May 25, 2018 is the day the EU General Data Protection Regulation (GDPR) goes into effect in Europe with significant impact on Google. Google discussed its approach in a March 22, 2018 letter, which discussed here

Under GDPR, a controller determines why and how data is processed, while processors do the actual processing on the controller’s behalf. Publishers are typically considered controllers, while third-party entities like mar tech providers are typically considered processors. Google, however, defies simple categorization. Its range of products, platforms and services means that sometimes it’s a processor, sometimes it’s a controller and sometimes it’s a co-controller, which is when two or more controllers jointly decide the manner and purpose of the processing.

Google operates as a controller for some of its most-used ad products, including AdMob, AdSense, AdWords, DoubleClick Ad Exchange (AdX) and DoubleClick for Publishers (DFP). Google classifies itself as a processor for users of tools like Google Analytics, its attribution offering, Ads Data Hub and DoubleClick Bid Manager.

For the full list, see below or at https://privacy.google.com/businesses/adsservices/

Google will introduce new contract terms for DFP, AdX, AdSense and AdMob that will designate it as a co-controller of user data, meaning Google will have some control over how data is processed and share the responsibility for protecting it. Google will bear the burden of gathering consent for data collection from its own first-party users across Gmail, YouTube, and Google.com. Publishers and advertisers that use Google’s ad offerings will have to get consent from their own users to do so. Google will not be able to carry over the consent it collects from its consumer-facing products for any other purpose.

Google already required advertisers and publishers that take advantage of Google’s ad services to get consent from their own end users, but Google is now updating its EU user consent policy to reflect the more stringent legal requirements under GDPR. For example, any site, app or property that uses Google products must obtain the end user’s legally valid consent to use cookies, collect data or share data for ad personalization. The updated policy is being woven into the contracts for the majority of Google’s ad and measurement products.

Google is also rolling out several product changes to help “support your compliance,” as Google wrote in its letter There is the planned launch of a solution to help publishers show non-personalized ads to people who opt out of data collection for targeting – which sounds a lot like contextual targeting. There are new controls across AdMob, DFP and AdX programmatic transactions and AdSense for games and content that let publishers and advertisers manage which third parties can measure and serve ads for EU citizens; a tool for Google Analytics users to better manage data retention and deletion; and some unspecified “steps” to limit the processing of PII for children.

There was no mention of ePrivacy or its possible implications in Google’s note to partners, but the impact is still worth considering. E-Privacy is waiting behind the GDPR. The ePrivacy directive for electronic communications in Europe is not yet finalized. But when it does come into law, likely in the months after GDPR in May, it might remove the concept of legitimate interest as a legal basis for processing data without consent. The lack of a legitimate interest clause under ePrivacy might, for example, require cookie consent to use a third-party analytics platform like Google Analytics.

 

Google March 22, 2018 Letter

Dear Partner,

Over the past year, we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force onMay 25, 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA).

Today we are sharing more about our preparations for the GDPR, including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements.

Updated EU User Consent Policy

Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users of your sites and apps in the EEA. The policy is incorporated into the contracts for most Google ads and measurement products globally.

Contract changes

We have been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.

In the cases of DoubleClick for Publishers (DFP), DoubleClick Ad Exchange (AdX), AdMob, and AdSense, Google and its customers operate as independent controllers of personal data that is handled in these services. These new terms provide clarity over our respective responsibilities when handling that data and give both you and Google protections around that controller status. We are committing through these terms to comply with our obligations under GDPR when we use any personal data in connection with these services, and the terms require you to make the same commitment.

• Shortly, we will introduce controller-controller terms for DFP and AdX for customers who have online terms.
• By May 25, 2018, we will also introduce new terms for AdSense and AdMob for customers who have online terms.

If you use Google Analytics (GA), Attribution, Optimize, Tag Manager or Data Studio, whether the free or paid versions, Google operates as a processor of personal data that is handled in the service. Data processing terms for these products are already available for your acceptance (Admin → Account Settings pages). If you are an EEA client of Google Analytics, data processing will be included in your terms shortly. GA customers based outside the EEA and all GA 360 customers may accept the terms from within GA.

Product changes

To comply, and support your compliance with GDPR, we are:

• Launching a solution to support publishers that want to show only non-personalized ads.
• Launching new controls for DFP/AdX programmatic transactions, AdSense for Content, AdSense for Games, and AdMob to allow you to control which third parties measure and serve ads for EEA users on your sites and apps. We’ll send you more information about these tools in the coming weeks.
• Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
• Launching new controls for Google Analytics customers to manage the retention and deletion of their data.
• Exploring consent solutions for publishers, including working with industry groups like IAB Europe.

Find out more

You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms.

If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks.

Thanks,
The Google Team

 

Google Ads Data Protection Terms: Service Information  https://privacy.google.com/businesses/adsservices/

Controller Terms

Controller Services

The following Google services are eligible to be in scope of the Google Ads Controller-Controller Data Protection Terms:

·         AdMob

·         AdSense

·         AdWords: All AdWords programmes and services accessible to customers through their AdWords accounts, except for those AdWords programmes and services that can be in scope of the Google Ads Data Processing Terms, as listed below.

·         DoubleClick Ad Exchange

·         DoubleClick For Publishers

·         Google Customer Reviews

Google may update this list from time to time, subject to the terms of the Google Ads Controller-Controller Data Protection Terms.

Data Processing Terms

Processor Services

The following Google services are eligible to be in scope of the Google Ads Data Processing Terms:

·         Ads Data Hub

·         AdWords Customer Match

·         AdWords Store sales (direct upload)

·         DoubleClick Bid Manager

·         DoubleClick Campaign Manager

·         DoubleClick Search

·         Google Analytics

·         Google Analytics 360 (formerly known as Google Analytics Premium)

·         Google Analytics for Firebase

·         Google Attribution

·         Google Attribution 360

·         Google Data Studio

·         Google Optimize

·         Google Optimize 360

·         Google Tag Manager

·         Google Tag Manager 360

Google may update this list from time to time, subject to the terms of the Google Ads Data Processing Terms.

Types of personal data

In relation to the Google Ads Data Processing Terms, Customer Personal Data may include the following types of personal data (as applicable, depending on the Processor Services provided under the Agreement).

Processor Service	Types of Personal Data
Ads Data Hub	Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers
AdWords Customer Match	Names, email addresses, addresses and partner-provided identifiers
AdWords Store sales (direct upload)	Names, email addresses, phone numbers and addresses
DoubleClick Bid Manager	Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers
DoubleClick Campaign Manager	Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; precise location data; client identifiers
DoubleClick Search	Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers
Google Analytics	Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers
Google Analytics 360 (formerly known as Google Analytics Premium)	Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers
Google Analytics for Firebase	Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers
Google Attribution	Online identifiers, including cookie identifiers and device identifiers; client identifiers
Google Attribution 360	Online identifiers, including cookie identifiers and device identifiers; client identifiers
Google Data Studio	Data relating to individuals provided to Google via the service by (or at the direction of) Customer, including to create and collaborate on reports, graphs and charts
Google Optimize	Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers
Google Optimize 360	Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers
Google Tag Manager	Online identifiers, including cookie identifiers and internet protocol addresses
Google Tag Manager 360	Online identifiers, including cookie identifiers and internet protocol addresses

Google may update this list from time to time to reflect changes to the types of personal data handled by the Processor Services.

Contribution Magdalena A K Muir