Android app developers have hours left to decide whether to change their business models or leave Google's ad ecosystem because of its stubborn stance on the EU's new Global Data Protection Regulation (GDPR) regulations, due to come into effect tomorrow.
Devs tell us uncertainty over whether they comply with GDPR is forcing some difficult decisions. After 25 May, Google will continue to show personalised ads in mobile apps that haven't been updated, unless the developer turns off their AdSense/AdMob app code.
One dev wrote on Reddit: "It kills me because we comply with so much of the GDPR by design, and just had a little auditing and documentation/legal work to do, but this Google thing's a sticky wicket. We're considering turning the ads off completely right now and going to a straight paid model. It will likely kill the app once and for all, but maybe it's time."
Android devs prepare to hit pause on ads amid Google GDPR chaosREAD MORE
Twitter and other ad networks have handled the issue much more elegantly, developers told us. For example, Twitter's mobile app ad network, MoPub, will turn off non-personalised ads for mobile apps from 25 May for old SDK versions – so every app using MoPub will be compliant. Facebook handles end user data itself, so users of the ad network have nothing to worry about at all from GDPR.
Publishers have said Google's cake-and-eat-it decision to nominate itself as a data "controller" rather than a data "processor" is the problem.
"Your attempt to shift full liability onto publishers for obtaining consent on your behalf as a separate and independent controller is troubling to us," four trade groups representing 4,000 publishers wrote to Google earlier this month.
What's the beef with mobile app ads and Google?
Publishers have complained (see here and here) that Google wants to keep the valuable personal customer data, but pass over liability for data protection – and Google regards app developers as publishers, too.
First time offending companies that fail to comply with GDPR face fines up to €10m or 2 per cent of global turnover, and those that have had their wrists slapped before can be be slapped with a €20m penalty or 4 per cent of turnover. The pre-GDPR maximum fine is £500,000.
In a statement sent to The Register on 10 May, Google said:
"Every publisher that uses our ad technology has the ability to select their preferred providers. Publishers decide which providers they want to work with and the number of vendors they want to select. If they decide not to make a selection, we will apply a list of the most commonly used providers based on those that generate the most revenue for publishers."
App developers who use Google's ad ecosystem for revenue had to obtain consent for showing personalised Google ads in order to comply with GDPR – but Google waited until just three weeks before the deadline to announce a Consent SDK, which it actually released last week. Devs were advised they couldn't test it until GDPR implementation day itself.
Google's 11th-hour Consent SDK allowed app developers to present users with a pop-up requesting consent for personalised ads and non-personalised ads, or diverting the user to a paid version. Arguably this made consent a precondition of using the ad service, something the UK's Information Commissioner's Office advises against. The EU guidelines on consent emphasise that permission under GDPR must be "freely given".
The element "free" implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.
Developers tell us it isn't easy to convert from an ad-supported Android app to a paid Android app.
And there are other issues too. Publishers and app developers can run Google ads as they are, but many use "mediation", where AdMob trawls dozens or even hundreds of ad networks to serve ads. While ad network IronSouce offers mediation, Google offers mediation of just 12 networks.
We asked Google how it plans to retain mobile app customers who use its ad network, and what happens to non-compliant apps in its mobile Play Store, but have not yet received a reply. ®
Sponsored: Ransomware has gone nuclear