Connect with us

GDPR: Google changes the consent policy in European Union

Data

GDPR: Google changes the consent policy in European Union

The current Google´s EU user consent policy has less than 900 characters and in bold we can read that publishers need to “obtain consent to, any data collection, sharing and usage” and “consents to, the storing and accessing of cookies.” The new Google´s EU user consent policy doubles the number of characters due to the changes on GDPR. The new Google´s EU user consent policy starts on May 25, 2018;  publishers will have to “obtain end users legally valid consent to the use of cookies or other local storage where legally required; and the collection, sharing, and use of personal data for personalization of ads or other services.” 

According to the Google Ads Data Protection Terms, Google will act as a controller or as a processor and controller, depending on the service. In these terms, Google revealed what is collecting on each service and where is acting as a controller and as a controller and processor:

Google as a Controller

AdSense; AdWords (All AdWords programmes and services accessible to customers through their AdWords accounts, except for those AdWords programmes and services that can be in the scope of the Google Ads Data Processing Terms, as listed below), DoubleClick Ad Exchange, DoubleClick For Publishers, Google Customer Reviews.

Google as a Controller and as a Processor

Ads Data Hub: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; email addresses;
AdWords Customer Match: Names, email addresses, addresses and partner-provided identifiers;
AdWords Store sales (direct upload): Names, email addresses, phone numbers, and addresses;
DoubleClick Bid Manager: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; precise location data; client identifiers;
DoubleClick Campaign Manager: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; precise location data; client identifiers;
DoubleClick Search: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers;
Google Analytics: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; client identifiers;
Google Analytics 360 (formerly known as Google Analytics Premium): Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; client identifiers;
Google Analytics for Firebase: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; client identifiers;
Google Attribution: Online identifiers, including cookie identifiers and device identifiers; client identifiers;
Google Attribution 360: Online identifiers, including cookie identifiers and device identifiers; client identifiers;
Google Data Studio: Data relating to individuals provided to Google via the service by (or at the direction of) Customer, including to create and collaborate on reports, graphs and charts;
Google Optimize: Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers;
Google Optimize 360: Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers;
Google Tag Manager Online identifiers, including cookie identifiers and internet protocol addresses;
Google Tag Manager 360 Online identifiers, including cookie identifiers and internet protocol addresses;

The differences between processor and controller

On the EU legislation about GDPR, we can read the differences between a controller and a processor. Google in the basic products will act as a controller and in the more advanced products will act as a controller and a processor:

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

How to ask consent?

Google still didn’t go on specifics how publishers should ask the consent, informing how users can disable personalization of ads, but in a recent product change announcement, Google said that will introduce changes on Adsense “to support publishers that want to show only non-personalized ads;”

According to EU law, “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” And this opens the door for Google to ask publishers for the consent:

EU user consent policy until May 25, 2018

When using Google products that incorporate this policy, certain disclosures must be given to and consents obtained from end users in the European Union where EU data protection law requires such disclosures and consents.

For end users in the European Union:

  • You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and
  • You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies.

EU user consent policy after May 25, 2018

If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.

Properties under your control
For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must:

  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.

Properties under a third party’s control
If personal data of end users of a third party property is shared with Google due to your use of, or integration with, a Google product, then you must use commercially reasonable efforts to ensure the operator of the third party property complies with the above duties. A third party property is a site, app or other property that is not under your, your affiliate’s or your client’s control and whose operator is not already using a Google product that incorporates this policy.

1 Comment

Leave a Reply

To Top