Consent and bots
02 February 2019
Two kinds of web clients who it's a bad idea to serve a third-party resource to:
Users who have not given consent. We know we can't use their data. But third parties can peek at those users because their tracking script or pixel is on the page. If the first party can't have that data why should the third parties get it?
Adfraud bots. Bots come to visit legit sites to build up realistic-looking cookies so they can cash out elsewhere. Bad idea to help them.
Consent management requires some interaction with the user, which is also an opportunity to collect data for assigning a botness score.
Bots will also try to appear to be visitors who have already given consent, and go get the third-party resources anyway. This is an interesting problem because it's a game where the bot and the third party are on the same side, and the site is on the other. Impossible for the CMP to block the bot connection to the third party, but is it possible to show that consent was not in place when that connection happened? Understanding the provenance of the consent string is going to be important. An extra cookie containing a digital signature for the consent string?
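One way to sketch the extra-cookie idea above, as an added example that is not from the original post. It swaps an HMAC tag (verifiable only by the site that holds the key) in for a true digital signature, and the cookie layout, function names, key and consent string are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a secret held only by the first-party server (constructed demo value).
SITE_KEY = b"constructed-demo-key"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_provenance_cookie(consent_string, issued_at, key=SITE_KEY):
    """Issue the extra cookie; call only after a real CMP interaction."""
    payload = json.dumps({"cs": consent_string, "iat": issued_at},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def check_provenance(consent_string, cookie, request_time, key=SITE_KEY):
    """Classify a request that presented consent_string at request_time."""
    if not cookie or cookie.count(".") != 1:
        return "no-provenance"
    try:
        payload, tag = (_unb64(part) for part in cookie.split("."))
    except ValueError:
        return "no-provenance"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "bad-tag"
    claims = json.loads(payload)  # safe to parse: the tag verified
    if claims["cs"] != consent_string:
        return "string-mismatch"  # consent string differs from the one issued
    if claims["iat"] > request_time:
        return "consent-after-request"  # consent was not in place yet
    return "ok"

if __name__ == "__main__":
    # Constructed sample values.
    cookie = issue_provenance_cookie("CONSTRUCTED-CONSENT-STRING", 1549100000)
    print(check_provenance("CONSTRUCTED-CONSENT-STRING", cookie, 1549100600))
```

A valid tag shows only that the site issued that consent string at that time, not that the presenting client is the one who interacted with the CMP; a copied cookie still verifies unless the payload is also bound to something like a session identifier.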
New CMPs will have an opportunity to build on knowledge gained from regulator reactions to first-generation CMPs. But it's more interesting to think about sustainable advantage for the site than just about regulatory future-proofing. For example, a good consent management platform will also tie in to an objection management platform/opt-out management platform. (Objection management platform and opt-out management platform both work out to OMP—anybody using that TLA?)
People ask about whether consent records obtained by conventional CMPs are even good.
(Risks in IAB Europe’s proposed consent mechanism |
The "click OK to make this dialog go away and consent to everything" UX is unlikely to last, but what's next?
Design the CMP to work in the interest of the CMP customer, not third parties.
Understand the (painful, because anything touching the CMS is painful) changes involved in taking 3rd parties out of the page template entirely when the page is going to a no-consent user. No peeking!
Future-proof consent workflow to allow for adjusting for regulatory changes (boring) and revenue or data opportunities (fun).
Integrations: objection/opt-out management, single sign-on, paywalls, in-browser/in-extension consent management.
And of course, get out in front of coming browser privacy improvements. Need an open-source strategy including participation in browser and extension projects.