Contact UsWDN News & more...

To comply with GDPR, Google asks publishers to manage user-data consent for ad targeting in EU

Google is asking publishers in Europe to obtain consent for data use and ad targeting under the new General Data Protection Regulation (GDPR) privacy rules, which go into effect May 25. Companies operating in Europe are required to gain opt-in consent for collection and use of personal data under the new regulation.

“To comply, we will be updating our EU consent policy when the GDPR takes effect and the revised policy will require that publishers take extra steps in obtaining consent from their users,” wrote Carlo D’Asaro Biondo, Google President of EMEA Partnerships, in a blog post published Thursday.

Use of personal data cannot be based on implicit or opt-out consent. There must be “a statement or a clear affirmative action” indicating a willingness to share the information. Google will reportedly be capturing that consent for properties that it controls, such as and YouTube. But the company is asking third-party publishers to collect consent in situations where Google’s technology and ad targeting are behind the scenes (see below). This is somewhat analogous to what Google did in 2008 with AdSense, when it required publishers to “notify their users of the use of cookies and/or web beacons to collect data in the ad serving process.”

As part of this proposed consent arrangement, Google reportedly wants publishers to maintain records of consent and provide opt-out instructions for users who later change their minds, according to the Wall Street Journal. Much is at stake in how these policies are implemented, because failure to comply with GDPR could bring severe financial penalties of up to 4 percent of annual global turnover (revenues) or €20 million, whichever is greater. 

Additionally, Google is developing technology to serve “non-personalized” ads in cases where consent hasn’t been obtained. This is another AdSense analogy: The program originally matched ads with the content on a page, without regard to individual users or their online behavior.

“Before May, we will launch a solution to support publishers that want to show non-personalized ads, and we are working with industry groups, including IAB Europe, to explore proposed consent solutions for publishers,” wrote Biondo.

Google provided a statement to WSJ which says that the company wants publishers to ask for consent because it doesn’t “want to stand between publishers and their users.”

There’s considerable exposure under the new privacy framework in Europe for companies that rely on personalized targeting. Surveys of European internet users collectively argue that substantial numbers of people may decline to give consent for personal data use. A UK survey by media agency The7Stars found that more than a third of respondents were hostile to the use of their personal data. And 60 percent were being sensitized to the amount of data being collected about them.

The issue of who captures consent and who gets to use the data is central to the new regulations. Some marketers and experts have gone so far as to argue that programmatic advertising won’t work at all under GDPR. In addition, recent research from PageFair asserts that under 20 percent of the European population is willing to allow online tracking for advertising purposes.

Others have suggested that GDPR makes “personalized” approaches to advertising unworkable in general and that personal data must be abandoned entirely in favor of new methods of targeting that don’t rely on it.

The following is the text of an email that went out to some Google publisher partners on Thursday:

Dear Partner,

Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA).

Today we are sharing more about our preparations for the GDPR, including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements.

Updated EU User Consent Policy

Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users of your sites and apps in the EEA. The policy is incorporated into the contracts for most Google ads and measurement products globally.

Contract changes

We have been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.

In the cases of DoubleClick for Publishers (DFP), DoubleClick Ad Exchange (AdX), AdMob, and AdSense, Google and its customers operate as independent controllers of personal data that is handled in these services. These new terms provide clarity over our respective responsibilities when handling that data and give both you and Google protections around that controller status. We are committing through these terms to comply with our obligations under GDPR when we use any personal data in connection with these services, and the terms require you to make the same commitment.

  • Shortly, we will introduce controller-controller terms for DFP and AdX for customers who have online terms.
  • By May 25, 2018 we will also introduce new terms for AdSense and AdMob for customers who have online terms.

If you use Google Analytics (GA), Attribution, Optimize, Tag Manager or Data Studio, whether the free or paid versions, Google operates as a processor of personal data that is handled in the service. Data processing terms for these products are already available for your acceptance (Admin → Account Settings pages). If you are an EEA client of Google Analytics, data processing will be included in your terms shortly. GA customers based outside the EEA and all GA 360 customers may accept the terms from within GA.

Product changes

To comply, and support your compliance with GDPR, we are:

  • Launching a solution to support publishers that want to show only non-personalized ads.
  • Launching new controls for DFP/AdX programmatic transactions, AdSense for Content, AdSense for Games, and AdMob to allow you to control which third parties measure and serve ads for EEA users on your sites and apps. We’ll send you more information about these tools in the coming weeks.
  • Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
  • Launching new controls for Google Analytics customers to manage the retention and deletion of their data.
  • Exploring consent solutions for publishers, including working with industry groups like IAB Europe.

Find out more

You can refer to to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms.

If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks.

The Google Team

About The Author

Greg Sterling is a Contributing Editor at Search Engine Land. He writes a personal blog, Screenwerk, about connecting the dots between digital media and real-world consumer behavior. He is also VP of Strategy and Insights for the Local Search Association. Follow him on Twitter or find him at Google+.