To give some context, Google has been requesting publishers using its ads services (such as the AdSense targeted advertising service or the DoubleClick advertising exchange service) to collect consent in relation to its cookies under the ePrivacy Directive since 2015. It did not provide much help in that regard but referred to the rather simple guidance of the Article 29 Working Party, under which an unambiguous action performed on the website, after the user had been informed of the purposes and of the modular acceptance possibilities for the cookies, was recognized as valid consent.
When things get complicated regarding the acquisition of consent
With the GDPR entering into application, consent becomes a much trickier subject that publishers will need to solve (almost) by themselves. In order to be valid, consent must be a freely given, specific, informed, unambiguous and demonstrable positive act by the persons concerned. One of the difficult parts of meeting this standard is without doubt the fact that the purposes and the data controllers (the entities determining the purposes, meaning named companies, not groups) for which consent is required must be clearly stated before collection.
On its page called EU user consent policy, Google states that “you [the publisher] must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area”. Needless to say, this statement does not help much in the process, except that it implies that the data controller is located outside of the EU, as only end users in the EU are concerned (a data controller established in the EU would have to obtain consent from any individual). One could reasonably think of Google LLC, which is the umbrella organisation for Google services.
Google also adds: “You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data”. In other words, publishers will need to mention Google and its usages of data to ensure that Google may benefit from a valid consent.
When achieving this objective seems like a guessing game
So publishers will need to obtain (and record and store) a valid consent for usages by Google of personal data collected on their website.
- Google does not consider itself as a data controller in all situations (and as a processor it does not need to bother with consent);
- When it does consider itself a data controller (especially for DoubleClick for Publishers, DoubleClick Ad Exchange, AdMob, and AdSense), it does not clarify which company of the group is bearing this responsibility;
- The contracting entity for publishers may very well be a European Google entity for certain services (such as AdSense and AdWords), which does not in itself designate that entity as the data controller but certainly adds some complexity;
- Google does not even state that consents must be collected by publishers explicitly on its behalf for its own usages (which may be a way to avoid taking a clear position on whether or not Google's operations of profiling and displaying targeted ads require consent or, even worse, explicit consent under article 22 of the GDPR).
Finding out for which perimeter one is supposed to collect consent may therefore appear a challenge in itself.
When transparency is paradoxically quite blurred
In its EU user consent policy, Google states that consent is required in relation to “the collection, sharing, and use of personal data for personalization of ads or other services”. Learning more about the usages and other services that result from using Google tools requires a deep dive into the terms and privacy policies of the service(s) concerned.
And to make matters even worse, various other issues which remain unanswered under the GDPR will need to be addressed by publishers: to what extent may publishers incite (drive or force) individuals to give consent? How granular should collection of consent be (per purpose and/or per data controller)? Which actions from the person (a click on a button in the banner or on the website) will be considered positive and unambiguous? What elements are required to prove the consent (its existence and validity)? If you would like to know more, you may want to take a look at the documentation published by Didomi, which aims to provide practical answers to these questions.
Now, to be perfectly honest, other actors in the ad tech sector are not doing better. Most of them have not, to date, finished their job on the road to compliance: publishing an article on how important privacy is and how carefully GDPR is being prepared, sure; amending a few policies and possibly self-certifying under the Privacy Shield framework, sometimes; specifying whether they should be considered a data controller or a processor and proposing adapted contractual clauses, rarely; including these clauses in their general terms and conditions, never (but who would grant an audit right to its clients by default if they are not even asking for it?). It is worth noting, though, that a few entities have provided their publishers with standard quotes to be inserted in consent notices, which is certainly a relief for many publishers.
When Google may be in the process of defusing the bomb
This is just one possible interpretation, yet it seems that certain facts can be deduced from the above:
- Google is asking its publishers to obtain consents on its behalf… under cover of obtaining consents for themselves;
- Google requests consents in relation to the use of data for personalization of ads… without explicitly stating which related uses require such consents;
- Google adopts the point of view of entities located outside of the EU… which is not the case of all publishers or Google companies.
Yet with such ambiguity, if a court action against the parent company kicks in, various options would be available: argue that the defendant is not the responsible entity; claim that the usages in question do not require consent from the persons concerned; or even possibly show that consents have been collected which encompass all usages of personal data by the group...