Last week Google said that it wanted to have publishers solicit people’s consent to collect their information on the search company’s behalf — potentially paving the way for how other tech giants that sell ads on publishers’ sites, like Facebook and Amazon, might try to comply with the General Data Protection Regulation without significantly changing their ad tech operations.
Under the European privacy law GDPR, for Google to sell targeted ads to publishers’ European readers, it needs to obtain their permission. Legal experts said it’s legal for Google to obtain that consent secondhand.
Google also said that it would accept the role of joint controller of that data for publishers using its DoubleClick for Publishers ad server and AdX ad exchange; the publishers would also serve as controller. That joint controller role is important because it means Google is taking ownership of the data and can do what it likes with it. If Google had opted for the alternative designation, “processor,” it would only be able to use the data as prescribed by the controller — in this case the publisher.
“It probably reflects the reality that Google is going to be using the data for its own benefit, not merely servicing the publisher. I don’t think there’s any way for them to proceed differently,” said Gary Kibel, partner at law firm Davis & Gilbert.
“If an organization is willing to take on the data controller mantle, you have to raise the question of: Why are they voluntarily taking on those obligations? It must be because there are additional uses that they want to make of that data. It’s not simple processing anymore,” said Scott Lyon, partner at law firm Michelman & Robinson.
Those additional uses are likely Google’s existing ones: Being able to identify people across various sites and target them with ads based on their browsing behavior. By assuming the controller role and getting data collection consent through the publisher, Google is simply being more upfront about what it already does when people visit sites on which it can sell ads. “It’s pretty much the way things work today in the U.S. already,” said Kibel.
Google’s approach to GDPR compliance may serve as a template for others that want to sell targeted ads on publishers’ sites. But its approach is not the only one.
The digital advertising industry organization, IAB Europe, is also ironing out a way for ad tech firms to piggyback publishers in order to get people’s permission to collect their data (Google has said it is working with IAB Europe “to explore proposed consent solutions for publishers”).
An important difference between IAB Europe’s solution and Google’s appears to be that IAB Europe’s spans multiple companies whereas Google’s is specific to Google, said Kibel. That direct relationship could address the concern that IAB Europe’s solution leaves publishers vulnerable because participating ad tech vendors aren’t strictly vetted for compliance.
It’s unlikely that all ad tech companies would be able to similarly roll out their own consent solutions and gain adoption among publishers. But Google is a strong enough player that it can get publishers to comply to stay in Google’s network, said Kibel. Other ad giants such as Facebook and Amazon may follow its example.
In assuming the position of controller alongside the publisher, Google maintains autonomy in how the data is used. But in obtaining that data through the publisher, it is liable if the data is not collected correctly. By rolling out its own consent solution, Google may be better able to ensure compliance and eliminate the risk of publishers collecting data without proper consent.
In a joint controller relationship, the parties need to spell out in their agreement what the scope of their obligations are, and if one is going to obtain the consent on behalf of both, the other one needs to have confidence that the other is getting consent in a way that addresses the obligations, said Alysa Hutnik, partner at law firm Kelley Drye.
“The concern with GDPR is, everybody in the data supply chain could become liable. If the publisher fails to get sufficient consent for Google when [Google’s] tags or pixels are on [the publisher’s] site, the publisher could be potentially liable. Google, of course, could certainly be liable for collecting that data without the proper GDPR compliance process,” said Kibel.
“The way they’re solving the problem is, ‘Okay publisher, I’m going to put the burden on you. Go obtain this consent. But then I need to be able to verify it because, as a joint controller, I’m on the hook too,’” said Lyon.
It remains to be seen how fully Google will be able to ensure compliance. Google has so many publishers in its network that it’s going to be impossible to manually audit them, said Kibel.
One way that Google could get publishers to comply is by helping them serve non-targeted ads to visitors who don’t grant consent while still making money.
“The trick is going to really be the implementation,” said Lyon.
Are you ready for the GDPR? Download Digiday’s guide for research, tips, a GDPR dictionary and more.