Alexian Chiavegato 2022-02-02

Marfeel’s Response to Confiant’s Privacy Policy Violation Allegations


Confiant published an in-depth analysis 2 on 19 January 2022 and detected cases where Marfeel advertising product was using a default consent string if a consent string was not found. The issue didn’t affect any of the SaaS product lines neither global Web traffic.

Marfeel always respected the user consent choice if accepted or rejected. A default consent string was only used in the few cases where there was an empty consent string in AMP pages with header bidding and in an experimental product Marfeel was testing on a few customers’ Ad Servers. The following situations are those that could trigger an empty consent situation:

  1. No issue: When a CMP is displayed but the user doesn’t take any action. In this case the default consent string was not used, the described issue did not apply to Marfeel operated sites. Marfeel uses data-block-on-consent:_till_responded on AMP and in WEB Marfeel waits for an explicit consent. The issue would apply on publisher properties not operated by Marfeel that where not blocking advertising until consent was given or rejected.

  2. When there is no CMP or a CMP does not show in the host page. This would happen in sites owned by companies and sessions in non-regulated countries or regions. A couple of examples:

    1. No issue: For a company based in NY (non-regulated) with a visitor from France (regulated). There was no issue here since a CMP exists and the user consent string is respected.

    2. Issue affectation: For a company based in NY (non-regulated) with a visitor from Mexico (non-regulated). No CMP shows and creates an empty consent situation.

The described issue was due to a Marfeel incomplete development that was depending on the Ad Manager ${GDPR_CONSENT_XXXX} macro, not available by the time the development was initially done. Marfeel decided to use a default consent string explicitly signed by Marfeel CMP in the meantime. Due to internal desynchronization we missed the announcement about the macro being generally available.

The incidence reported by Confiant was notified by the IAB to Marfeel on 6 December 2021. We got the IAB acknowledgment that the issue had been successfully addressed on 13 December 2021.

Marfeel takes and will always take User Privacy very seriously and has acted accordingly by completing certification processes to become GDPR, CNIL, CCPA, Popia and LGPD compliant. Marfeel has received several IAB certifications and also has a public DPIAS document.

Marfeel never had any consent string tampering intention and we sincerely apologise to our customers and the industry for any inconvenience the issue described above may have caused. We will continue working hard to deliver world class products with a user privacy by design and by default approach. 

Latest Articles

‹ Back to Blog Home

Get the headlines

Sign up to get the best headlines direct to your inbox

Your name
Your email