Bridging the Privacy Compliance Gap

Privacy is top of mind for all businesses, but especially for publishers who are about to undergo a dramatic shift in how user data is collected and managed — negatively impacting revenue.

Between mounting privacy regulations and privacy enforcement measures being taken by big tech, publishers need simple solutions that they can trust to ensure consent compliance. And even when publishers are doing the right thing and following the law, they may find themselves liable for a non-compliant partner.

Publishers also need insight into their partners’ regulatory compliance, especially when it comes to creative. Publishers need a bridge. This is why Confiant has launched Privacy Compliance, a complement to Consent Management Platforms (CMPs) that provides end-to-end privacy compliance coverage in real time.

Confiant is a cybersecurity company that protects publishers and supply-side platforms from malicious actors and puts the control back in their hands to ensure the ads delivered to a website are safe and secure.

AdMonsters spoke with John Murphy, Chief Strategy Officer, Confiant, about how the company’s new tool helps publishers, as well as why publishers need to monitor each creative to ensure compliance, how privacy regs and platform changes are impacting publishers’ bottom lines, the growing problem with browser fingerprinting and much, much more.

Lynne d Johnson: As privacy regulations like GDPR, CCPA, and CPRA heat up and big tech like Apple and Google make sweeping changes to protect consumers’ privacy, what are some of the biggest challenges that publishers face? Also, how are all of these changes impacting publisher revenue?

John Murphy: Publishers are responsible for ensuring that user tracking that occurs on their properties conforms to privacy regulations and user expectations. However, these regulations are complex and becoming ever more varied as new laws are adopted. GDPR was complex but at least has the benefit of covering a vast region. The situation in the U.S. is becoming much more challenging.

California has CCPA, which is already being superseded by a new regulation, CPRA. Virginia has a new privacy law called VCDPA that’s going into effect at the beginning of 2023. Colorado is poised to announce their own regulations. There is considerable activity at the Federal level as well.

It’s quickly becoming alphabet soup, testing the capabilities and patience of even the most sophisticated publishers. The challenge is further exacerbated by the realities of programmatic advertising—a publisher often has little to no connection to or even knowledge of the tracking entities that could be present when an ad renders. So publishers often feel they have all the responsibility and none of the control. The risks to publishers are profound: if they are found to be non-compliant, publishers may be on the hook for up to 4% of global revenues, a truly enormous sum.

LdJ: The liability for user consent seems to fall solely on publishers even when it’s their partners who might be practicing non-compliance. How can publishers get ahead of this?

JM: Publishers can get ahead of this by evaluating the risks posed by their own tracking activities as well as those of their vendors and partners. Consent Management Platforms (CMPs) can assist in this exercise, but they leave a gap when it comes to digital advertising, which by its very nature is very dynamic. For this sector, a publisher needs to put monitoring in place that evaluates each creative as it renders to ensure compliance with privacy law.

LdJ: You guys have a new tool called Privacy Compliance that complements a publisher’s CMP by identifying privacy issues in real time at the creative level. Why is it important to identify consent mismatch at the creative level and not just at the page level?

JM: CMPs focus on the collection, transmission, and tracking of user consent information. What CMPs don’t do (and to be fair, weren’t really designed to do) is ensure that each and every creative that comes back from the adtech ecosystem is actually abiding by those signals. A few CMPs do offer rudimentary scanning at the page level, but this technique misses the vast majority of ads because—at any one time—there are literally millions of unique creatives running through programmatic advertising.

A page scanner that looks at a few hundred creatives a day using a couple dozen synthetic user profiles just isn’t going to give a publisher visibility into the full breadth of demand flowing through programmatic pipes. This leaves publishers exposed. They are likely serving ads that violate GDPR and CCPA even if their CMP is doing everything it’s supposed to.

LdJ: Browser fingerprinting, a method of collecting data about individuals, is a growing concern for publishers as they prepare for the cookiepocalypse. How is this harmful to publishers and users, and what can publishers do about it and better protect their audiences?

JM: Browser fingerprinting involves creating a unique fingerprint of a user’s computing device based on the many characteristics that differ from one computer to another (IP address, user-agent, screen resolution, operating system, fonts installed, etc.). Because this form of tracking has no need for cookies, we expect its usage to skyrocket as Chrome moves to block all third-party cookies.

A visit to Cover Your Tracks will demonstrate just how sophisticated these techniques have become. Some regulations take a stricter stance on fingerprinting than on cookies, so it’s important for publishers to know when it’s happening and ensure that they want to take the risk. Confiant’s Privacy Compliance solution allows publishers to detect and block client-side browser fingerprinting in real time, protecting themselves and their audiences from this invasive technique.

LdJ: One would think that better consumer privacy in the advertising ecosystem would mean that publishers and consumers are also better protected from cybercriminals. But this isn’t exactly the case, is it? How are publishers and consumers still at risk? 

JM: Privacy is clearly an important consideration for publishers and users, but it’s not the only risk that they face. Publishers and users are continuously inundated with disruptive, offensive, and dangerous ads. Our research indicates that roughly 1 in every 150 ad impressions delivered to users is either malicious or disruptive. Privacy laws do nothing to protect users from these threats.

Cybercriminals take advantage of the fragmentation within adtech to infiltrate the ecosystem and leverage its immense reach and precision to target users with malware and all manner of scams. While governments have recently focused on the privacy risks to users, little has been done to address these other risks.