GDPR consent-string fraud
As with the introduction of anything new, the implementation of GDPR has resulted not only in positive outcomes but in some negative ones too, for instance the development of so-called consent-string fraud.

Consent-string fraud is a new practice increasingly being employed by ad tech vendors to circumvent the opt-in permission legislation set out by GDPR.

Consent strings were brought in by the IAB as a way to make the delivery of personalised ads online more transparent. A consent string is a unique series of numbers generated by a publisher’s consent management platform. This string is then shared with all digital ad partners. The consent string includes information such as the identity of a vendor, whether or not that vendor has the user's consent to use their data to serve them personalised ads, and how any identifying personal data can be used. The most important consent data is a single bit (a “1” or a “0”) that tells an ad tech vendor whether they can serve up personalised ads. If the value is “1”, the ad tech vendor has user consent; if the value is “0”, the ad tech vendor does not have user consent.

Since the introduction of the new data protection regulation, consumers have become increasingly clued up about their rights. They know that they have a greater say over how their personal information is used. As a result, more customers than ever before are choosing not to opt in to communications, and this has resulted in a significant reduction in the marketing collateral being sent out: decreased direct mail volumes, fewer emails and fewer personalised ads being served over the internet. For ad tech vendors this has resulted in a drop in profit, and in response some practitioners are seemingly finding ways to drive volumes by changing the “0” in the consent string to a “1”. Whilst this is still very much the exception, not the rule, it is growing in popularity, so much so that the ICO has started to take notice. However, the IAB believes that, due to the “newness” of consent strings themselves, many ad tech providers may simply be unaware of their responsibility and of the fact that they are serving ads when they shouldn’t be.
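One way a publisher could check for the changed bit described above is to compare the string its consent management platform issued with the one seen further down the ad chain. The following is an added example, not code from the original article or from the IAB; it assumes a simplified layout (a 16-bit vendor count followed by one consent bit per vendor, base64url-encoded) rather than the IAB's actual encoding, and all function names and sample values are constructed for illustration.

```python
import base64

def encode_consent(vendor_bits):
    """Build a string in the assumed layout: 16-bit vendor count, then one bit per vendor."""
    bitstr = format(len(vendor_bits), "016b") + "".join(str(b) for b in vendor_bits)
    bitstr += "0" * (-len(bitstr) % 8)  # pad to a whole number of bytes
    raw = int(bitstr, 2).to_bytes(len(bitstr) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_consent(s):
    """Return {vendor_id: 0 or 1}; raise ValueError if the string is cut short."""
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    bitstr = "".join(format(byte, "08b") for byte in raw)
    if len(bitstr) < 16:
        raise ValueError("consent string too short")
    count = int(bitstr[:16], 2)
    field = bitstr[16:16 + count]
    if len(field) < count:
        raise ValueError("vendor bitfield truncated")
    return {vid: int(bit) for vid, bit in enumerate(field, start=1)}

def audit(issued, observed):
    """Compare the CMP-issued string with the one observed downstream, vendor by vendor."""
    before, after = decode_consent(issued), decode_consent(observed)
    findings = []
    for vid in sorted(set(before) | set(after)):
        was, now = before.get(vid, 0), after.get(vid, 0)
        if was == 0 and now == 1:
            # The case the article describes: consent the user never gave.
            findings.append((vid, "consent added downstream"))
        elif was == 1 and now == 0:
            findings.append((vid, "consent dropped downstream"))
    return findings

# Constructed sample: the user consented to vendors 1 and 4 only.
ISSUED = encode_consent([1, 0, 0, 1, 0, 0, 0, 0])
# Constructed sample: the same record as seen downstream, with vendor 3 now set to 1.
OBSERVED = encode_consent([1, 0, 1, 1, 0, 0, 0, 0])

if __name__ == "__main__":
    for vendor_id, finding in audit(ISSUED, OBSERVED):
        print(f"vendor {vendor_id}: {finding}")
```

A check like this only works if the publisher keeps its own copy of each issued string to compare against.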

Pundits are already questioning how data protection regulators such as the ICO will deal with this issue. Some believe that they may issue a warning and give the industry time to self-correct, or that they could take a heavy-handed approach and issue fines to the perpetrators. One solution to be mooted is blockchain, as this will mean that it will be much harder for publishers to tamper with the consent strings.

Whatever happens, it is clear that brands wanting to serve ads online, whether as a publisher or an advertiser, must work with trusted adtech partners, as under GDPR “ignorantia juris non excusat” (ignorance is no excuse), meaning that fines could be issued to any of the organisations involved, whether they knew about the fraud or not.


Emma Thwaites

Client Services Director, Alchemetrics