Google’s steps toward GDPR surrounded by questions
The tech giant wants publishers to get and manage user consent, which Google apparently wants to co-control.
With the EU’s General Data Protection Regulation (GDPR) coming into effect in two months, there are several new indications — none completely clear — about how Google will comply.
On Thursday, the tech giant posted on its AdWords blog its intention to make some GDPR-related changes.
Its EU consent policy will be updated so that publishers will have to take “extra steps” to obtain additional consent from users, beyond what is already required.
Those extra steps are not yet spelled out, although the post says Google will be working with IAB Europe. Earlier this month, IAB Europe released a proposed technical framework for how consent collection and distribution might work for targeted ads in a programmatic system, with a given user’s consent spec traveling inside a webpage’s ad bid request.
By May, Google said, a “solution to support publishers that want to show non-personalized ads” will be offered. Again, the particulars aren’t available, but this sounds like it might be contextual ad targeting, possibly similar to PageFair’s Perimeter initiative. This is in contrast to profile- or behavior-based targeting.
Also on Tuesday, The Wall Street Journal previewed some GDPR-related steps Google will take.
It said that a consent-gathering mechanism — and, presumably, a consent-distribution mechanism — will be set up for the company’s own properties, like Google.com, Gmail and YouTube.
As for the zillions of third-party sites and apps that employ Google’s massive ad platform, Google is saying consent is the responsibility of those publishers.
Consent, IAB Europe
“Publishers will be able to use their own permission forms and wording,” the Journal’s story says, “but Google is asking them to keep records of consent given by users and offer them clear instructions for revoking that consent.”
Left unclear is whether Google will provide a centralized system that can exchange similar kinds of consent records. In other words, if every publisher is obtaining its own version of consent, will that consent data be communicable to Google?
Among other things, they object to publishers having to carry the weight for consent-gathering for ads, which could interfere with consent-gathering for their own needs, like email lists or content personalization. And there are major questions about data leakage, where consent specs or personal data might be shared throughout the ad tech system without authorization.
Another potential complication: The Journal says Google wants to be the “co-controller” with publishers of consent and possibly other personal data that publishers obtain from users. This means publishers will be on the front lines to obtain and handle such user data, while Google intends to partially control it in some way.
GDPR specifies that “controllers” are the companies that govern the processing of personal data, and “processors” are third-party vendors who act on that data for the controller.
In an email to publishers on Tuesday, Google said its DoubleClick for Publishers (DFP), DoubleClick Ad Exchange (AdX), AdMob and AdSense, and the customers of those services, act as “independent controllers of personal data.”
But, it added, Google operates as a processor of personal data through its Google Analytics (GA), Attribution, Optimize, Tag Manager and Data Studio.