The trade associations—Digital Content Next, European Publishers Council, News Media Alliance and the News Media Association—say Google is putting their members in a corner as it implements the European Union's General Data Protection Regulation, or GDPR, which takes effect May 25.
Google updated its policy roughly one month ago, saying publishers will use certain data for purposes beyond simply serving ads to their sites, such as testing algorithms, improving user experiences and ensuring the accuracy of its ad forecasting system. Google also spells out certain things it won't do, but publishers say Google hasn't provided enough information for them to solicit consumer consent that meets GDPR criteria, potentially exposing them to liability.
Those found in violation under GDPR face fines of roughly $25 million, or 4 percent of global revenue, whichever is greater.
"Your proposal severely falls short on many levels and seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law," the groups say in the letter.
Google says its terms will let it continue to use publishers' consumer data to test algorithms, maximize publishers' ad income, improve user experiences and ensure the accuracy of its ad forecasting system.
Google operates the largest platform used by marketers to buy ads, the largest ad exchange and the largest platform used by publishers to sell ads. One publishing exec at a major media company told Ad Age that 60 percent of the company's revenue comes through Google; many have built their entire technology around the tech titan's offerings.
"As the major provider of digital advertising services to publishers, we find it especially troubling that you would wait until the last-minute before the GDPR comes into force to announce these terms as publishers have now little time to assess the legality or fairness of your proposal and how best to consider its impact on their own GDPR compliance plans which have been underway for a long time," the letter says. "Nor do we believe that this meets the test of creating a fair, transparent and predictable business environment."
There's not much time left to settle the dispute. Many publishers were waiting on the Interactive Advertising Bureau Europe to release its standards around consumer consent to use their data, a critical aspect of GDPR; the IAB Europe released its standards last week, about one month before the EU deadline for compliance.
Some publishing executives told Ad Age that they had anticipated a cushion of about 6 months after May 25 to become fully GDPR compliant with consent, which is significantly different than the "check this box" process that consumers have become accustomed to. London-based McDermott, Will and Emery said last Monday that 48 percent of survey respondents would not be GDPR compliant by May 25.
Townsend Feehan, CEO of IAB Europe, tells Ad Age there was no consensus that there would be any grace period for publishers to abide by GDPR and notes that it was announced two years before the implementation that now looms.
"The issue of transparency and consent in the digital advertising space is a complex one, and while the Transparency and Consent Framework has been made available quite late in the 24-month grace period, it has not been made available too late," Feehan says. "It has been made ready just in time."
"This doesn't mean however, that companies who have not achieved compliance by May 25 shouldn't strive to implement solutions after the deadline," she adds.
Controller versus processor
Under GDPR guidelines, Google says it acts as a "controller" of personal data, which the EU defines as a body that "alone or jointly with others, determines the purposes and means of the processing of personal data."
In a response to the letter, Google said Monday that its request doesn't give it any more data access than it already has:
Guidance about the GDPR is that consent is required for personalized advertising. We have always asked publishers to get consent for the use of our ad tech on their sites, and now we're simply updating that requirement in line with the GDPR. Because we make decisions on data processing to help publishers optimize ad revenue, we will operate as a controller across our publisher products in line with GDPR requirements, but this designation does not give us any additional rights to their data. We're working closely with our publisher partners and are committed to providing a range of tools to help them gather user consent.
Fatemeh Khatibloo, an analyst at Forrester, tells Ad Age that Google isn't doing anything wrong. "The way they are handling it is on point, but that also puts pubs between a rock and a hard place," she says. "Publishers are on the hook to get consent, but they don't have a ton of control over what Google does with their data after a user leaves their site. And that's the problem."
In their letter, the publishing trade groups suggest that Google should act as a "processor" for certain types of data instead of being a controller. In short, a processor is an organization that deals with personal data as instructed by a publisher for specific purposes and services.
"Your proposal should include full disclosure of the use and purposes of the data received and collected by Google to preserve a true partnership with publishers," the letter says. "Claiming such broad rights over all data in the ecosystem, without full disclosure and without providing publishers the option for Google to act as a processor for certain types of data, appears to be an intentional abuse of your market power."
~ ~ ~
CORRECTION: An earlier version of this article said Google wants publishers using its ad systems to share any consumer data they get and to bear the liability for any GDPR violations. Under the terms, publishers don't need to share all their data and don't necessarily bear full liability for GDPR violations involving Google and their data.