Four publisher groups to Google: Your GDPR proposal ‘severely falls short’

In March, Google issued some indications of how it intends to comply with the EU’s General Data Protection Regulation (GDPR), going into effect in about a month.

Now, four major publisher trade groups have released a five-page joint letter to Google CEO Sundar Pichai with a basic message: nope.

The groups are Digital Content Next, European Publishers Council, News Media Alliance and the News Media Association. Their joint membership of about 4,000 newspapers and magazines, mostly in North America and Europe, includes Condé Nast, the Associated Press, The New York Times, The Guardian, Bloomberg, Thomson Reuters and Axel Springer.

Google’s intended policy is being assessed from an AdWords post in March, a preview of Google’s approach in a Wall Street Journal story, a DoubleClick for Publishers help page and a few other indications.

Essentially, the tech giant is telling publishers that they are responsible for getting consent from their EU visitors if Google ads are served on their sites. Additionally, the publisher groups say in the letter, they will have to share that personal data with Google, which won’t reveal how it intends to use that info, and liability for violations reside with the publishers.

“Your proposal severely falls short on many levels,” the letter reads in part, “and seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law.”

‘A certain arrogance’

The letter continues to say that it is “especially troubling that you would wait until the last-minute before the GDPR comes into force to announce these terms,” leaving publishers — most of whom are heavily dependent on Google’s ad platform — with little time to assess the impact.

Some industry-watchers think Google’s upper hand in this will only be challenged by GDPR regulators.

“Google’s market dominance allows it to dictate the terms of GDPR,” Forrester Senior Analyst Susan Bidel told me via email, “and the terms it is choosing disadvantage smaller entities, like publishers, in favor of its own continued dominance.”

But, she added, unless the GDPR regulators intervene, it’s doubtful “that publisher protests will yield any measurable change in Google’s approach.”

“This indicates a certain arrogance [by Google] as being the only significant game in town for their customers,” security firm CSPi VP and GM Gary Southwell told me in an email. He noted that the audience for this letter is the GDPR regulatory structure as much as it is Google.

Google has also said it sees itself as a “controller,” which determines the means and purposes for processing the personal data, while the publishers want the tech company to qualify itself as a processor in at least some situations.

This is a key issue, Southwell points out. “If Google is the ‘processor,’ it’s hard for them to push the burden on their customers [that is, the sites] and take no responsibility as they appear to be attempting.”

‘High stakes for publishers’

Southwell said Google is “virtually begging” the GDPR administrators to issue a clarification on this, adding that it won’t likely end up in its favor. He says there is a joint responsibility for managing the data, between publishers and Google.

Digital policy consultant Kristina Podnar (who also consults for us, Third Door Media) told me that she doesn’t think “publishers have much of a choice on this matter, at least in the short term.”

“Long-term,” she added, “I think there will be different options as both Google and publishers settle into a different controller-processor-controller paradigm [than] is required under GDPR.”

Gartner VP Andrew Frank said that the publishers’ responses show the law’s ambiguities and the “high stakes for publishers,” but it’s less important to Google, “which is not highly dependent on publishers for data or even media.” Google, he said, could give publishers the option for the tech giant to act as a controller or a processor.

Google provided us with this statement:

Guidance about the GDPR is that consent is required for personalized advertising. We have always asked publishers to get consent for the use of our ad tech on their sites, and now we’re simply updating that requirement in line with the GDPR. Because we make decisions on data processing to help publishers optimize ad revenue, we will operate as a controller across our publisher products in line with GDPR requirements, but this designation does not give us any additional rights to their data. We’re working closely with our publisher partners and are committed to providing a range of tools to help them gather user consent.

Another major — and fairly last-minute —  GDPR-related release was the recently unveiled Interactive Advertising Bureau’s (IAB) framework for viewer consent to programmatically delivered ads. It similarly places the burden of obtaining consent on publishers, with each visitor’s chosen consent profile conveyed to participating exchanges and advertisers when the ad call is made from a page.

Similarly, Digital Content Next was among those blasting the IAB proposal as being an advertiser-oriented burden on publishers.