In a blog post a few weeks ago, Google announced how its ad-serving technologies will comply with the EU’s GDPR. In short, Google will control all the data on the publisher site (not just data related to serving an ad) and their publisher “partners” will take all the liability for getting consent from consumers. Oh, and by the way, Google won’t provide any specificity (as required by GDPR) about how they intend to use the consumer’s data. “Google can demand such lopsided terms because they, along with Facebook, dominate the ad-serving marketplace.” But really: This is just another example of monopolists doing what monopolists do.
Looking past the strong-arm tactics of Google, however, this is a deeply flawed approach that does not meet the spirit or letter of the GDPR. We commissioned a legal analysis of the Google proposal, which you can read in depth here.
Let’s touch on the key points:
Google as a Controller
Under GDPR, there are “controllers” and “processors.” A Controller alone or jointly with others, “determines the purposes and means of the processing of personal data” (see GDPR Article 4(7)).
Processors have no independent right to use data because they only process data on behalf and at the direction of a controller. (This is a gross oversimplification of the terms and there are a host of obligations on both kinds of companies. To read the actual text of the GDPR, go here. In the meantime, for the purposes of this post, we’ll move on.)
Controller companies need to rely on one of six legal bases to process personal data of an EU citizen. The most talked-about legal basis is consent. Under GDPR, a company can legally process personal data if it gets clear, affirmative, opt-in consent from a consumer for each data use. Google’s proposal claims they will be a “controller” of data in their capacity of serving ads, which probably makes sense since they hold an enormous amount of data that they use to personalize ads and they would like to continue collecting data as they serve an ad to help target ads to the consumer in the future.
However, Google’s proposed terms go a step further by claiming that it will be a “controller” of all the data on a publisher’s site (not just what they need to serve the ad). By declaring itself a controller over all the data on a publisher’s site, Google is asserting independent control of a publisher’s audience data. This is a massive land grab by the already-dominant Google.
Google’s proposal also requires publishers to get consent from consumers for Google’s activities. Let’s put aside the fact that Google has its own consumer-facing properties where it could get consent. Google says it won’t serve ads on a publisher’s site if the publisher doesn’t get consent for Google and do so in any way that Google likes.
There are multiple problems with this heavy-handed approach. As noted above, the GDPR requires companies to obtain clear, affirmative, opt-in consent for each data use. Yet, Google provides no information about how it would use the data and, thus, publishers are left in the dark while shouldering all of the liability. Even if they could get consumers to give their consent for Google, the consent would surely be ruled invalid because the publisher can’t provide the consumer any transparency about how their data will be used. Only Google can do that, but they won’t – likely for competitive reasons.
The other problem is that this approach conflates consent for Google with consent for other purposes that consumers might be more likely to provide. In practice, when an EU citizen visits a site, the publisher would have to ask consumers for consent for Google (and all the as-yet-unknown data uses) along with consent for email marketing or location information for the purposes of personalizing news. Lastly, under Google’s terms, they re-assign all of their liability for GDPR compliance (and the fines of up to 4% of global revenue) to the publisher. Google is trying to have its cake and eat it too and then send the bill to publishers.
Non-Personalized Ad Solution
In a tiny footnote of the Google announcement, Google promises to roll out a solution for serving non-personalized ads. Presumably, under this solution, Google would simply serve contextual ads at the direction of the publisher. Perhaps they would even relegate themselves to the role of a processor. It’s unclear whether they think they have a “legitimate interest” (another legal basis to process data) to collect data for other purposes. Suffice to say there are a lot of questions about this solution and whether publishers could rely on it.
With a mere six weeks left until GDPR enforcement, Google has unilaterally rolled out terms at the last minute that it hopes the industry will simply accept. Instead of acting like a good partner, Google is offering a “take it or leave it” approach while prioritizing its dominant marketplace position. The GDPR was not intended to be used as a tool to further entrench Google’s dominance, it was intended to provide greater transparency and choice for consumers over how their data is collected and used. Publishers and regulators should call them out and demand terms that meet the spirit and letter of the law.
Note: Opener art adapted from an original created by Tdorante10 and is used under a Creative Commons license.