There are many things advertisers don’t know about how cookies — the backbone of programmatic advertising — work. One of them being how they’re obtained. It turns out pretty sneakily on occasion. According to a recent audit, a large number of cookies used to target audiences on the 1,000 biggest publishers in Europe are done so without the consent of the person who would see the ad — a problem because this shouldn’t be happening since the arrival of a wide-ranging privacy law four years ago.To be clear, this isn’t a new issue by any means. Privacy experts have been sounding the alarm as far back as when that privacy law (the General Data Protection Regulation) came into effect across Europe. At the time marketers were concerned, but not alarmed. After all, publishers assured them that they wouldn’t collect Europeans’ consent without their consent. Now, they’re alarmed. They don’t know how cast iron those assurances really are — and more importantly whether they ever can be.
Cue a scramble from marketers trying to figure out what this all means for them. They want to know if the audience targeting they’re doing on publisher sites is using non-compliant cookies and if so how prevalent it is across the media they buy. For one global CPG business, these checks will start over the coming weeks.
“We’re aiming for either January or February to conduct a similar audit to the one Ebiquity commissioned,” said the advertiser’s chief media officer, who spoke to Digiday on condition of anonymity due to the sensitive nature of the topic. “If the audit confirms what has already been reported then we have to think about moving our dollars around so that we’re no longer exposed to these types of breaches.”
Opinions like this raise the question of how much advertisers really stand to lose if they reduce or pull their programmatic advertising. The audience targeting that informs where those dollars go is essentially a probability game. Making it work means scooping up ad impressions from hundreds of thousands of websites sent by as many supply-side platforms deemed necessary. Like everything else in media, however, there are trade-offs with this way of advertising. If advertisers have to constantly cast and recast a wider net over tens of thousands to millions of websites to find user IDs based on cookies then chances are they also end up buying tons of lower-quality inventory in the process.
“It’s a balancing act for marketers between reach and how respectful the publishers they buy from are of consumer data,” said Brian Kane, chief operating officer of Sourcepoint, a company that helps companies measure the privacy experience of sites. “There’s a growing realization among some of the largest companies in the world that they play a role in the quality of the media ecosystem so they want to make sure they’re doing it with a level of assurance that consumers are being respected.”
Add the senior marketer at another global CPG advertiser, who also only agreed to talk to Digiday on condition of anonymity, to this list. In fact, they’ve threatened to shut down programmatic advertising entirely if publishers can’t fix the issue. Even if doing so means pouring more of their dollars into walled gardens where they have a limited view of what that money actually buys them. It’s an option that, at least for this marketer, is the least bad one. It’s also the extreme option — especially if the issue taints large swathes of media.
Threatening to shut down programmatic spending is not a reality for many advertisers — at least not at large. In a world where digital ad spend keeps growing faster than expectations, and advertisers are fixated on the unproven allure of audience targeting, the money has to go somewhere. What’s more likely to happen, especially when it comes to ad trackers collecting people’s data without their consent on larger sites, is that it leads to conversations behind the scenes. In other words, advertisers talk to publishers about what they can do to plug these issues and subsequently secure more media dollars as a result.
“The way that programmatic works means that advertisers can’t activate activity unless a cookie consent string is in place so we’re protected to a degree when it comes to whether we’re doing the right thing,” said the senior marketer. “The real issue here is around publisher trust and the fact that it is perceived that cookies are being dropped on sites before publishers have got the consent from their readers to do so.”
Publishers are in a bind here. There are marketers who believe they view seeking consent for tracking cookies as an afterthought — something they ask for forgiveness for not doing, not ask for permission to do. Sure, there are publishers that probably have taken up this stance given the realms of money they stand to make. But there are many others that don’t. The issue, however, is that regardless of the publisher’s intent, they aren’t always in full control of the cookies on their site. So even if they wanted to ensure that all readers had provided their consent to be tracked by cookies, there are times when that wouldn’t be possible. When a cookie is loaded on a page it calls a server to then register that the cookie has been served. Sometimes that cookie doesn’t just call the server, it calls other cookies. Essentially, one primary cookie could subsequently call upon hundreds of other cookies, which is where things get tricky for publishers trying to keep track of what’s happening on their site.
Why? Mainly because ad tech companies have a higher priority economic incentive, said Tom Triscari, an economist at consulting firm Lemonade Projects. They need to constantly expand impression volume in any way possible to reduce marginal cost and get more price-competitive with Google’s own programmatic marketplace. At the same time, advertisers are putting downward pressure on their fees and commissions through procurement, which puts more pressure on ad tech vendors to find alternative ways of generating profits.
“This is the name of the game,” said Triscari. “Keep the audience-targeting belief system moving forward 24/7 365 days of the year. When all the sell-side supply chain actors have a profitable hedge in perpetual motion, everyone seems to work in concert to keep the ball in the air for as long as possible. Why would anyone expect anything different?”
In some ways, this is a problem of advertisers’ own making — one that’s being brought into sharp focus. Indeed, Ebiquity’s research isn’t the first, nor will it be the last of its kind. In fact, Adalytics published a similar report as recently as last month. Like Ebiquity, it found that ad tech vendors are still tracking people across the European Union who have not given their permission to do so. That’s raised fresh doubts over the IAB’s self-styled Transparency and Consent Framework, which is already in hot water with privacy regulators. The issue being that the TCF is a standardized way for ad tech vendors to see whether a user has provided consent for their data to be shared via cookies. Last November, however, the trade body all but said that it doesn’t always work as intended. It said that it expected the framework to be found in breach of the GDPR. It comes after Belgium’s privacy watchdog found that the framework didn’t comply with the GDPR’s transparency guidelines and processed sensitive data like political affiliation and sexual orientation without explicit consent. While the IAB maintains these loopholes can be closed, the growing body of evidence suggests doing so will be anything but straightforward.
“TCF is inherently flawed and non-compliant,” said Ruben Schreurs, group chief product officer at Ebiquity. “It’s time to wake up and smell the coffee; take responsibility for protecting people’s rights in a deeply troubled ecosystem.”
Damning as the growing evidence of malfeasance is, marketers are inclined to take it all with a pinch of salt — hence the scramble to do their own audits. The reason: more often than not the data is being reported by consent management platforms like the one Ebiquity commissioned to do its own analysis. To understand why this is a big deal, it’s important to understand what CMPs do. Simply put, they’re the technical infrastructure a business uses to collect and store what data customers have consented to be used and for what. Not all CMPs are wired the same, however. Some CMPs can prevent the firing of certain scripts based on the user’s input. Others are merely signal passers and do not block scripts from firing. The former could theoretically benefit from exposing the latter. And based on Ebiquity’s report it seems many CMP installations are grossly misconfigured. Understandably, marketers seem inclined to trust but verify the data that’s coming to light.