Publishers Need a Better Way to Manage Privacy Risks

By John Murphy

13 May 2021

Privacy compliance is a minefield for publishers. Publishers own the relationship with their users and vendors, and are responsible for ensuring that any user tracking that occurs conforms to privacy regulations and user expectations. Compliance is no small feat, particularly given the number and variety of regulations now in effect or close to being finalized, including GDPR, CCPA, CPRA, VCDPA, and the countless other regulations that are in exploratory phase. The challenge is further exacerbated by the realities of programmatic advertising—a publisher often has little to no connection to or even knowledge of the tracking entities that could be present when an ad renders. To put it concisely (and bluntly), publishers often feel they have all the responsibility and none of the control. Faced with a barrage of privacy regulations and at the mercy of a diffuse, opaque adtech ecosystem, how is a publisher supposed to make sense of it all and protect their reputation, revenue, and resources? 

If privacy regulations were toothless, we might be tempted to dismiss compliance as yet another hoop the industry asks publishers to jump through. But the stakes are in fact quite high. GDPR allows for fines up to  €20M or 4% of a company’s gross receipts, whichever is larger. Major publishers have been fined by European regulators, including fines of €100M and €35M for Google and Amazon, respectively, for their actions as publishers by the French CNIL in December 2020. Each EU member state has the right to interpret GDPR and impose penalties via its own data protection authority, which means that a publisher might be given a pass in one EU country, but not in another. Publishers don’t have just one “boss” here; they have many to please. A review of regulatory actions against adtech platforms and publishers makes for sobering reading.

But I have a CMP

Publishers might reasonably say, “well, I have a Consent Management Platform (CMP) to handle this complicated stuff!” And while that’s true, CMPs aren’t designed to do everything that publishers need to ensure compliance with privacy laws. CMPs are great at solving a particular set of problems, namely:

  • Providing notice to users
  • Obtaining consent from the user to track
  • Packaging consent data for downstream providers
  • Maintaining robust audit trails

Put another way, CMPs focus on the collection, transmission, and tracking of user consent information. What CMPs don’t do (and to be fair, weren’t really designed to do) is ensure that each and every creative that comes back from the adtech-industrial complex is actually abiding by those signals. A few CMPs do offer rudimentary scanning at the page level, but this technique misses the vast majority of ads because—at any one time—there are literally millions of unique creatives running through programmatic advertising. A page scanner that looks at a few hundred creatives a day using a couple dozen synthetic user profiles just isn’t going to give a publisher visibility into the full breadth of demand following through programmatic pipes. This leaves publishers exposed. They are likely serving ads that violate GDPR and CCPA even if their CMP is doing everything it’s supposed to.

"A page scanner that looks at a few hundred creatives a day using a couple dozen synthetic user profiles just isn’t going to give a publisher visibility into the full breadth of demand following through programmatic pipes. This leaves publishers exposed." - Tweet this 

Confiant recognized this vital gap and the need for products that reduce privacy risk, and we set out to increase our support of publishers in this critical area. We have a very particular set of skills, acquired over a very long career in adtech: We invented real-time creative compliance, which we’ve offered for years in our security products. And now we’ve mastered IAB Europe’s Transparency and Consent Framework (TCF) so that publishers don’t have to. Because our code runs on a publisher’s site, we are able to see every outgoing consent string and every ad that’s delivered in real-time. This allows us to evaluate the full range of creatives active at any one time and to identify rogue tracking that the CMPs miss. We then take this one step further by allowing you to automatically block any non-compliant ads.

Privacy Compliance by Confiant - Get a Demo

Rogue tracking is any form of ad-based user tracking that violates privacy regulations or stated publisher and user preferences. Our technology actively protects you from:

  • Consent mismatches: We identify instances where there is no established legal basis for tracking, but it's happening anyway.
  • Browser fingerprinting: We identify this form of cookieless tracking that users can’t easily discover or opt-out of. Browser fingerprinting involves creating a unique fingerprint of a user’s computing device based on the myriad characteristics that differ from one computer to another (screen resolution, operating system, fonts installed, etc). Because this form of tracking has no need for cookies, we expect its usage to skyrocket as Chrome moves to block all 3rd party cookies. A visit to https://coveryourtracks.eff.org/ will demonstrate just how sophisticated these techniques have become. Some regulations take a stricter stance on fingerprinting than on cookies, so it’s important for publishers to know when it’s happening and ensure that they want to take the risk. 

In short, Confiant will help you make sense of the hellscape that is publisher privacy compliance and help protect you from the risk of rogue tracking. We flag risky behavior for you, and then allow you to block it at the creative level so that you can manage your own risk. We become your CMP’s loyal companion and help it work better. We’d love to show you our new system in action. Please contact us to learn more.