For months, the digital media industry has waited with bated breath for regulators to make an example of a company for falling foul of the General Data Protection Regulation. This week the shoe dropped.
French data protection authority CNIL fined Google €50 million ($57 million) that it said would recur should Google not change how it currently gains user consent to send targeted ads. Executives across the industry are scrambling to understand the ruling and whether they’re next. CNIL’s core gripe is that Google has conflated multiple processing purposes to use personal data to target ads — a no-no under GDPR.
“The information presented to users about Google’s various data processing purposes is, as CNIL observed, a mess,” said Johnny Ryan, chief policy and industry relations officer of web browser Brave. “It is inadequately specific, and presented in such a way that a user would have to hunt for it across many different locations, and might come out none the wiser.”
“The upshot is that Google is unable to cross-use user data it is given by users to provide services for the purpose of ad targeting,” he added.
Google can appeal the ruling, though it hasn’t confirmed that it plans to. Instead, a Google spokesperson confirmed the tech giant is addressing the issue CNIL raised.
The fact that CNIL chose Google as its first target isn’t too surprising, as regulators across Europe have taken aim at U.S. tech giants and their use of data. The question remains whether CNIL will target regular publishers or remain focused on tech platforms.
“This is the regulators going for the most public — and arguably prolific — name in town when it comes to the use of consumer data,” said Jon Slade, chief commercial officer of the Financial Times. “But publishers and anyone handling data would be crazy not to look at this strong enforcement of GDPR and double-check themselves. The interpretation of GDPR has been inconsistent at best, and in some cases has willfully chosen to ignore both the letter and the spirit of the regulation. The industry now can’t say it hasn’t been warned.”
Others feel strongly that publishers are on borrowed time, having only superficially adapted their products for GDPR. For example, there are instances where publishers have supplied no option to actually deny consent, but include an “I agree” or “Accept” option for users. If the user does nothing and continues to browse the site, that notice will disappear and consent is assumed.
Truthfully, no one knows for sure where the hammer will fall, and there is some concern among publishing executives that if Google has to get stricter on how it gains consent, that this may have future ramifications for publishers generating ad revenue via DoubleClick for Publishers.
“Publishers should be worried as they have implemented it without understanding the spirit of GDPR,” said Alessandro de Zanche, independent publishing consultant and former News UK executive. “Despite some recent progress, too many publishers, instead of looking at consent as a way to rebuild their business models, strategies and the fading relationship with their users, have approached GDPR compliance as a box to tick in order to keep doing what they have been doing for years: being a cog in the programmatic ecosystem.”
However, other industry executives believe the CNIL verdict is specific to Google’s breadth of services and business model. Publishers shouldn’t have anything to fear from the news, because they don’t bundle consent for multiple different services, according to Richard Reeves, managing director of the Association of Online Publishers.
“This is about the fact they [Google] have so many spider webs out there, that they are leveraging the opportunity that provides,” said Reeves. Publishers are gathering user data in which to serve ads within their own supposedly protected ecosystems, whereas Google uses data for a mix of services — whether it’s YouTube, Maps, email — and then uses the information to send targeted ads across the web. That is the core reason why the ruling doesn’t necessarily spell trouble for publishers, added Reeves.
However, he added that publishers also have work to do to make it easier for users to view what their settings are and alter them should they wish — a similar approach taken in Germany. CNIL has ruled that Google requires users to click through too many separate pages in order to reach certain essential information that users should be able to. That layering of consent has been deemed opaque and will need to change in future, according to the regulator. “We as an industry must make that more clear,” he added.
France isn’t the only country where Google is being scrutinized by regulators. Sweden’s DPA has also demanded Google to answer specific questions relating to how it gathers consent. Meanwhile, other Silicon Valley firms could also be in for a shock, according to Brave’s Ryan.
“Similar problems apply to their [Facebook’s] use of consent. Indeed, decisions arising from NOYB’s other complaints against Facebook, Instagram, WhatsApp are still to come,” he added. “The solution is to remove personal data from the bid request and thereby enable ad targeting that has no data protection risk,” added Ryan.