EU Data Privacy Regulations Could Give Google More Power

(Bloomberg) -- The disingenuous way companies are attempting to comply with the letter, not the spirit, of the European Union’s General Data Protection Regulation is only part of the problem with the new privacy rule, which goes into effect May 25. For publishers already forced to accept Google’s near monopoly on programmatic advertising on their sites, the new regulation could make things worse.

Google has altered its ad policies to comply with the GDPR. The changes affect all businesses running its ad modules or using the U.S. company’s programmatic advertising tools offered under the DoubleClick umbrella brand, which is the biggest digital advertising platform. Most publishers sell their inventory through Google, and many derive a majority of their revenue from Google-run services. Now, Google has told them it intends to act as controller of any personal data provided by the publishers under the GDPR. That means the internet giant will need publishers to obtain consent from readers or subscribers for its use of the data. The publishers will essentially have no say about how Google uses the data they hand over. The important thing is that if they fail to obtain consent, Google won’t serve ads on their sites.

The GDPR defines a data controller as an entity that decides how and for what purpose data will be processed; it can use “data processors” to do it on its behalf. For example, a publisher that has collected a detailed subscriber database and now wants to target ads to the subscribers is a data controller, and the provider of the targeted advertising solution is the processor.

That’s not how Google wants to play it: It intends to control the data. This creates a trust problem for publishers. They aim to build close, sometimes emotional relationships with readers, listeners and viewers. But under Google’s terms, they’ll have to tell these customers explicitly that their data will be handed over to a third party, Google, without specifying what Google will do with it. 

That is what happened before the GDPR, too: Publishers’ and advertisers’ troves of information about their customers have always been a major source for Google, Facebook and other data harvesters. But the customers weren’t told about it so clearly, or asked so explicitly if it was acceptable to them. Now, Google is essentially demanding a coming out about these practices. Given the indignation of media about privacy in recent months, this will look more than a little hypocritical.

Several publishers’ associations, which between them represent many of the biggest media companies with operations in Europe, have sent a letter to Google Chief Executive Officer Sundar Pichai that lays out publishers’ objections to this arrangement.

“Claiming such broad rights over all data in the ecosystem, without full disclosure and without providing publishers the option for Google to act as a processor for certain types of data, appears to be an intentional abuse of your market power,” the letter says. “At the same time, you refuse to provide publishers with any specific information about how you will collect, share and use the data. Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular, and informed consent under the GDPR.”

Google, for its part, maintains that any data a publisher or advertiser provides to its marketing tools are isolated and only used to target ads for the particular client. But that doesn’t make it easier for a publisher to sell a reader on the idea of giving private information to Google, the giant information vacuum cleaner, not to her favorite news site. The search company has promised to “offer a solution to support publishers that want to show non-personalized ads,” but that solution hasn’t been presented yet. In their letter, the publishers ask Pichai to explain how it will work and whether it will allow them to run Google-served ads without obtaining consent from users.

In a way, the drafters of the GDPR deserve kudos for creating this controversy. Many internet users have given little thought to how exactly their data get harvested without their explicit consent. Now, they’ll see that even when they give information to their favorite publication (or a store they frequent, or pretty much any other organization), there is a strong likelihood it will end up with Google and Facebook. 

That, however, doesn’t make things easier for publishers, which have come to depend on Google for advertising revenues just like many ordinary users have accepted Google’s search monopoly. There aren’t many places for them to go unless they help Google comply with the GDPR.

Non-targeted advertising — yes, the kind we saw in the old days, when printed newspapers and free-to-air TV were our top news sources — is the honest solution: It could reassure readers that, to the news providers, they are valued customers, not a product to be bought and sold. But would advertisers go for it or would it mean the loss of even more advertising revenue for publishers? Advertisers are already used to the promise of targeting, even if they can’t be sure it works as well as Google and Facebook claim.

The entire ecosystem — the big data harvesters, the advertisers, the content producers — is complicit in the current privacy-destroying business model. Different models, from ad-free subscription-based options to ones that pay people to see ads, exist, but they would have to be much more broadly accepted to make them industry standards. 

In the end, the responsibility lies with us, the readers, the customers. If we refuse to endorse the prevalent business model, in which we are the product, not a principal, and if we withhold our consent to the commercial use of our data, the industries will be forced to offer us different models. The GDPR gives us the power to start changing things; it’s likely that we’ll squander it, but at least we should know we have it for a brief moment now.

To contact the author of this story: Leonid Bershidsky at lbershidsky@bloomberg.net.

©2018 Bloomberg L.P.