Industry News & Views

Google’s AdSense Changes Do Not Automatically Protect You or Comply with GDPR

By June 29, 2018 No Comments

You have no doubt seen the blizzard of announcements from Google – updates covering the General Data Protection Regulation (GDPR) and the e-Privacy Directive. These include their new EU User Consent Policy, support center documents and FAQs.

Google of course has worked to ensure their own conformance and while claiming to have done the same for their publishing and advertising customers and partners, gaping holes remain. On a macro level, these are evidenced by the new tensions between Google and France’s media and advertising industries following Google’s last-minute changes to its GDPR policy which caused havoc in the European ad market. These have now escalated to the point where the French media plan to meet with government over Google-GDPR concerns.

On a micro level, if you’re a digital publisher using Google AdSense, you’ll be required by your contract with Google to fulfill regulatory obligations, giving visitors to your site or apps, information about the use and sharing of their personal data, about the use of cookies, tags or code from third-party advertising services and gain explicit consumer consent for these as well as your use of Adsense on your site(s).

What you need to know specifically however, with respect to AdSense, is that it can be configured to use both behavioral and contextual targeting but that the default is behavioral. In other words, Adsense by default collects information on an individual’s web-browsing activity to select which advertisements to display to that individual. The data captured is not only accessible by you but of course by Google, as well some 199 Google partners.

So if you have relied on Google to take care of this, they have not. It’s down to you to configure your own use of Adsense to ensure you are conforming to GDPR regulations. And take it from me; that’s no small task to get right:

  • In addition to disclosing all the other businesses that potentially have access to personal information and getting consent to record it, you also have to provide a way to revoke that consent, and a way to delete all that information on demand. In other words, to become GDPR compliant, you need to implement additional new features that allow users to delete their personal information such as their email address along with any links or other information the consumer wants removed. In essence allowing the consumer to be “forgotten”. This is not easy to do.
  • Then, if you use plugins for tools such as marketing automation, customer support or chat widgets, etc. you will have to go through this whole process again with each of these products to again give consumers a way to delete their personal information and all other data such as support tickets.

In totality, it’s a huge amount of work. Getting the initial consent up front is trivial by comparison!

So what are the options for Adsense users. As highlighted by an article in Digiday from Jessica Davies, you can join others who have switched their advertising strategy to use contextual targeting.  Contextual uses things like keyword analysis and word frequency in order to determine what a webpage is about and matches ads to each page. Its way less onerous in Adsense from a GDPR perspective as compared too behavioral advertising as its non-personalized. Ads do not use cookies for personalization but they still use cookies for other reasons including combating fraud and abuse. Remember under GDPR, consumer consent is still required to use these cookies in countries where the ePrivacy Directive’s cookie provisions apply.

That said, there can be a severe revenue hit using contextual over behavioral targeting, especially if your business is primarily EU based. Behavioral targeting can double or triple ad revenues or more. So even with GDPR, behavioral targeting  can be critical for the very survival of many businesses. If you choose to take this route, I would urge you to undergo a data mapping exercise to understand what personal data you capture, how it flows through your systems and how it is used. You can then take the necessary steps to cover any GDPR requirements that are uncovered. Until this exercise is complete, I would recommend you switch your Adsense default to use contextual targeting. Though painful, it’s the only way you can guarantee that you don’t run afoul of the regulations.

Leave a Reply

Share This