Google’s delay on ads standard for EU privacy law creates compliance mess
July 3, 2018
Google’s delayed entry into the consortium of advertising technology companies has spoiled the members’ push to comply with a new European Privacy Law, leaving some firms exposed to fines, media officials said today.
Most at risk are unwitting owners of ad-funded websites and apps, which Google has said, have the responsibility of getting consent to serve targeted ads to European consumers.
The experience shows how Google policy decisions cascade through the $200 billion global online advertising industry, which is dominated in most facets, by the Alphabet Inc unit.
Data about a website visitor’s identity can pass through a dozen ad tech firms before an ad is loaded.
Each one must have user consent or another legal basis to access it under Europe’s General Data Protection Regulation (GDPR).
Hundreds of ad tech firms launched software together a month before GDPR kicked in on May 25 to verify consent before displaying ads.
Google announced on May 22 that it would not join the industry programme until August.
It devised a temporary solution that people said has been imperfect.
As a result, some of Google’s advertising clients are targeting ads to users, who have not given consent to personalised marketing.
Google declined to comment on possible policy violations, instead reiterating that GDPR “is a big change for everyone’’ and that it is working with partners on compliance.
GDPR fines can reach as high as 4 per cent of a firm’s annual revenue.
Four ad tech executives said they are counting on deference from regulators until Google supports the consortium technology.
“Once Google adopts the consent framework, much of the confusion will start to settle down a bit,’’ said Walter Knapp, Chief Executive of ad software company, Sovrn Holdings Inc.
Authorities in France and Germany said they have yet to investigate consent issues related to online ads.
Financial and legal analysts said it is a matter of time.
A crucial issue has involved Google’s DoubleClick Bid Manager (DBM), which large advertisers use to purchase ad space from ad exchanges.
Many websites now present European visitors with pop-ups, asking for consent to send identity data to exchanges and DBM as ad space with user information is far more valuable.
The issue is that DBM cannot yet accept users’ selections because it does not support the consortium standard.
Big exchanges such as AppNexus Inc and Rubicon Project Inc have worked around by guaranteeing that they will only offer ad space on DBM when users have consented.
AppNexus and Rubicon Project declined to specify how they are ensuring compliance.
They told websites it was up to them to block DBM if they cannot meet the guarantee, according to emailed notices seen by Reuters.
It is unclear how many websites have taken the precaution.
“The responsibility lies squarely on the publishers,’’ said Erin Yasgar, a team lead at online advertising advisory firm, Prohaska Consulting.
DBM data last month showed that AppNexus and Rubicon Project did not offer significantly less ad space on DBM after making the consent-only guarantee, according to official sources.
Yet, at least 10 per cent of European users are not giving consent, the executives said.
Google operates a rival exchange, which has spotty enforcement of publishers, according to a Reuter’s review last week of several websites that displayed personalised ads before obtaining permission.