There’s nothing like a deadline to spur action. The May 25 date for enforcement of the General Data Protection Regulation has led to a flurry of activity, as players large and small look to get compliant.

While attention is squarely on Facebook’s data practices, Google has raised concerns among several publishers with how it plans to make its ad services GDPR-compliant. In late March, Google announced that it will require publishers to take “extra steps” in obtaining their consent from users for the use of Google’s ad services. As part of its approach, Google has asked to be a “co-controller” of data, along with the publisher.

The idea of a co-controller scenario with Google or any other company when it comes to an asset as precious as a publisher’s audience data isn’t likely to be a popular one for any publisher. Not when first-party audience data is the lifeblood of both product and commercial sustainability. The reason Google wants this status is because under GDPR law, a “controller” is the company that determines how the personal data will be processed.

For some time now, the GDPR has been recognized by most publishers as a chance to regain their place as the custodians of audience data. That optimism is starting to falter. Some publishers have expressed frustration that players with a dominant market position are skirting the whole premise of the GDPR — to course-correct some of the bad practices that have been allowed to persist in digital advertising. “The policy work around the GDPR is not intended to allow the status quo to perpetuate. We all need to act responsibly, and we certainly did not expect it to be used to try and steal more value from publishers,” said a different publisher executive.

“This is a commercial agenda that’s being wrapped up in a GDPR and privacy-language narrative, but it looks very much like large vendors seeking to steal ground,” said the same publisher executive.

For others, it’s more that the timing is suspicious. “It would have been best to have all these conversations last year, not with weeks before the deadline,” said a publishing executive. “It’s put publishers in a bit of a tricky situation, as they look to protect themselves and ensure they can still keep working with the ad tech partners they rely on.”

Even in Germany, where publishers have been far more concerned about the potential ePrivacy Regulation’s arrival than the GDPR, Google’s latest updates have caused consternation. “Many publishers in Germany are currently unsettled by the Google push because detailed information is missing,” said Oliver von Wersch, independent publisher consultant and former Gruner + Jahr executive, “and because the legal understanding of Google toward consent under GDPR is not shared by the publishers.”

Getting large businesses compliant with the GDPR is a highly complex, arduous undertaking. The vagueness in the law around exactly how the law will be enforced hasn’t helped expedite businesses strategies on it. It’s also meant that interpretations of what’s allowed under the law are still totally confused and differ largely across the industry. The result is that everyone is rushing to update products and alter contracts that cover their own liability, to get their businesses compliant in a way that can secure their own revenue streams under the GDPR, and in the process, some publishers feel they are being thrown under the bus. GroupM is also in discussions with publishers over the terms of its own data protection contract recently pushed out to publisher partners.

The premise of the GDPR is to give consumers more transparency and control over how their personal data is used. It should, in theory, put premium publishers in a very strong position. “Because GDPR is likely to scale back the Wild West of data collection by ad tech companies and the duopoly, premium publishers are in a uniquely strong position by virtue of their direct, trusted relationships with consumers,” said Jason Kint, CEO of publisher trade body Digital Content Next.

“These ridiculous and far-fetched proposals from Google and GroupM are last-minute, desperate attempts to preserve their business models,” said Kint. “Time to pay attention to what is happening to the industry and society, and move on to a better place that actually respects the audience and the media they love.”

A legal analysis on Google’s stance conducted by law firm Frankfurt Kurnit Klein & Selz, commissioned by DCN, determined that Google’s approach has left publishers “in the lurch” by transferring the GDPR’s “heightened consent burdens” to Google’s publisher customers. The conclusion of the law firm’s analysis was that Google should modify its recent announcement.

“While it may be the case that Google is sometimes operating as a controller … that does not mean that Google has the right to make unilateral decisions about the use of personal data collected from publisher properties. … The publishers are the primary controllers of that data and, perhaps more importantly, have the direct relationship with the consumer,” the analysis read.

Google has said its intention is not to interrupt publishers’ relationships with their users. “Google already requires publishers and advertisers using our advertising services to get consent from end users to use our services, as required under existing EU law, said Carlo d’Asaro Biondo, president for Europe, Middle East and Asia partnerships, in a statement. “However, the GDPR will further refine these requirements. We don’t want to stand between publishers and their users. That’s why we are asking our partners to get consent for the way they use our services on their sites.”

Download Digiday’s complete guide to GDPR, including primary research, checklists, a GDPR dictionary and more.

  • LinkedIn Icon