header bidding across the industry. Funded by dues-paying members, it manages the open source projects Prebid.js, Prebid Mobile, Prebid Server, Prebid Video, Prebid Native, and others.

The problem is that these open source industry resources, along with Github, are also accessible to people who are out to mess with the system, so now we have to develop a way to spot and expel fraudulent consent strings.

Sometimes I wish consumers understood even a little bit about how hard those of us in the industry work at combatting fraud.

 

Agencies Merging in the Face of GDPR

One of the ways agencies grow is by buying smaller agencies. In theory, that gives them access to more clients, a fresh creative staff, and a way to create scale to ward off competitors. However, mergers and acquisitions are only as good as their integrations into the mother ship.  According to an article in AdExchanger,

There were 398 acquisitions in 2016 with a total investment of $14 billion.  The Big Six – WPP, Dentsu, Havas, Publicis, IPG and Omnicom – were responsible for 89 acquisitions, at a value of more than $3.3 billion.

Figures through September showed 291 acquisitions this year. And in this game of agency supermarket sweep, many of the targets come from the data, digital and programmatic aisle.

This could prove tragic in the long run. The good news is that at long last agencies seem to understand that digital, data and programmatic are capabilities they need to have. But they are one step behind in the race to the future. As a result of coming new data privacy regulations, such as the European GDPR (Global Data Privacy Regulations), many marketers have data at the forefront of their minds, but for the wrong reasons. They know they are going have difficulty using it the way they did in the past, because now the consumer will be in control of her data.

What the big agencies really should be doing is studying up on those regulations and coming to grips with the limits that will be placed on the use of data in the future. Agencies are usually headed by people who may know the creative side of the house but don’t keep very good tabs on data. There will be an amazing culture clash when the data-driven geeks arrive in the house. There will be equally big problems because programmatic itself is coming under scrutiny for brand safety issues and ad fraud. So far, the geeks and the creatives have been kept separate, in separate companies. If they come together under one roof, that holding company will have to tighten its controls to make sure that the data flowing through its acquisitions is in compliance with the new regulations, or the fines will be significant.

So what the agencies will need now is a new cadre of management familiar with aspects of the business that have been lumped into a separate bucket called “martech.” And they will probably have to beef up their compliance departments as well.

In the rush to integrate acquisitions and learn more about how to manage data, guess what will get short shrift again? True creative, the kind that makes advertising users want to see.

2018: The Year of Data Security

It doesn’t take much to predict that 2018 will be the year of enhanced online security. We were headed toward more emphasis on consumer privacy anyway, but the massive Equifax data breach forced every consumer to face what geeks have known for ages: that left to their own devices, the companies that collect, handle and sell our data do not care about keeping us safe. We have to be in charge of our own data security. This event will change the thinking of just about every American on the internet, and since the Europeans already relish their privacy and have begun to take steps to enhance it, we can look forward to a real difference in how marketers, developers, and publishers operate online.

Here’s what we think will happen in 2018:

  1. Apple, which has made security a differentiator in its products for a long time, will block cookies automatically in Safari 11.  All the major marketing trade groups are fighting this, saying they are “deeply concerned” with Apple’s plan to override and replace user cookie preferences with a set of Apple’s own standards. This is called “Intelligent Tracking Prevention,” will provide consumers the gift of a 24-hour limit on ad retargeting. So that pair of shoes can only follow you around on the internet for 24 hours.
  2. A new browser, Brave, developed by the inventor of Javascript and the former CEO of Mozilla, loads news sits two to eight times faster than Chrome or Firefox by blocking ads and trackers by default. Through Brave’s use of blockchain technology, it pays content creators viewed through its browser in micro payments.  The block chain is coming to advertising in other use cases as well, mostly to make the digital media supply chain more transparent. We predict Brave will catch on with the geeks who favor ad blocking and security, although the general public probably won’t know it exists.
  3. The big Kahuna of changes is the launch of the Global Data Privacy Regulation in May 2018.  The GDPR, as it is lovingly referred to, affects how marketers can interact with European consumers: they can only market to a consumer who gives permission. Because this regulation was passed by the European Commission, it carries the force of law and if you violate its terms you can be liable for a hefty fine.

Although the UK is in the process of Brexiting the EU, because its companies handle so much data from EU members it will follow the conventions of the GDPR.  America will be dragged along kicking and screaming, because most online businesses do not have a convenient window into where every data point comes from, it will be easiest simply to comply.

4. There will be a major business opportunity here as small businesses who haven’t paid much attention to these issues in the past re-examine how they handle customer data or who they partner with.

5. And then there’s the obvious windfall for companies that sell data security solutions, which will not be far more appealing.

There may also be a change in advertising from an emphasis on performance ads based on data to brand ads, which do not involve having to violate privacy by tracking consumers around the web.

 

 

 

 

Brexit Won’t Change Treatment of Data

The Brexit caught many people unaware and forced them to think through some digital media issues in rather a hurry. The UK has just released new privacy and security guidelines– based on the UK’s understanding of the General Data Protection Regulation (GDPR)– that will take effect in 2018, the year the Brexit is actually supposed to occur. The UK and EU have already diverged from the US by requiring all sites that use cookies to announce the policy on first visit.

British data security experts have told us privately that most visitors just click right through and accept the use of cookies, however. The practice of announcing that a site uses cookies is becoming more widespread in the US as well, and does not seem to be the reason the US is seeing the spread of ad blocking.

So cookies are not the major issue: then what are the important components? For the US, the most important issue seems to be on the security side, as US and state regulators try to prevent hacking and release of potentially personal information.  One of the problems with the US is that security is handled by the states. And the US first amendment freedoms create issues with the EU’s laws.

The EU comes at privacy and security by emphasizing the privacy side — the right of individuals to control their own data, and a prohibition against collecting data without a “legitimate purpose.” It also provides no threshold for the right to be forgotten, which is in direct conflict with the freedom of speech guarantees in the US.

If you then throw in the Brexit, the UK, which is the center of digital publishing and advertising in the EU, would have much to do complying on the one hand with US regulations and on the other with EU laws, especially when dealing with so many other potentially difficult issues.

Thus, the UK is expected to ignore the Brexit for purposes of data privacy and security, and throw its lot in permanently with the EU. It makes little sense to do otherwise, as for the next two years the UK will have to go along with everything the EU is doing to get ready for the new regulation anyway.

Moreover, companies that offer cloud-based services, no matter where they are based, will have to comply with the most stringent regulations or face fines.

What do these new regulations mean for publishers and marketers? Well, for starters the new regulations are predicted to create 28,000 new Chief Privacy Officer jobs over the next two years. Both publishers and marketers will have this window of opportunity to figure out how to serve their own ends and still operate within the EU’s GDPR.