Google Compliance with New EU GDPR Law
May 25, 2018 is the day the EU General Data Protection Regulation (GDPR) goes into effect in Europe, with significant impact on Google. Google set out its approach in a March 22, 2018 letter, which is discussed here.
Under GDPR, a controller determines why and how data is processed, while processors do the actual processing on the controller’s behalf. Publishers are typically considered controllers, while third-party entities like mar tech providers are typically considered processors. Google, however, defies simple categorization. Its range of products, platforms and services means that sometimes it’s a processor, sometimes it’s a controller and sometimes it’s a co-controller, which is when two or more controllers jointly decide the manner and purpose of the processing.
Google operates as a controller for some of its most-used ad products, including AdMob, AdSense, AdWords, DoubleClick Ad Exchange (AdX) and DoubleClick for Publishers (DFP). Google classifies itself as a processor for users of tools like Google Analytics, its attribution offering, Ads Data Hub and DoubleClick Bid Manager.
For the full list, see below or at https://privacy.google.com/
Google will introduce new contract terms for DFP, AdX, AdSense and AdMob that will designate it as a co-controller of user data, meaning Google will have some control over how data is processed and share the responsibility for protecting it. Google will bear the burden of gathering consent for data collection from its own first-party users across Gmail, YouTube, and Google.com. Publishers and advertisers that use Google’s ad offerings will have to get consent from their own users to do so. Google will not be able to carry over the consent it collects from its consumer-facing products for any other purpose.
Google already required advertisers and publishers that take advantage of Google’s ad services to get consent from their own end users, but Google is now updating its EU user consent policy to reflect the more stringent legal requirements under GDPR. For example, any site, app or property that uses Google products must obtain the end user’s legally valid consent to use cookies, collect data or share data for ad personalization. The updated policy is being woven into the contracts for the majority of Google’s ad and measurement products.
Google is also rolling out several product changes to help “support your compliance,” as Google wrote in its letter. There is the planned launch of a solution to help publishers show non-personalized ads to people who opt out of data collection for targeting, which sounds a lot like contextual targeting. There are new controls across AdMob, DFP and AdX programmatic transactions and AdSense for games and content that let publishers and advertisers manage which third parties can measure and serve ads for EU citizens; a tool for Google Analytics users to better manage data retention and deletion; and some unspecified “steps” to limit the processing of PII for children.
There was no mention of ePrivacy or its possible implications in Google’s note to partners, but the impact is still worth considering. ePrivacy is waiting behind the GDPR. The ePrivacy directive for electronic communications in Europe is not yet finalized. But when it does come into law, likely in the months after GDPR in May, it might remove the concept of legitimate interest as a legal basis for processing data without consent. The lack of a legitimate interest clause under ePrivacy might, for example, require cookie consent to use a third-party analytics platform like Google Analytics.
Google March 22, 2018 Letter
Dear Partner,
Over the past year, we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA).
Today we are sharing more about our preparations for the GDPR, including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements.
Updated EU User Consent Policy
Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users of your sites and apps in the EEA. The policy is incorporated into the contracts for most Google ads and measurement products globally.
Contract changes
We have been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.
In the cases of DoubleClick for Publishers (DFP), DoubleClick Ad Exchange (AdX), AdMob, and AdSense, Google and its customers operate as independent controllers of personal data that is handled in these services. These new terms provide clarity over our respective responsibilities when handling that data and give both you and Google protections around that controller status. We are committing through these terms to comply with our obligations under GDPR when we use any personal data in connection with these services, and the terms require you to make the same commitment.
- Shortly, we will introduce controller-controller terms for DFP and AdX for customers who have online terms.
- By May 25, 2018, we will also introduce new terms for AdSense and AdMob for customers who have online terms.
If you use Google Analytics (GA), Attribution, Optimize, Tag Manager or Data Studio, whether the free or paid versions, Google operates as a processor of personal data that is handled in the service. Data processing terms for these products are already available for your acceptance (Admin → Account Settings pages). If you are an EEA client of Google Analytics, data processing will be included in your terms shortly. GA customers based outside the EEA and all GA 360 customers may accept the terms from within GA.
Product changes
To comply, and support your compliance with GDPR, we are:
- Launching a solution to support publishers that want to show only non-personalized ads.
- Launching new controls for DFP/AdX programmatic transactions, AdSense for Content, AdSense for Games, and AdMob to allow you to control which third parties measure and serve ads for EEA users on your sites and apps. We’ll send you more information about these tools in the coming weeks.
- Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
- Launching new controls for Google Analytics customers to manage the retention and deletion of their data.
- Exploring consent solutions for publishers, including working with industry groups like IAB Europe.
Find out more
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms.
If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks.
Thanks,
The Google Team
Google Ads Data Protection Terms: Service Information https://privacy.google.com/
Controller Terms
Controller Services
The following Google services are eligible to be in scope of the Google Ads Controller-Controller Data Protection Terms:
· AdMob
· AdSense
· AdWords: All AdWords programmes and services accessible to customers through their AdWords accounts, except for those AdWords programmes and services that can be in scope of the Google Ads Data Processing Terms, as listed below.
· DoubleClick Ad Exchange
· DoubleClick For Publishers
· Google Customer Reviews
Google may update this list from time to time, subject to the terms of the Google Ads Controller-Controller Data Protection Terms.
Data Processing Terms
Processor Services
The following Google services are eligible to be in scope of the Google Ads Data Processing Terms:
· Ads Data Hub
· AdWords Customer Match
· AdWords Store sales (direct upload)
· DoubleClick Bid Manager
· DoubleClick Campaign Manager
· DoubleClick Search
· Google Analytics
· Google Analytics 360 (formerly known as Google Analytics Premium)
· Google Analytics for Firebase
· Google Attribution
· Google Attribution 360
· Google Data Studio
· Google Optimize
· Google Optimize 360
· Google Tag Manager
· Google Tag Manager 360
Google may update this list from time to time, subject to the terms of the Google Ads Data Processing Terms.
Types of personal data
In relation to the Google Ads Data Processing Terms, Customer Personal Data may include the following types of personal data (as applicable, depending on the Processor Services provided under the Agreement).
| Processor Service | Types of Personal Data |
| --- | --- |
| Ads Data Hub | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| AdWords Customer Match | Names, email addresses, addresses and partner-provided identifiers |
| AdWords Store sales (direct upload) | Names, email addresses, phone numbers and addresses |
| DoubleClick Bid Manager | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers |
| DoubleClick Campaign Manager | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers |
| DoubleClick Search | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers |
| Google Analytics | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| Google Analytics 360 (formerly known as Google Analytics Premium) | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| Google Analytics for Firebase | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers |
| Google Attribution | Online identifiers, including cookie identifiers and device identifiers; client identifiers |
| Google Attribution 360 | Online identifiers, including cookie identifiers and device identifiers; client identifiers |
| Google Data Studio | Data relating to individuals provided to Google via the service by (or at the direction of) Customer, including to create and collaborate on reports, graphs and charts |
| Google Optimize | Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers |
| Google Optimize 360 | Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers |
| Google Tag Manager | Online identifiers, including cookie identifiers and internet protocol addresses |
| Google Tag Manager 360 | Online identifiers, including cookie identifiers and internet protocol addresses |
Google may update this list from time to time to reflect changes to the types of personal data handled by the Processor Services.
Contribution Magdalena A K Muir