Commonplace

Link: Adtech not checking user consent

Adalytics asked the advertiser how they felt about this situation, when they noted that their ad tech vendors had reported “gdpr=0” whilst many of the receiving users were clearly in the EU. The advertiser responded (in writing):

“I would be worried about my compliance risk as an advertiser. After all, my ads were shown and regulators will think I was in breach of privacy regulations. I had trusted the network to take care of all of this, like other basic things (e.g., verifying ads.txt entries). Their lack of basic diligence puts me in jeopardy. If the exchange is not doing basic checks for something so simple, you’d wonder what else they are not doing well, or at all, to protect advertisers from fraud and other issues.”

An EU citizen with a German IP address installs Google Chrome on their desktop for the first time. This new instance of Chrome is not logged into any accounts or emails, and has no cookies or local storage.

The user visits a wsj.com article, and is shown a consent banner.

Before this user has an opportunity to click on any specific consent icons or buttons, the user’s browser makes dozens of HTTP requests to third party domains, belonging to companies such as Google, Adobe, New Relic, Cxense, and The Trade Desk.

Many of these HTTP requests contain response headers that set tracking cookies in the user’s browser. For example, an HTTP request made to match.adsrvr.org sets a cookie in the user’s browser called “TDID”; this cookie is set to expire in 365 days.

This example with wsj.com and a German IP address user shows that several ad tech vendors are sending and receiving data, and storing cookies, without consent or legitimate interest. These patterns are observed even after the user has navigated through several pages on the wsj.com website post-consent selection.
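The check described above can be run over a recorded browser session. The following is an added example, not code from the linked report or from this page: it flags third-party requests made before the consent click that carry `gdpr=0` or set a persistent cookie. The capture format, the consent timestamp, the `adexchange.example` and `cdn.example` hosts, and all cookie values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

FIRST_PARTY = "wsj.com"   # site under audit, as in the scenario above
CONSENT_AT = 12.0         # constructed: seconds after navigation when the banner was clicked

# Constructed sample capture from a German-IP session (t = seconds since navigation).
CAPTURE = [
    {"t": 0.4, "url": "https://www.wsj.com/articles/example",
     "set_cookie": ["session=constructed; Max-Age=86400; Path=/"]},
    {"t": 1.9, "url": "https://match.adsrvr.org/sync",
     "set_cookie": ["TDID=constructed-id; Max-Age=31536000; Domain=.adsrvr.org; Secure"]},
    {"t": 2.3, "url": "https://adexchange.example/bid?gdpr=0&pub=1", "set_cookie": []},
    {"t": 3.0, "url": "https://cdn.example/lib.js", "set_cookie": ["tmp=1; Path=/"]},
    {"t": 15.0, "url": "https://match.adsrvr.org/sync",
     "set_cookie": ["TDID=constructed-id; Max-Age=31536000; Domain=.adsrvr.org; Secure"]},
]

def is_third_party(url, first_party=FIRST_PARTY):
    host = urlsplit(url).hostname or ""
    return not (host == first_party or host.endswith("." + first_party))

def parse_set_cookie(header):
    """Return (name, lifetime in days); None means no Max-Age (Expires is not handled)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return name, int(val) / 86400
    return name, None

def audit(capture, consent_at=CONSENT_AT):
    """List (host, finding) for third-party activity seen before the consent click."""
    findings = []
    for req in capture:
        if req["t"] >= consent_at or not is_third_party(req["url"]):
            continue
        parts = urlsplit(req["url"])
        # gdpr=0 tells downstream vendors that GDPR does not apply to this request
        if parse_qs(parts.query).get("gdpr") == ["0"]:
            findings.append((parts.hostname, "gdpr=0 sent for EU user"))
        for header in req["set_cookie"]:
            name, days = parse_set_cookie(header)
            if days:  # persistent cookie written before any consent signal
                findings.append((parts.hostname, f"cookie {name} set pre-consent, {days:.0f} days"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(CAPTURE):
        print(host, "-", finding)
```
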