Google’s GDPR Policy Delays Throw Digital Media Into Disarray

Since GDPR came into effect last year, Google has been at the center of two connected issues around resolving identity in digital marketing.

First, it planned to remove the DoubleClick ID (now the Google ID) from its log files, preventing ad tech and analytics companies from using the ID to track campaigns across the web. Google is critical there because it serves most online ads. The policy is enforced in Europe for GDPR compliance and was initially set to roll out worldwide by the start of this year, but last September Google quietly pushed its enforcement deadline to 2020 at the earliest.

The second problem is Google’s incompatibility with the IAB Europe’s Transparency and Consent Framework (TCF), which publishers and mar tech companies have backed as a way to pass consent and privacy notices up the ad supply chain. When GDPR became law last May, Google said it would integrate with the TCF by the end of the summer. But Google missed its self-imposed deadline, and now seems further from reaching an agreement with the industry group.

This holding pattern is comfortable for Google, which maintains its unchecked share of the European ad market – both as a supplier and ad buyer – and allows consent to be passed seamlessly within its tech stack. (Though the French enforcement agency CNIL is challenging that supposition.)

But for publishers, ad tech vendors and agencies, Google’s delays mean chaos and confusion.

ID … or not ID?

Google’s decision to restrict its identity technology to Ads Data Hub (ADH), a cloud product where marketers can use the Google ID but can’t extract any data, is beset by competing interests.

It makes sense for Google to globalize its GDPR policy as more countries adopt privacy laws that enable people to access their online ad data or prevent targeting without consent.

But Google has continuously postponed its global ID policy. Initially set for early 2019 so as not to upend the Q4 holiday season, Google then pushed it back another year to minimize ad server losses and give privacy laws a chance to materialize.

The online advertising ecosystem is using that year to prepare for a world without the Google ID.

“The uncertainty around the [Google ID delay] has created a push for people running big mar tech stacks to diversify so they don’t have too much exposure to a Google policy change,” said Bill Simmons, dataxu’s co-founder and CTO.

Salesforce went the partner route, integrating with ADH as the only API that can pipe Google Analytics data out of the Google cloud – an agreement that works because Salesforce doesn’t serve ads or compete with Google’s ad tech. Adobe expanded its first-party identity last year with the acquisitions of Marketo, a B2B data company, and the ecommerce platform Magento. And agency holding companies beefed up their data assets too, like IPG’s $2.3 billion deal for Acxiom Marketing Solutions or Dentsu building the Merkle M1 identity data business.

Executives from independent ad servers Flashtalking, Sizmek and Thunder said they have all seen a swell of advertisers layering third-party tags into Google campaigns, keeping duplicate measurement tags to ensure some continuous identity data after the Google ID is revoked.

“That kind of backup tracking is popular now because people don’t know what Google will be doing,” said Victor Wong, Thunder’s founder and CEO. When Google cuts off the ID or if a brand decides to switch from Google’s ad server, the backup analytics will still be running.

The consent conundrum

Google faces an even thornier challenge integrating its identity-based consent with the IAB consent framework.

Google and the IAB Europe’s GDPR consent policy working group spent months last summer circling an agreement to standardize consent across Google and the open ecosystem. But the two sides weren’t able to meet in the middle, largely because the industry group has more flexible interpretations of legitimate interest, when publishers can claim the right to use data as a core part of their service.

For instance, all sides agree that fraud detection is legitimate grounds to collect user data without explicit consent. But many publishers consider legitimate interest a basis for things like contextual ad targeting or campaign measurement, while Google does not. Some IAB publishers interpret someone scrolling a page as consent even if they don’t click “Yes” on a pop-up request.

Google isn’t going to connect with the IAB if publishers and vendors in its framework could expose the company to GDPR violations.

Google and the IAB Europe reached an informal consensus last year, said Somer Simpson, Quantcast’s director of product and privacy and member of the GDPR policy working group.

But that delicate balance was upset by the addition of news companies. The initial TCF didn’t include provisions for legitimate interest that publishers wanted, so last fall the working group added Axel Springer, the largest European news company, distancing the group from Google.

The 50 million euro fine levied last month by the CNIL, the French data protection authority, won’t shift Google’s bottom line or its data collection, but it does shift the odds against Google integrating with the IAB Europe framework, which only looks riskier now that EU regulators are sharpening the definitions of legitimate interest and consent.

Will it ever happen?

Publishers and ad tech vendors have won GDPR policy concessions from Google before. Google initially capped the number of tech vendors a publisher could collect consent data for at 12, but reversed course when publishers demanded more flexibility.

But Google hasn’t budged on issues where its compliance standards don’t sync with the rest of the industry (having dozens of ad tech vendors will lower a publisher’s consent rate, but it isn’t necessarily a GDPR violation).

“These should be short-term discomforts,” wrote Ivan Ivanov, COO of the European publisher ad tech startup PubGalaxy, in an AdExchanger column last September. “Once Google is included in the IAB vendor list and the industry begins to get a handle on the consent process, the way forward should be smoother and the GDPR can begin to take effect in the way it was intended.”

It’s impossible to predict when and how Google will rationalize its data and identity policies. And another GDPR penalty or new law like those passed in California and Vermont could shake up Google’s deadlines yet again. But like a horse shaking off its rider, it isn’t Google that suffers, even when Google pays the fine.

This post was syndicated from Ad Exchanger.