Publishers tell Google: We're not your consent lackeys

Publishers have slammed Google's updated ad policies, accusing it of passing the buck – and the liability for multimillion-pound fines – onto them, while offering insufficient detail on its plans for user data.

As the European Union's General Data Protection Regulation draws ever closer, tech firms are refreshing various policies in an effort to be seen as compliant. The bigger the firm is, the more worried it will be about being made an example when the headline-making fines can be dished out.

However, the benefit to being part of the tech oligopoly is that these firms have more resources to throw at the problem, and will find it easier to push other companies around – at least that's the argument publishers are making after getting a look at Google's proposals for ad policies, which were revealed in March.

That's because – despite being intensely unhappy with the plans – many newspapers and digital media outlets get huge chunks of their programmatic advertising revenue from Google. They could switch to other vendors, but it's not likely to be an attractive alternative for the industry.

And so publishers are looking to force Google to adjust its position. In a letter (PDF) sent to Google boss Sundar Pichai yesterday, four trade associations – Digital Content Next (DCN), European Publishers Council, News Media Alliance and News Media Association – detailed their concerns about the proposal, which they claimed "severely falls short".

"[The proposal] seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law," the letter stated.

The group represents around 4,000 newspapers and magazines, including Reuters, the Associated Press, The Guardian and Bloomberg.

They have three broad concerns, which appear to have been informed by a legal analysis (PDF) commissioned by DCN last month: Google's wish to be a controller rather than a processor; its requirement that publishers obtain consent for processing on its behalf; and that the move puts the liability for non-compliance onto publishers.

Controllers and consent

Under the GDPR, organisations can be controllers or processors.

While a processor processes data on behalf of a data controller, a controller determines the purposes for, and the manner in which, personal data is processed. Being a controller allows Google to make decisions regarding how the data that is received from publishers and collected on publishers' pages is used.

The publishers have tried to argue that it would be more logical for Google to be a processor – asking whether the firm has sought guidance from regulators on their decision – but even they acknowledged that in some cases Google will be considered a controller.

Nonetheless, they maintained: "It should not be considered a controller over all data that it receives from publishers or collects on publisher pages in connection with advertising services provided to publisher."

Underlying this complaint is what the publishers say is a lack of information about what Google plans to do with this data.

Google, they said, is claiming "broad rights over all data in the ecosystem" without full disclosure and without giving publishers the option for Google to act as a processor for some types of data. This, they added, "appears to be an intentional abuse of [its] market power".

Meanwhile, Google has proposed it will rely on affirmative, express consent as the legal basis for this processing – and that it wants publishers to obtain this from their users on its behalf.

Although publishers are currently required to get consent from their end users, the GDPR sets a higher bar for consent, requiring that it is freely given, specific and granular.

Google's new policy has stated that publishers must obtain end users' legally valid consent for the "collection, sharing, and use of personal data for personalisation of ads or other services".

But the publishers branded this as Google asking them to get "broad and blanket consent" without offering up any more detail about these "other services" – without this they question how they will be able to comply.

"Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular, and informed consent under the GDPR," the letter stated.

Moreover, if Google deems publishers' consent mechanisms insufficient, it has said it may stop serving ads on the sites – but the group argued that Google hadn't been clear enough on what a valid user experience for gaining consent would be, or what processes it would use to review compliance.

A further issue is that even if Google wants to rely on consent as the legal basis for processing the data it collects, that shouldn't presuppose the legal basis a publisher might have in collecting and using that same data.

These may be different from Google's, as publishers will have different purposes and interests for participating in the digital advertising ecosystem than Google, the letter pointed out – for instance, some may want to rely on legitimate interests.

"Yet, Google's imposition of an essentially self-prescribed one-size-fits-all approach doesn't seem to take into account or allow for the different purposes and interests publishers have," it said.

The final point the publishers took issue with was Google's apparent desire to push the liability for gaining consent onto them – as this could see them facing fines that will rise to up to 4 per cent of global turnover or €20m once GDPR comes into effect in 24 May.

"Your attempt to shift full liability onto publishers for obtaining consent on your behalf as a separate and independent controller is troubling to us," the letter said.

The proposal's contractual structure "improperly reallocates responsibility and liability" onto publishers, it said, which could see them taking the "full brunt of a regulatory or private action penalties... despite the fact that the publishers must obtain such consent in the absence of sufficient information regarding Google's intended practices".

They said this amounts to a "take it or leave it" approach and called on Google to revise the proposal to include mutual indemnification provisions and limitations on liability.

Google didn't immediately respond to a request for comment. ®