All eyes have been on Google as May 25 draws near. That’s the day the General Data Protection Regulation goes into effect in Europe, where Google has a target on its back.
Google laid out its GDPR prep plan Thursday in a letter to partners after months of playing its cards close to the vest.
Here’s how Google is getting its house in order before what’s arguably the most significant change to data protection in decades hits the books in just two months.
Processor or controller … or co-controller?
Under GDPR, a controller determines why and how data is processed, while processors do the actual processing on the controller’s behalf. Publishers are typically considered controllers, while third-party entities like mar tech providers are typically considered processors.
Google, however, defies simple categorization. Its constellation of products, platforms and services means that sometimes it’s a processor, sometimes it’s a controller and sometimes it’s a co-controller, which is when two or more controllers jointly decide the manner and purpose of the processing.
Google operates as a controller for some of its most-used ad products, including AdMob, AdSense, AdWords, DoubleClick Ad Exchange (AdX) and DoubleClick for Publishers (DFP).
Google classifies itself as a processor for users of tools like Google Analytics, its attribution offering, Ads Data Hub and DoubleClick Bid Manager.
But Google is planning to introduce new contract terms for DFP, AdX, AdSense and AdMob that will designate it as a co-controller of user data, meaning Google will have some control over how data is processed and share the responsibility for protecting it.
Google will bear the burden of gathering consent for data collection from its own first-party users across Gmail, YouTube and Google.com. That shouldn’t be overly difficult, considering that most consumers consider these to be indispensable utilities.
But publishers and advertisers that use Google’s ad offerings will have to get consent from their own users to do so. Google will not be able to carry over the consent it collects from its consumer-facing products for any other purpose.
This isn’t new. Google already required advertisers and publishers that take advantage of Google’s ad services to get consent from their own end users. But Google is now updating its EU user consent policy to reflect the more stringent legal requirements under GDPR.
The updated policy is being woven into the contracts for the majority of Google’s ad and measurement products.
Publishers aren’t likely to risk their first-party relationships for just any data partner or ad tech vendor. There’s been a concerted effort in the publisher community in particular to shore up the supply chain and work with fewer parties.
But it’s unlikely, as publishers and advertisers whittle down their ad stacks and scrutinize their supply chain, that Google products won’t make the cut.
In the meantime, the ad tech industry has been toiling away – others would argue that they’ve been spinning their wheels – working with IAB Europe on a framework that would allow publishers to collect consent for multiple ad tech vendors in one go.
In its letter to partners, Google said it’s “exploring solutions for publishers, including working with industry groups like IAB Europe,” but didn’t go into detail on what that will look like.
Google is also rolling out several product changes to help “support your compliance,” as Google wrote in its letter.
The most interesting offering on the agenda is the planned launch of a solution to help publishers show non-personalized ads to people who opt out of data collection for targeting – which sounds a lot like contextual targeting.
Also on the agenda are new controls across AdMob, DFP and AdX programmatic transactions and AdSense for games and content that let publishers and advertisers manage which third parties can measure and serve ads for EU citizens; a tool for Google Analytics users to better manage data retention and deletion; and some unspecified “steps” to limit the processing of PII for children.
There was no mention of ePrivacy or its possible implications in Google’s note to partners, but its potential impact is still worth considering.
EPrivacy, which could blow up the ad industry’s spot, is waiting in the wings behind GDPR.
The ePrivacy directive, which pertains to electronic communications in Europe, is not yet finalized. But when it does come into law, likely in the months after GDPR hits in May, it might remove the concept of legitimate interest as a legal basis for processing data without consent.
The lack of a legitimate interest clause under ePrivacy might, for example, require cookie consent to use a third-party analytics platform like Google Analytics. Until ePrivacy is enacted, enforcement remains a gray area.
Here is the letter in full:
Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA).
Today we are sharing more about our preparations for the GDPR, including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements.
Updated EU User Consent Policy
Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users of your sites and apps in the EEA. The policy is incorporated into the contracts for most Google ads and measurement products globally.
We have been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.
In the cases of DoubleClick for Publishers (DFP), DoubleClick Ad Exchange (AdX), AdMob, and AdSense, Google and its customers operate as independent controllers of personal data that is handled in these services. These new terms provide clarity over our respective responsibilities when handling that data and give both you and Google protections around that controller status. We are committing through these terms to comply with our obligations under GDPR when we use any personal data in connection with these services, and the terms require you to make the same commitment.
- Shortly, we will introduce controller-controller terms for DFP and AdX for customers who have online terms.
- By May 25, 2018 we will also introduce new terms for AdSense and AdMob for customers who have online terms.
If you use Google Analytics (GA), Attribution, Optimize, Tag Manager or Data Studio, whether the free or paid versions, Google operates as a processor of personal data that is handled in the service. Data processing terms for these products are already available for your acceptance (Admin → Account Settings pages). If you are an EEA client of Google Analytics, data processing will be included in your terms shortly. GA customers based outside the EEA and all GA 360 customers may accept the terms from within GA.
To comply, and support your compliance with GDPR, we are:
- Launching a solution to support publishers that want to show only non-personalized ads.
- Launching new controls for DFP/AdX programmatic transactions, AdSense for Content, AdSense for Games, and AdMob to allow you to control which third parties measure and serve ads for EEA users on your sites and apps. We’ll send you more information about these tools in the coming weeks.
- Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
- Launching new controls for Google Analytics customers to manage the retention and deletion of their data.
- Exploring consent solutions for publishers, including working with industry groups like IAB Europe.
Find out more
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms.
If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks.
The Google Team