Google held a video-conferenced meeting with dozens of publishers in five cities, including New York and London, on Thursday to address concerns about GDPR. The new regulation that governs how companies treat EU citizens’ data went into effect Friday.
The format of the meeting was an AMA (ask me anything) with legal and product executives who have been involved with Google’s GDPR compliance efforts, including attorney Struan Robertson, senior product counsel at Google, and Jonathan Bellack, director, product management, for publisher ad platforms, MartechToday has learned.
Google had organized the meeting in response to a letter from four publisher trade groups to Google CEO Sundar Pichai that argues the company’s GDPR proposal is untenable. Representatives from the four trade groups declined invitations to the meeting. Among the more than 50 that did attend were AccuWeather, BuzzFeed, Scripps and The Washington Post, MarTech Today learned from a meeting attendee.
We have also obtained a copy of the follow-up email that Google’s Bonita Stewart, vice president, global partnerships, sent to attendees along with a FAQ that answers some of the questions asked during the meeting. The full letter is below. It addresses key concerns publishers have about Google’s role as a co-controller of data along with the publishers using its ad serving products, its consent requirements and options for obtaining consent. Google has also reiterated its intention to join IAB Europe’s GDPR framework and outlined an integration timeline.
Google as co-controller
Publishers have questioned whether Google’s designation as a co-controller versus a processor of the data collected from their site visitors opens the door to Google using that data in any way it wishes while putting publishers on the hook for any GDPR violations on Google’s part. Stewart writes bluntly, “This isn’t true.”
We’ve heard concerns that acting as a controller gives Google “carte blanche” under the GDPR. This isn’t true. Acting as a controller does not give us any additional rights to your data — the contracts we have with you define our limits to use data and the GDPR doesn’t change that. Google’s publisher products have to act as a controller based on the definitions in the GDPR — we are a controller because we need to be able to make decisions on the data to make our ads product work. You also act as a controller under the GDPR, which is why we are each independent controllers.
Google’s position boils down to this: DFP and AdSense optimize ad delivery and personalization based on signals gleaned from user data. Because DFP is using the data for optimization, Google doesn’t fit under the narrower definition of a processor.
In the FAQ sent to publishers, Google provides an example of why it fits the controller designation. Say a person visits an AdSense publisher’s gardening site. Google will infer that person is interested in gardening and serve gardening-related ads on news and other sites that person visits.
Publishers using DFP or AdX have the option to limit Google’s use of data and keep it from using contextual interest signals from their site visitors to inform what ads it serves them on other sites. Yet, even if those controls are on, Google points out, “… we use data across DFP and AdX publishers for purposes of product improvement, including to test ad serving algorithms, to monitor end-user latency, and to ensure the accuracy of our forecasting system. Again, it’s for these reasons that we’re a controller for DFP and AdX, not the other way around”.
Consent requirements with personalized & non-personalized ads
Google issued new consent guidance for GDPR, along with its updated EU Consent policy earlier this spring. Under the EU Consent policy, publishers must disclose how Google will use visitor data. Linking to this page that was created to inform users about “How Google uses information from sites or apps that use our services” satisfies that requirement, says Google.
One of the industry-wide problems with implementing GDPR has been a lack of detail and further clarification on a host of issues. During the meeting and in the FAQ, Google stated that it will adjust its policies or consent requirements based on any further guidance from Data Protection Authorities (with a wishful thinking example):
If regulators update their guidance, for example if they tell us that consent is not required for personalized ads, we would expect to update our approach accordingly.
Google introduced an option for publishers to serve non-personalized ads to all visitors or give users the option to see personalized or non-personalized ads. However, the company underscored in the FAQ that consent is still required in countries to which the ePrivacy Directive’s cookie provisions apply with non-personalized ad serving because the ads still “use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse.”
Google will continue to serve as a controller when non-personalized ads are served.
Options for acquiring consent
Google reworked its Funding Choices tool to enable consent gathering (it also still in beta as an anti-ad-blocking monetization tool). Publishers have been concerned that Google was forcing publishers to use its own tool and limiting to 12 the number of vendors they can gather consent for. The company has already stated that the limit applies to all GDPR tools. Stewart reiterated that publishers are not required to use Funding Choices or the messaging suggested on its cookiechoices.org site to collect consent:
We don’t want to control how you get consent. You have many options to get consent, and pass that consent to Google. In terms of actual consent solutions, this is not a matter of one-size-fits-all. We have developed an option for publishers (Funding Choices) to consider and we are also supportive of publishers and ad technology providers using many different approaches to get consent.
Integration timeline for IAB Europe’s GDPR framework
The IAB Europe didn’t release the draft of its GDPR transparency and consent framework until the end of April. Google does plan to join the framework, but contract review and integration needs are holding things up, particularly on the sell side.
Integration on the buy side is in the final stages.
On the sell side, for publishers that want to use the IAB framework, the process will be phased because the integrations will take longer. In a couple of weeks, a manual integration should be completed to enable personalized ad serving for publishers using the IAB’s framework (the non-personalized ads solution will not support third-party buyers yet). The goal is to have API integration by August, which will allow publishers using the IAB framework to serve non-personalized ads or serve personalized ads based on consent passed by a user, per vendor. In the meantime, publishers can always use other consent solutions and continue to use Google publisher products.
This won’t be the end of the questions
The tension between publishers and Google isn’t likely to subside altogether as a result of this meeting. The lack of clarity from the DPAs, the last-minute framework from the IAB and Google’s behemoth market position all combine to make for an even more uncertain climate for publishers.
Stewart’s letter to publishers who attended Thursday’s meeting in full:
I want to thank so many of you for joining us and your peers from across the US and Europe, and for participating in this conversation on the GDPR. Today’s discussion is just one of many we’ve had in the past year with our partners and we plan to continue the conversation with you in the coming months.
A couple of key questions came up from partners and associations in the room and on video conference today, so I want to recap them here and provide additional clarity.
First — on controller vs processor. What specific activities does Google undertake that would make it a “controller” under the GDPR? We’ve heard concerns that acting as a controller gives Google “carte blanche” under the GDPR. This isn’t true. Acting as a controller does not give us any additional rights to your data — the contracts we have with you define our limits to use data and the GDPR doesn’t change that. Google’s publisher products have to act as a controller based on the definitions in the GDPR — we are a controller because we need to be able to make decisions on the data to make our ads product work. You also act as a controller under the GDPR, which is why we are each independent controllers.
Second — on consent guidance. Guidance from DPAs is that consent is required for personalized advertising. To support this, we updated our EU Consent policy to refine the way you get consent from your users on your sites and apps. If regulators update their guidance, for example if they tell us that consent is not required for personalized ads, we would expect to update our approach accordingly.
Third — on how to get consent. We don’t want to control how you get consent. You have many options to get consent, and pass that consent to Google. In terms of actual consent solutions, this is not a matter of one-size-fits-all. We have developed an option for publishers (Funding Choices) to consider and we are also supportive of publishers and ad technology providers using many different approaches to get consent.
We mentioned a few of the things we’re working on in our meeting, including choices for publishers to get consent from their users:
We created Ad Technology Provider controls so that every publisher that uses our ad technology has the ability to choose their preferred providers. If you decide not to engage with the controls, we apply a list of the most commonly used providers based on those that generate the most revenue for publishers. From tomorrow, programmatic ads will continue to serve using providers from the commonly used list or from providers you have selected in the Ad Technology Provider controls. Additionally, DFP reservations will continue to serve and you can select which tag-based line items should serve to EEA users in personalized and/or non-personalized mode.
We have also introduced Non-Personalized Ads to allow publishers to present EEA users with a choice between personalized ads and non-personalized ads, or to choose to serve only non-personalized ads to all users in the EEA.
We are eager for an industry-wide way to communicate consent between parties. We have been in discussions with the IAB Europe and IAB Tech Lab and are in the process of formalizing our participation in the Transparency & Consent framework. We’ve come a long way in a short amount of time to resolve open questions — the protocol and policies were all new in the last month — and we have more work to do.
Google’s full technical integration with the IAB Transparency & Consent Framework will come in August. We have created a short term solution that allows publishers to serve personalized ads to their users, which will be available in early June. We know how important this is to you and are working as hard as possible to enable integration as quickly as possible.
Funding Choices is another option available to publishers for obtaining user consent. It provides a streamlined consumer consent flow with multiple options for how consent is asked of users. Within this tool, there is currently a restriction on the number of ad technology partners that a publisher can ask for consent. We realize this is controversial but have selected 12 based on our own user research studies to balance the user experience with ensuring the user can make an informed choice. Funding Choices is optional — it is not the only solution you can use with Google products; you can choose a different consent solution that supports more providers. Under no circumstances do we want to tell publishers how many providers they can work with; this isn’t our decision to make.
We’re working on a few other options that we outlined previously, including a consent gathering tool for mobile apps via an SDK, a consent component for Accelerated Mobile Pages and updates to suggested consent language at cookiechoices.org (where we also list alternative consent solutions).
The GDPR is a big change for everyone, including us. As you’ve likely heard, read and seen, the entire ads industry and online advertising community are still working to understand the impact of the GDPR and to interpret guidance from DPAs. We’re committed to complying with our legal obligations, and supporting our partners like you. In addition to the resources we’ve shared, I’m also attaching a FAQ for easy reference.
I hope you’ve seen over the past fifteen years how serious Google is about supporting publishers, including our latest efforts around the Google News Initiative. I want to thank you again for joining me and our team at Google today and I look forward to continuing our conversation on this important topic.
Best Regards,
Bonita
Bonita C. Stewart
Vice President, Global Partnerships
[This article originally appeared on MarTech Today.]