The Privacy Blindspot: How Publishers Can Protect Against Non-Compliant Cookie Dropping


By Chloe Grutchfield, Senior Vice President Product Management at Sourcepoint

In July 2021, the Société du Figaro was fined €50,000 (£42,546) following an investigation by the privacy-focused French regulatory body, CNIL. The investigation revealed that the publisher was depositing non-essential third-party tracking cookies on users’ computers without securing their consent, violating CNIL’s cookie guidelines. The case marks one of the first instances of a publisher being fined under the new privacy regulation.

While the entire digital advertising industry is on a journey to compliance, publishers, in particular, are going through an awakening. Publishers are rapidly trying to adapt their monetisation processes to be aligned with existing and new regulations, but the regulations themselves could impact revenue, creating a catch-22 for publishers.

The reality is that most publishers lack the in-house resources necessary to monitor their web properties for non-consented cookie dropping and to adequately review vendor lists to avoid suffering a similar fate. Since Google recently announced a nearly two-year delay of its plan to phase out third-party cookies, it appears as though publishers are stuck in a hard place.

The Société du Figaro’s predicament suggests that — more than three years after the GDPR went into effect — regulators are now ready to enforce the consequences of non-compliance.

This development in the privacy landscape makes it apparent that publishers not only have to monitor their web properties — they also have to ensure that their partners and the third-party vendors they work with aren’t putting cookies onto users’ devices without their consent.

Rightly or wrongly, the risks and responsibilities of noncompliance are landing firmly on publishers. Therefore, they must do everything they can to stay up to date with the latest privacy regulations and ensure they collect user consent properly and efficiently during each session.

Why Privacy Matters

In the grand scheme of things, Société du Figaro’s €50,000 (£42,546) fine was nowhere near as bad as it could have been. Under the GDPR, companies can be fined as much as €20 million (more than £17 million) or 4% of annual global turnover, whichever is higher.

In terms of monetary considerations, if vendors are processing data on publisher websites, publishers could be missing out on an additional source of revenue if they aren’t collecting consent for those vendors.

Most importantly, customers have been shown to care a lot about privacy and what companies do with the data they collect. The EU Agency for Fundamental Rights survey found that 55% of consumers fear criminals or fraudsters are accessing their personal data.

Another factor that can make users nervous is when they see a very long list of vendors, as they believe their data is being sold to hundreds of different companies. Publishers must take the time to purge their vendor list and ensure all remaining partners are only working with the approved vendor list on the publisher’s CMP. This helps create a less intimidating volume of vendors for consumers, helping them feel more confident in their choice to consent.

Furthermore, 30% worry that advertisers, businesses, and foreign governments access their information without them knowing.

In other words, consumers believe that publishers who protect personal data value the consumer relationship. On the flip side, they think that publishers who mishandle data aren’t taking privacy concerns seriously enough. So, if publishers want to avoid GDPR fines, unlock additional revenue streams as well as earn and keep consumer trust, then privacy and the responsible use of user data needs to be a top priority – it’s that simple.

Shining a Light on Privacy Blind Spots

If you’re like most publishers, chances are it’s been a while since your team scrutinised your CMP’s vendor list. And, you may be under the false belief that vendors will not drop cookies without a consent signal — but you’d be wrong. Not every site follows the IAB Transparency and Consent Framework, which would create an IAB consent signal to trigger a cookie drop. This means that vendors will automatically drop a cookie when triggered by an alternative signal unless there is a mechanism in place to “withhold” it until consent is acquired.

To avoid falling victim to this process, ensure proper CMP and tag management configuration, particularly if tag management governs third-party cookie dropping. Additionally, it would be wise to implement a monitoring tool to ensure ongoing compliance. This is necessary as scripts on a page may change frequently, and it could be that third-party cookies are triggered without consent, unintentionally.

However, with the right tools in place, you can determine at a glance whether vendors are jumping the gun and firing off cookies before getting permission from users. Equipped with that data, you can proactively reach out to questionable vendors and either have them resolve the problem or block them from accessing your web properties altogether.

Making Privacy Your Top Priority

Unless you are regularly and proactively monitoring your AdTech stack, it’s simply not possible to be completely confident that your sites are compliant. In fact, as part of the GDPR, it’s required that you disclose all data controllers at the point of collection within the CMP. To fulfill this requirement, publishers must understand which vendors are being triggered — directly or indirectly — on their site.

However, by implementing a monitoring tool, publishers can gain visibility on all of the vendors triggered on their site to decide which vendors to keep and which to cut. This process will help publishers remain in control of vendors acting on their site and, in turn, keep consumers’ privacy safe.

In the world of cookies, third parties are often the most significant source of risk for a business. By making it a point to analyse what’s happening on your website, you better understand the third parties you’re working with — both directly and indirectly — and are better positioned to protect your brand from bad actors.

Technology products are available that enable you to identify illegal cookie dropping and other risky behavior. You can start surfacing a list of unauthorised vendors processing personal data and identify vendors that are creating fraudulent consent strings or dropping cookies with long lifespans. You will also be better equipped with global testing capabilities that make it easy to understand what you need to do to achieve compliance in regions worldwide.
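As an added illustration (not Sourcepoint's tooling and not code from the original article), the example below shows the kind of check such monitoring performs: it takes the Set-Cookie headers recorded while a page loads before any consent choice, then flags third-party cookies from hosts outside an essential allow-list, along with cookies that have long lifespans. The host names, the capture format and the 180-day threshold are assumptions made for the example.

```javascript
// Added example. Assumption: `capture` comes from a crawler or proxy that loaded
// the page with a fresh profile and never interacted with the CMP banner.
function parseSetCookie(header, requestHost, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.includes('=') ? pair.slice(0, pair.indexOf('=')) : pair;
  let domain = requestHost, maxAge = null, expiresAt = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1);
    if (key === 'domain' && value) domain = value.replace(/^\./, '').toLowerCase();
    if (key === 'max-age' && /^-?\d+$/.test(value)) maxAge = Number(value);
    if (key === 'expires' && !Number.isNaN(Date.parse(value))) expiresAt = Date.parse(value);
  }
  const end = maxAge !== null ? now + maxAge * 1000 : expiresAt; // Max-Age wins over Expires
  const lifespanDays = end === null ? 0 : Math.max(0, (end - now) / 86400000); // 0 = session
  return { name, domain, lifespanDays };
}

// Suffix match only; a production check would use the Public Suffix List.
const sameSite = (host, site) => host === site || host.endsWith('.' + site);

function auditPreConsentCookies(siteDomain, capture, opts = {}) {
  const { essentialHosts = [], maxLifespanDays = 180, now = Date.now() } = opts;
  const findings = [];
  for (const { url, setCookie } of capture) {
    const requestHost = new URL(url).hostname.toLowerCase();
    for (const header of setCookie) {
      const c = parseSetCookie(header, requestHost, now);
      const reasons = [];
      const essential = essentialHosts.some((h) => sameSite(c.domain, h));
      if (!sameSite(c.domain, siteDomain) && !essential) reasons.push('third-party cookie before consent');
      if (c.lifespanDays > maxLifespanDays) reasons.push('long lifespan');
      if (reasons.length) findings.push({ vendor: c.domain, name: c.name, reasons });
    }
  }
  return findings;
}

// Constructed sample capture (hypothetical hosts), taken before any consent choice.
const NOW = Date.parse('2021-09-01T00:00:00Z');
const sampleCapture = [
  { url: 'https://www.publisher.example/', setCookie: ['session=abc; Path=/; HttpOnly'] },
  { url: 'https://sync.adtech.example/pixel', setCookie: ['uid=123; Domain=.adtech.example; Max-Age=63072000; Secure'] },
  { url: 'https://cmp.consent.example/banner.js', setCookie: ['cmp_probe=1; Max-Age=3600'] },
  { url: 'https://www.publisher.example/api', setCookie: ['prefs=x; Expires=Fri, 01 Sep 2023 00:00:00 GMT'] },
];
console.log(auditPreConsentCookies('publisher.example', sampleCapture, { essentialHosts: ['consent.example'], now: NOW }));
```

Each finding names the host that set the cookie, which gives the publisher a concrete list of vendors to contact or block.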

In today’s privacy-conscious age, it’s clear that consumers are demanding increased protection and control of personal data. While this responsibility doesn’t solely fall to publishers, as gatekeepers of vast amounts of personal data, it’s crucial that publishers continue to make investments to ensure compliance and flowing revenue streams.

It’s essential to recognise that improving privacy protection is a process and an evolving ideology that will require time to perfect. However, the entire industry, including publishers, must continue to take positive steps forward on this journey to privacy, compliance, and respect.
