The muddy waters of cookie syncing and other redirects

A BLOG PIECE BY CO-FOUNDER CHLOE GRUTCHFIELD

See it. Say it. Sorted.

In their November 2016 campaign “See it. Say it. Sorted”, National Rail and the British Transport Police encouraged visitors to report any unusual activity that they saw during their travels. In the bid to lock down on crime and illegal activities, this campaign urges everyday commuters to keep an eye on their surroundings - working together to make our city a ‘safe place’ to be.

Whilst I’m sure by ‘visitors’ they meant physical people passing through their stations, I was keen to see if their website was a “safe” place. There was only one way to find out, and that of course was by sending our DIAGNOSE tool to visit their website.

Lo and behold we saw some “unusual activities” taking place.

The question is, do we tell the ICO?

It seemed only fair to approach their website, as they would like us to approach their stations - with the See it, Say it, Sorted mindset. Let's take a look shall we?

See it

If you go to the British Transport Police website www.btp.police.uk, you’ll see a cute little cookie notice that says “Like most websites, British Transport Police uses cookies. By continuing to browse the site you agree to our use of cookies. We only use Google Analytics cookies on our site”. Their privacy policy indeed mentions them and them only.

Unfortunately this is not accurate.

On their site, you will find those little social sharing widgets that the British Transport Police have installed on their blog page (also on the See it. Say it. Sorted page, ironically). They’re funny little things those social widgets - they like to “sync cookies” - and trigger other technologies. In fact, a few data companies got triggered when I visited the website and they left me a little present: they dropped a few little cookies on my browser.

Some might say it's ironic that it would happen to a police website with no notice on any cookie beyond Google Analytics.

Say it

Since RedBud’s inception in May last year, our tool has captured a very large volume of data across the top UK websites. It’s also captured a ton of redirects/cookie syncing activities (that’s how we found our stalker : www.redbud-media.com/blog/who-are-you-pixel-s3xified-com).

Redirects and cookie syncing are a necessary “evil” in our industry. Why? Well most of the platforms (apart from those that united over universal IDs) have their own domain with their own set of cookies that no-one else can read. So, for those platforms to communicate with each other (share the availability of an impression for a particular user, share data etc.), cookie syncing is necessary. But it’s also making things a little more complex from a prior notice and consent perspective.

Let’s ‘say it’ for what it is, shall we:

Unlike the BTP police website, publishers have gone through the painful exercise of implementing a Consent Management Platform (CMP) and some have seen it impact on revenue. For the most part, they implemented a CMP that follows the IAB Consent & Transparency Framework guidelines.

Note: One of the pillars of the framework is to list all participating vendors with information on their legal approach to processing data and their purposes for doing so.

The publisher is able to customise their CMP and select a list of vendors that are part of the IAB framework and that will feature within their ‘lists’.

Now, despite users ‘accepting consent’ to those vendors, that’s not quite the end of the story.

• What about the vendors that are triggered by redirects though, drop a cookie on the browser and yet have no relationship with the publishers (and therefore may not feature in the CMP)?

• What about the 3rd party tracking systems implemented on ads that are delivered via RTB mechanics and sometimes 5 steps removed from the publisher?

• What about the vendors that are not part of the IAB framework?

• What about that Russian DSP whose tags are triggered on a large number of publishers, not in the IAB framework, who specify in their privacy policy “We collect non-personal data that allows us to determine the uniqueness of user while protecting his anonymity.” That sounds like personal data to me!

Muddy waters those redirect.

Sorted

Thinking you might be in the same position as the British Transport Police? It’s possible you are, and by no deliberate fault of your own. We’ve created such a tangled web within the adtech industry, that ensuring all GDPR bases are covered isn’t always as easy as it first seems.

The key is to monitor what’s going on, so you can decipher the vendors that are being triggered on your website and what they are doing in the background - dropping a cookie, reading an existing cookie, triggering another technology etc.

Well, you’re in luck. Our DIAGNOSE Compliance tool is exactly what you need to get is sorted. Get in touch. Rhys and I would love to grab a coffee: rhys.denny@redbud-media.com, chloe.grutchfield@redbud-media.com