
Google’s GDPR Gameplan: What AdX and AdSense Publishers Can Do


It’s three weeks till May 25th. And right on time, Google announced its GDPR policy to its publishing partners. We’re breaking down the policy here so publishers know what’s going on:

Google’s GDPR Gameplan

In a recent email to all its publishing partners using DFP/AdX and AdSense, Google says:

You are not required to seek consent for a user’s activity on Google’s sites (we obtain that ourselves when users visit our sites). We are asking only that you seek consent for your uses of our ads products on your properties. We already require that certain consents are obtained from your users in the EEA, and we are updating those requirements in line with the GDPR.

ICYMI: You need explicit consent to collect and process the following data:

  • Mobile device ID
  • Location
  • IP addresses

Google uses this (along with all the data it collects from signed-in apps like Maps, Gmail, etc.) to let advertisers target their ads to users. This is called “personalization”. Google serves ‘personalized ads’ to all site visitors by default through AdSense or AdX.

Post-GDPR, publishers will need EU users’ explicit consent to serve personalized ads.

But what if you switched to serving only contextual ads to European users? You may still need some consent to store cookies or use device IDs to comply with an updated ePrivacy Directive. Here’s what Google says:

Although non-personalized ads don’t use cookies or mobile ad identifiers for ad targeting, they (contextual ads) do still use cookies or mobile ad identifiers for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Therefore, you must obtain consent to use cookies or mobile ad identifiers for those purposes where legally required, per the ePrivacy Directive in certain EEA countries.

The takeaway? Google needs you to collect users’ consent. Publishers violating this term can be banned from using DFP/AdX and AdSense.

If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.

Publishers Point Out Legal Oddity, Lack of CMP Support

Google is positioning itself as a (joint) Data Controller. This is because Google decides how it shares the impression data, and with whom, without publisher input. One example is dynamic allocation in DFP.

Here’s what being a Controller means in GDPR terminology:

  • Controller: Someone that determines the purposes, conditions and means of the processing of personal data. In this case, it’d be the publisher.
  • Processor: Someone that processes data on behalf of the Data Controller.

“Google as controller” is especially true for AdSense, where publishers get basic controls over their inventory and no way to understand what’s happening behind-the-scenes of each auction.

Some of the biggest publishers, however, are pointing out that joint controllers must know how and when the data is used/shared. Since publishers don’t always know how Google algorithms work, going for controller (instead of processor) status is strange.

Four major publisher trade bodies co-signed a letter to Google CEO Sundar Pichai, questioning the need for ‘controller’ status. Here’s an excerpt:

You assert that Google will be a controller of the personal data it receives from publishers and collects on publisher pages, and that Google will make unilateral decisions about how a publisher’s data is used.

— Publisher Letter to Google

One analysis stated that “This structure fails to meet the transparency, specificity, and granularity standards required by the GDPR for purposes of obtaining legally valid end user consent.” (source) Unless Google shares its data practices with its joint controllers (i.e., publishers), co-controller status is an overreach.

Google, however, has already clarified its position with this disclaimer:

The designation of Google’s publisher products as controller does not give Google any additional rights over data derived from a publisher’s use of those products. Google’s uses of data continue to be controlled by the terms of its contract with its publishers, and any feature-specific settings chosen by a publisher through the user interface of our products.

Another point of contention is consent management platform (CMP) support. IAB has greenlighted CMPs to help publishers collect and pass consent signals through the supply chain. According to the publishers’ letter, Google says that it will only work with CMPs that pass its criteria.

So what are the available options?

What AdSense/AdX Publishers Should Do

If a majority of your ad revenue depends on Google’s tech stack, you have to comply. Fortunately, Google has provided the following consent controls for publishers to work with.

1. Apply for Funding Choices

Funding Choices was created to keep publishers from losing revenue due to adblock. It lets visitors choose between paying a small fee or whitelisting the site if they want to continue browsing the site.

A consent update to the Funding Choices program is currently in the works. It will include consent messages that publishers can display on their website.

But there’s a caveat: to use Funding Choices for obtaining consent, publishers need to restrict their data sharing partners – which includes everything from SSPs, ad networks, exchanges, DSPs, DMPs, ad servers, and measurement vendors – to 12, including Google itself.

If more than 12 unique ad technology providers are specified, you’ll be unable to publish a consent message for a domain, and any consent messages that are already running will not be displayed until you reduce that number to 12 or fewer.

To put that in perspective, some of the larger publishers can have over 200 different tags on their site at any time.

The rationale behind the number is this: Google’s beta tests showed that if the number of data partners appearing in the consent pop-up is higher than 12, the likelihood of obtaining consent drops to ‘negligible’. (Source)

In any case, it is a free consent management solution for publishers. If you wish to apply for the Funding Choices program, fill out the form provided at this link.

2. Blocking Default Data Collection and Targeting in AdX/DFP

By default, the tags on your site pass information to Google (and other ad tech vendors) about a visitor’s session – time spent, posts they engaged with, keywords they searched, etc. Google uses this info to create and continuously refine ‘interest-based categories’. Advertisers use these categories to target ads.

Post-GDPR, you’ll need users’ explicit consent to collect and use this data for ad targeting.

Google AdX and DFP have Blocking Rules so publishers can opt-out of this default data collection/targeting. Check out the Help Center links for blocking 3rd party buyers as well as Google Demand Sources (like DoubleClick Bid Manager) for implementation.

3. Serving Ads Based on Consent

If Funding Choices doesn’t cut it for you, you can create your own consent notices and pass the signals from them to Google. But if you ask for users’ consent after the page (and the ad tags) are done loading, you’re already in violation of privacy rights under GDPR.

To make this work, you’ll have to make some changes in GPT (Google Publisher Tags), AdX, and AdSense ad tags to:

  • Pause ad requests: Ad tags will wait for an explicit signal before firing ad requests. This is useful if you need to wait for the user to interact with a consent UI before an ad request is sent. This will not affect content loading (because tags are asynchronous).
  • Serve personalized ads: Ad tags will issue requests for non-personalized ads if the user opts out of personalization. This is useful if you want to give users a choice between personalized and non-personalized ads.

Make sure to check out this Help Center page for the tags and instructions on how to implement them.
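
The pause-then-request flow described above, sketched as an added example (not code from Google's Help Center or the original post). It uses GPT's `disableInitialLoad()`, `setRequestNonPersonalizedAds()` and `refresh()`; the `createConsentGate` helper and the `CONSENT` values are names assumed for this illustration, and a declined or unrecognized choice leaves ad requests paused.

```javascript
// Added example. `googletag` is injected so the gate can run against a stub;
// in a browser pass window.googletag. CONSENT values are this example's own names.
const CONSENT = Object.freeze({
  PERSONALIZED: "personalized",
  NON_PERSONALIZED: "non_personalized",
  DECLINED: "declined",
});

function createConsentGate(googletag) {
  let requested = false;

  // Pause: with initial load disabled, display() only registers slots and
  // no ad request leaves the page until refresh() is called. This must be
  // queued before the page's own enableServices() call.
  googletag.cmd.push(() => {
    googletag.pubads().disableInitialLoad();
  });

  // Called by the consent UI (hypothetical) once the user has chosen.
  function resolve(choice) {
    if (choice !== CONSENT.PERSONALIZED && choice !== CONSENT.NON_PERSONALIZED) {
      // Declined, dismissed or malformed signal: fail closed, stay paused.
      return "blocked";
    }
    const npa = choice === CONSENT.NON_PERSONALIZED ? 1 : 0;
    googletag.cmd.push(() => {
      // Set the personalization flag before the request it applies to.
      googletag.pubads().setRequestNonPersonalizedAds(npa);
      // refresh() re-requests ads on every call, so only the first decision
      // releases the pause; a later change applies to subsequent requests.
      if (!requested) {
        requested = true;
        googletag.pubads().refresh();
      }
    });
    return npa ? "non_personalized" : "personalized";
  }

  return { resolve };
}
```

In a browser, create the gate with `window.googletag` before any `googletag.display()` call and wire `resolve()` to the consent notice's buttons.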


Any way you slice it, publishers will lose some revenue. It’d be best to prepare for some drop, even if most of your users opt-in to see the ads.

Excessive targeting, as we have previously mentioned, is one of the major factors that drive people to use AdBlock, so be prepared for a lot of opt-outs on ‘personalization’. The revenue drop from switching to contextual ads may be especially steep for entertainment/viral sites, which typically benefit from DSPs’ targeting algorithms.

However, publishers with quality content may be able to restrict access to it in exchange for some consent. For those publishers, the inventory and the data that goes with it could rake in a healthy premium. Just be sure not to waste the advantage of a solid connection with your visitors.