Publishers tell Google: We're not your consent lackeys

GDP-argh! Trade groups say ad biz must clarify data use, take share of liability

Publishers have slammed Google's updated ad policies, accusing it of passing the buck – and the liability for multimillion-pound fines – onto them, while offering insufficient detail on its plans for user data.

As the European Union's General Data Protection Regulation draws ever closer, tech firms are refreshing various policies in an effort to be seen as compliant. The bigger the firm is, the more worried it will be about being made an example when the headline-making fines can be dished out.

However, the benefit to being part of the tech oligopoly is that these firms have more resources to throw at the problem, and will find it easier to push other companies around – at least that's the argument publishers are making after getting a look at Google's proposals for ad policies, which were revealed in March.

That's because – despite being intensely unhappy with the plans – many newspapers and digital media outlets get huge chunks of their programmatic advertising revenue from Google. They could switch to other vendors, but it's not likely to be an attractive alternative for the industry.

And so publishers are looking to force Google to adjust its position. In a letter (PDF) sent to Google boss Sundar Pichai yesterday, four trade associations – Digital Content Next (DCN), European Publishers Council, News Media Alliance and News Media Association – detailed their concerns about the proposal, which they claimed "severely falls short".

"[The proposal] seems to lay out a framework more concerned with protecting your existing business model in a manner that would undermine the fundamental purposes of the GDPR and the efforts of publishers to comply with the letter and spirit of the law," the letter stated.

The group represents around 4,000 newspapers and magazines, including Reuters, the Associated Press, The Guardian and Bloomberg.

They have three broad concerns, which appear to have been informed by a legal analysis (PDF) commissioned by DCN last month: Google's wish to be a controller rather than a processor; its requirement that publishers obtain consent for processing on its behalf; and that the move puts the liability for non-compliance onto publishers.

Controllers and consent

Under the GDPR, organisations can be controllers or processors.

While a processor processes data on behalf of a data controller, a controller determines the purposes for, and the manner in which, personal data is processed. Being a controller allows Google to make decisions regarding how the data that is received from publishers and collected on publishers' pages is used.

The publishers have tried to argue that it would be more logical for Google to be a processor – asking whether the firm has sought guidance from regulators on their decision – but even they acknowledged that in some cases Google will be considered a controller.

Nonetheless, they maintained: "It should not be considered a controller over all data that it receives from publishers or collects on publisher pages in connection with advertising services provided to publisher."

Underlying this complaint is what the publishers say is a lack of information about what Google plans to do with this data.

Google, they said, is claiming "broad rights over all data in the ecosystem" without full disclosure and without giving publishers the option for Google to act as a processor for some types of data. This, they added, "appears to be an intentional abuse of [its] market power".

Meanwhile, Google has proposed it will rely on affirmative, express consent as the legal basis for this processing – and that it wants publishers to obtain this from their users on its behalf.

Although publishers are currently required to get consent from their end users, the GDPR sets a higher bar for consent, requiring that it is freely given, specific and granular.

Google's new policy has stated that publishers must obtain end users' legally valid consent for the "collection, sharing, and use of personal data for personalisation of ads or other services".

But the publishers branded this as Google asking them to get "broad and blanket consent" without offering up any more detail about these "other services" – without this they question how they will be able to comply.

"Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular, and informed consent under the GDPR," the letter stated.

Moreover, if Google deems publishers' consent mechanisms insufficient, it has said it may stop serving ads on the sites – but the group argued that Google hadn't been clear enough on what a valid user experience for gaining consent would be, or what processes it would use to review compliance.

A further issue is that even if Google wants to rely on consent as the legal basis for processing the data it collects, that shouldn't presuppose the legal basis a publisher might have in collecting and using that same data.

These may be different from Google's, as publishers will have different purposes and interests for participating in the digital advertising ecosystem than Google, the letter pointed out – for instance, some may want to rely on legitimate interests.

"Yet, Google's imposition of an essentially self-prescribed one-size-fits-all approach doesn't seem to take into account or allow for the different purposes and interests publishers have," it said.

The final point the publishers took issue with was Google's apparent desire to push the liability for gaining consent onto them – as this could see them facing fines that will rise to up to 4 per cent of global turnover or €20m once GDPR comes into effect in 24 May.

"Your attempt to shift full liability onto publishers for obtaining consent on your behalf as a separate and independent controller is troubling to us," the letter said.

The proposal's contractual structure "improperly reallocates responsibility and liability" onto publishers, it said, which could see them taking the "full brunt of a regulatory or private action penalties... despite the fact that the publishers must obtain such consent in the absence of sufficient information regarding Google's intended practices".

They said this amounts to a "take it or leave it" approach and called on Google to revise the proposal to include mutual indemnification provisions and limitations on liability.

Google didn't immediately respond to a request for comment. ®

Similar topics

Other stories you might like

  • The future: Windows streaming through notched Apple screens

    Choice is the word for Jamf's Dean Hager

    Interview As Apple's devices continue to find favour with enterprise users, the fortress that is Windows appears to be under attack in the corporate world.

    Speaking to The Register as the Jamf Nation User Conference wound down, the software firm's CEO, Dean Hager, is - unsurprisingly - ebullient when it comes to the prospects for Apple gear in the world of suits.

    Jamf specialises in device management and authentication, and has long been associated with managing Apple hardware in business and education environments. In recent years it has begun connecting its products with services such as Microsoft's Azure Active Directory as administrators face up to a hybrid working future.

    Continue reading
  • There’s a wave of ransomware coming down the pipeline. What can you do about it?

    AI can help. Here’s how…

    Sponsored The Colonial Pipeline attack earlier this year showed just how devastating a ransomware attack is when it is targeted at critical infrastructure.

    It also illustrated how traditional security techniques are increasingly struggling to keep pace with determined cyber attackers, whether their aim is exfiltrating data, extorting organisations, or simply causing chaos. Or, indeed an unpleasant combination of all three.

    So, what are your options? More people looking for more flaws isn’t going to be enough – there simply aren’t enough skilled people, there are too many bugs, and there are way too many attackers. So, it’s clear that smart cyber defenders need to be supplemented by even smarter technology incorporating AI. You can learn what this looks like by checking out this upcoming Regcast, “Securing Critical Infrastructure from Cyber-attack” on October 28 at 5pm.

    Continue reading
  • Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal

    Or so says infsec outfit Emsisoft

    Hurling online abuse at ransomware gangs may have contributed to a hardline policy of dumping victims' data online, according to counter-ransomware company Emsisoft.

    Earlier this month, the Conti ransomware gang declared it would publish victims' data and break off ransom negotiations if anyone other than "respected journalist and researcher personalities" [sic] dared publish snippets of ransomware negotiations, amid a general hardening of attitudes among ransomware gangs.

    Typically these conversation snippets make it into the public domain because curious people log into ransomware negotiation portals hosted by the criminals. The BlackMatter (aka DarkSide) gang's portal credentials (detailed in a ransom note) became exposed to the wider world, however, and the resulting wave of furious abuse hurled at the crims prompted them to pull up the virtual drawbridge.

    Continue reading

Biting the hand that feeds IT © 1998–2021