back button

Back

An interpretation of Google new consent requirements for publishers

March 29, 2018byJulie Tamba

We wrote a few articles in the last months regarding consent, including on how consent should be obtained (e.g. may clicking on the website be considered a sufficient positive act ?) or why it should be obtained  (e.g. which geolocation uses or marketing communications will require consent ?). Taking into account this framework, we thought it would be interesting to take a deeper look at the Google situation which has been recently highlighted in the media, as an update of its privacy policy(ies) showed up in preparation for the GDPR entering into application next May.

To give some context, Google has been requesting publishers using its ads services (such as Adsense targeted advertisement service or Doubleclick advertising exchange service) to collect consent in relation to its cookies under the ePrivacy directive since 2015. It did not provide much help in that regard but referred to the rather simple guidance of the Article 29 Working Party, under which an unambiguous action realized in the website after being informed of the purposes and modular acceptance possibilities for the cookies was recognized a valid consent.

When things are getting complicated regarding the acquisition of consent

Now that GDPR will enter into application, consent becomes a much trickier subject that publishers will need to solve (almost) by themselves. In order to be valid, consent must indeed be a freely given, specific, informed, unambiguous and demonstrable positive act from the persons: one of the difficult parts of this challenge for validity is without doubt the fact that the purposes and data controllers (the entities – meaning named companies, not groups – determining the purposes) for which consent is required must be clearly stated before collection.

On its page called EU user consent policy, Google states that “you [the publisher] must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area“: needless to say that this statement does not help much in the process, except that it implies that the data controller is located outside of the EU as only end users in the EU are concerned (a data controller established in the EU would have to obtain consent from any individual). One could reasonably think of Google LLC which is the umbrella organization for Google services.

Google also adds “You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data“. In other words, publishers will need to mention Google and its usages of data to ensure that Google may benefit from a valid consent.

When achieving this objective seems like a guessing game

So publishers will need to obtain (and record and store) a valid consent for usages by Google of personal data collected on their website.

Yes but…

  • Google does not consider itself as a data controller in all situations (and as a processor it does not need to bother with consent);
  • When it does consider itself a data controller (especially for DoubleClick for Publishers, DoubleClick Ad Exchange, AdMob, and AdSense), it does not clarify which company of the group is bearing this responsibility;
  • The contracting entity for publishers may very well be a European Google entity for certain services (such as Adsense and Adwords) which does not in itself designate such entity as the data controller but certainly adds some complexity;
  • Google does not even state that consents must be collected by publishers explicitly on its behalf for its own usages (which may  be a way to avoid taking a clear position on whether or not Google operations of profiling and displaying targeted ads requires consent or – even worse – explicit consent under article 22 of the GDPR).

Finding out for which perimeter one is supposed to collect consent may therefore appear a challenge in itself.

When transparency is paradoxically quite blurred

In its EU user consent policy, Google states that consent is required in relation to “the collection, sharing, and use of personal data for personalization of ads or other services“. To know more about usages and other services that take place as a result of using Google tools implies to take a deep dive into the relevant terms and privacy policies pertaining to the concerned service(s).

And to make matters even worse, various other issues which remain unanswered under the GDPR will need to be addressed by publishers: to what extent may publishers incite (drive or force) individuals to give consent? How granular should collection of consent be (per purpose and/or per data controller) ? Which actions from the person (click on a button in the banner or on the website) will be considered as positive and unambiguous? What elements are required to prove the consent (its existence and validity)? If you would like to know more, you may want to take a look at the documentation published by Didomi in view of providing practical answers to these questions.

Now to be perfectly honest, other actors in the Ad tech sector are not doing better. Most of them have not – to date – finished their job on the road to compliance: publishing an article on how privacy is important and GDPR is being carefully prepared, sure ; amending a few policies and possibly auto-certifying with the Privacy Shield framework, sometimes ; specifying if they should be considered a data controller or processor and proposing adapted contractual clauses, rarely ; include these clauses in their general terms and conditions, never (but who would grant by default an audit right to its clients if they are not even asking for it?). It is worth noting though that a few entities have provided their publishers with standard quotes to be inserted in consent notices, which is certainly a relief for many publishers.

When Google may be in the process of defusing the bomb

This is just a possible interpretation yet it seems that certain facts can be deduced from the above:

  • Google is asking its publishers to obtain consents on its behalf… under cover of obtaining consents for themselves;
  • Google requests consents in relation to the use of data for personalization of ads… without explicitly stating which related uses require such consents;
  • Google adopts the point of view of entities located outside of the EU… which is not the case of all publishers or Google companies.

Yet with such an ambiguity, if the court action against the mother company kicks in, various options would be available : argue that the defendant is not the responsible entity; pretend that the considered usages do not require consents from the persons to be implemented ; or even possibly show that consents have been collected which encompass all usages of personal data by the group…

Related articles

May 25, 2018byJulie Tamba

A potential future for the Ad Tech industry: consent without tracking walls

Publishers and actors of the Ad Tech sector targeting the EU currently face one of the biggest challenges they have ever encountered, one that may require them to change profoundly their model. Namely? Unambiguous positive consent. Some background Publishers (both online and offline) have traditionally been able to provide their readers with free contents by…

Read more

Ad Tech

Consent

ePrivacy

GDPR

Publishers

April 20, 2018byRomain Gauthier

Didomi now supports the IAB Europe consent framework

Didomi is proud to announce that our Consent Management Platform (CMP) is now officially registered with the IAB Europe’s GDPR consent framework. We’re one of the first CMPs to fully support the framework. The IAB Europe Consent Framework The IAB Europe Consent Framework aims at standardizing consent flows between advertising partners. Online advertising involves a…

Read more

Consent

Cookies

ePrivacy

GDPR

Publishers

tailored advertising

targeted advertising

February 9, 2018byJulie Tamba

(French) Consentement GDPR en pratique – Partie 3: les mineurs

Consentement des mineurs : une bonne chose de faite ? Mercredi 7 février 2018 a été adopté par l’Assemblée Nationale un amendement ajoutant à la loi Informatique et Libertés un article 7-1 relatif au consentement des mineurs au traitement de leurs données personnelles. Consentement lié à l’offre directe de services de la société de l’information aux enfants…

Read more

CNIL

Consent

GDPR

Informatique et Libertés

Minors

personal data

December 13, 2017byJulie Tamba

GDPR consent in practice – Part 2: Methods

After reviewing when it is opportune to obtain consent, it is time to take a closer look at ways to obtain consent. How should consent be obtained? Consent is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement…

Read more

Consent

European Union

GDPR

Methods

personal data

December 12, 2017byJulie Tamba

GDPR consent in practice – Part 1: Opportunity

As a follow up to the article on whether collecting user geolocation require consent, it has to be examined more generally when and how consent should be obtained. The first part of this topic focuses on simple guidance regarding the opportunity to obtain consent. When should consent be obtained? It is important to underline that,…

Read more

Consent

GDPR

Opportunity

personal data