The leaky nature of the real-time bidding advertising ecosystem continues to cause problems in a post-General Data Protection Regulation era.

Publishers that rely heavily on programmatic advertising bought via the open exchange as a revenue stream have always been vulnerable to sketchy ad tech vendors that drop tags on pages without the publisher’s knowledge. But when those same so-called vendors don’t have GDPR policies, they create bigger problems.

“We have yet to find one website whose CMP [consent management platform] vendor list covers all vendors that are dropping or reading cookies,” said Chloe Grutchfield, co-founder of ad tech consultancy RedBud. “And that includes publishers that opt to display the full IAB list of vendors in their CMP.”

RedBud has scanned 30 of the top U.K. publisher sites and flagged several dubious redirects occurring on a dozen sites, triggered by vendors that have no clear GDPR policy. That puts both publishers and legitimate vendors they work with at risk of penalties. Two companies flagged by RedBud have vague office addresses listed outside the European Union in countries like Israel and Russia.

Some redirects are vendors triggered by other, bona fide vendors for the purpose of cookie syncing. Some may be a little questionable and piggyback on a redirect to redirect to other smaller vendors, added Grutchfield. But in general, redirecting for cookie syncing purposes is a legitimate digital advertising method. The issue comes when the smaller players outside of Europe, that are not GDPR compliant, are triggered on U.K. browsers. There are several like this that are managing to slip through, she added.

RedBud flagged several specific companies as suspicious redirects, which are appearing on publisher sites in the U.K. One such company called “Upravel” states on its website that it has offices in Moscow in Russia and Raanana in Israel. There is only an Israeli address and one generic email listed as contact details on its site. Digiday contacted Upravel via the contact details on its site but received no reply before this article’s publication.

RedBud isn’t the first company to flag Upravel as needing further scrutiny. The Media Trust, which continuously scans publisher pages for unauthorized tags, has previously flagged Upravel as potentially an illegitimate business. A year ago, Upravel was flagged as serving tags and loading a tracking pixel onto a site, been although it doesn’t position itself as an ad server. The fact its name was nearly identical to Uprival, a legitimate business with a good reputation among publishers also roused suspicion, according to Chris Olson, CEO of The Media Trust.

“Publishers need to scan their ecosystem for any unauthorized supply chain code,” said Olson. “The rogue code could enable unauthorized data gathering or a data breach that would put a publisher at odds with GDPR.”



Despite being flagged as suspicious a year ago, the company continues to appear on sites today. Another name flagged by RedBud as suspicious and appearing on major U.K. publisher sites is “Slowplay,” which shares a domain name with “cootlogix.” A visit to its site shows no GDPR policy and three vague office addresses in Malta, London and Denver in the U.S. Digiday contacted Slowplay via the contact details on their site but received no reply.

Many media executives believe that the seemingly infinite number of vendors in the digital ad market create the perfect camouflage for fraudsters and bad practice. However, GDPR needs to be used as a tool by all legitimate players in the ecosystem to enforce cleaner practice. “It is the natural outcome of strategies and practices which are ignoring the fact that RTB is not GDPR compliant and so bundling consent,” said Alessandro de Zanche, independent media consultant and former News UK executive. “This is leaving gray areas and dodgy practices active, something which in a pre-GDPR era were ‘just’ unacceptable but today are also illegal.”

Continuously monitoring which vendors a publisher’s vendors are redirecting to is a constantly moving beast. Typically, exchanges and SSPs rotate who they redirect to. They won’t call all their partners per session because it would put too much pressure on a website. If they have more than 100 partners they sync cookies with they will use redirect rotations. That makes it tricky for publishers to see the full extent of who is dropping cookies on their sites.

That said, onus shouldn’t be just on the publishers to monitor. Ad tech vendors also share the responsibility of auditing who they are redirecting to and whether those companies have GDPR policies.

“Third-party vendors doing business with the digital publishers do have a responsibility to know where their source code is running,” said Olsen. “Though, there is a willpower issue in the digital ad ecosystem. If you shut off one company from running on your site, they will find others [vendors to piggyback on] to get them there.”