Four trade groups representing 4,000 publishers on Monday blasted Google’s approach to compliance with Europe’s General Data Protection Rules. The new rules are set to take effect at the end of the month.
Under its new GDPR-compliant policy, Google, as a provider of digital advertising services to publishers, will have sole control over data sent to it by publishers or collected from publishers’ websites.
What’s more, Google’s policy requires publishers to obtain legally valid consent, as required by the GDPR, for data sent to or collected by Google.
If Google finds the consent mechanism “insufficient,” it can stop serving ads on publishers’ sites, the policy states.
“Your proposal severely falls short on many levels and seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law,” the publishers wrote in Monday’s letter to Google CEO Sundar Pichai.
The letter is signed by Jason Kint, CEO of Digital Content Next; Angela Mills Wade, executive director of the European Publishers Council; David Chavern, president and CEO of the News Media Alliance; and David Newell, CEO of the News Media Association.
The new policy could force publishers to obtain consent from data sources for Google that they wouldn’t need to obtain for themselves, the letter states.
“The act of requesting consent in the first place may not apply to us, but if we share that data with Google, then we would need consent,” Danielle Coffee, vice president for public policy at the News Media Alliance, told the E-Commerce Times.
“Google is essentially throwing all accountability to the publishers,” said Amit Dar, U.S. general manager at Taptica.
“This is another squeeze publishers are feeling between the end users and the revenue generators,” he told the E-Commerce Times.”As if they didn’t have enough to take on, now publishers must decide how to implement a strategy that adheres to how they see GDPR and balance that with how Google views GDPR.”
Publishers should obtain consent from people whose data they’re submitting to Google, maintained Josh Crandall, CEO of NetPop Research.
“Google is simply stating that the publishers that submit works to Google, presumably for additional audience aggregation, are in compliance with the GDPR requirements,” he told the E-Commerce Times. “Google is simply protecting its own business by requiring upstream publishers to comply with GDPR, where necessary.”
The new policy shows that Google is trying to be careful about adhering to the GDPR, Crandall said.
“Google and the EU already have a tense relationship around data privacy, search results, and other business practices,” he said. “Google is following the requirements of the GDPR very closely to avoid any further issues that they can.”
It’s likely that Google has other motives for its new policy, suggested Taptica’s Dar. “You can be certain that Google is more concerned about its bottom line and business model than adhering to new regulations.”
Google always has asked publishers to get consent for the use of its ad tech on their sites, and now it’s simply updating that requirement in line with the GDPR, according to spokesperson Suzanne Blackburn.
“Because we make decisions on data processing to help publishers optimize ad revenue, we will operate as a controller across our publisher products in line with GDPR requirements, but this designation does not give us any additional rights to their data,” she told the E-Commerce Times. “We’re working closely with our publisher partners and are committed to providing a range of tools to help them gather user consent.” [*Correction – May 2, 2018]
In their letter to Pichai, the publishers questioned the timing of Google’s new policy.
“We find it especially troubling that you would wait until the last-minute before the GDPR comes into force to announce these terms,” the publishers wrote, “as publishers have now little time to assess the legality or fairness of your proposal and how best to consider its impact on their own GDPR compliance plans which have been underway for a long time.”
However, nearly all advertising technology vendors are rolling out their GDPR solutions now, noted Eric Berry, CEO of TripleLift.
“While one could view this negatively, the reality is that Google would have been the only ad tech vendor to have released a solution, had they done so much before 30 days prior to GDPR’s effective date,” he told the E-Commerce Times.
Passing the Buck
Facebook recently changed its terms of service so users in Asia, Africa and Latin America, which were considered part of Facebook Ireland, would be considered part of Facebook Inc. in Menlo Park, California, a move critics see as a way to remove users in those regions from GDPR protection.
Google’s policy change appears to bear some similarities to Facebook’s approach, although Google has more to lose than Facebook.
“The majority of Google’s money comes from collecting data and distributing it for sale, so they have more at risk because of their business model than other social media platforms,” noted Gary Southwell, general manager of CSPi.
“With this policy Google is taking a hard stance and trying to pass the buck,” he told the E-Commerce Times. “I believe the publishers are posturing themselves in an open letter so the EC will review this and come down with a decision in their favor.”
*ECT News Network editor’s note – May 2, 2018: Our original published version of this story incorrectly stated that Google had not responded to our request to comment for this story.