Google has started implementing major policy, contractual, and product changes in preparation for the soon-to-be-enforceable General Data Protection Regulation (GDPR). The changes largely reflect Google’s status as either data controller or processor in regards to their products; sets out your responsibilities in light of the new legal requirements and includes product and network modifications.
Google’s EU User Consent Policy is being updated to better reflect the new legal requirements. Central to these policy changes is the statement of your responsibilities in regards to disclosures to and obtaining consent from EEA users.
In regards to sites/ apps or other “properties” under your control that make use of Google services, you are required to:
- acquire legally valid consent for the processing of personal data for ads personalization of ads or remarketing services;
- keep records of consent given by end users;
- provide end users with clear instructions for the withdrawal of consent; and
- identify and disclose details of all third-parties involved in the processing of the personal data of end users, in an easily accessible and visible way
Google has stated that failure to comply may lead to limited or suspended accounts and/termination of your agreement.
Google is including the new GDPR terms as a supplement to your contract with Google. These modifications will come into force on 25 May 2018.
Currently, these contract changes will affect AdWords, DoubleClick, and the Google Analytics suite. The terms will be incorporated into your terms of service (also known as the terms and conditions) agreement with Google and you may be required to log-in and accept the new terms in your account if you haven’t already.
In order to comply with the GDPR, Google is making product changes across their global network of publisher sites, which:
- give publishers the ability to select which third-party ads get displayed to their end users and give them the ability to show non-personalized ads;
- limit the processing of personal information for children under the GDPR Age of Consent;
The company has also stated that they are “exploring consent solutions for publishers” and launching new controls that give Google Analytics customers the ability to manage the storage and deletion of their data.
Update:You can read more about the specific changes to Google Analytics and Analytics 360 here.
Here’s the full email text from Google:
- For AdWords customers globally, our GDPR terms are incorporated into the terms of service, which (if you’ve not done so already) you can accept in your account. In the case of AdWords Customer Match and Store Sales Direct, Google acts as a processor; for the rest of AdWords we act as a controller.
- For customers using DoubleClick and the Google Analytics (GA) Suite, processor terms are available for you to review and accept from within your account. If you are an EEA client of GA, data processing terms will be included in your terms shortly. GA customers based outside EEA and all GA 360 customers may accept the terms from within GA.
- If you don’t contract with Google for your use of Google products, you should seek advice from the parties with whom you contract.
Product changes To comply, and support your compliance with GDPR, we are:
- Making some changes across the network of publisher sites on which your ads may appear – enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps.
- Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
- Unifying our ads data retention practices; and launching new controls for Google Analytics customers to manage the retention and deletion of their data.
- Exploring consent solutions for publishers, including working with industry groups like IAB Europe.
Find out more You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms. If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks. Sincerely,
The Google Team
Here’s what you can do right now to comply with Google’s GDPR-based consent policy requirements:
- Implement a method of obtaining verifiable and valid consent. For consent to be valid, it must be informed, freely-given and verifiable. This means that your end users should know precisely and honestly, exactly what they’re consenting to and the consent must be based on an explicit affirmative uncoerced action.
- Implement a “cookie consent solution” that allows you to obtain valid, verifiable explicit consent BEFORE installing cookies on the end users’ device. Our cookie solution simplifies this process -end users are informed via a customizable cookie banner; active consent is facilitated via either clicking or scrolling, and user consent settings are remembered.
- Keep clear records of the consent attained. Your records of consent should at least include the identity of the user giving consent; when they consented; what disclosures were made (what they were told) at the time they consented; methods used for obtaining consent (e.g., newsletter form, during checkout etc.); whether they have withdrawn consent or not.
Looking for more in-depth information on the GDPR? You’re welcome to join us at our up-coming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to sign-up NOW as our webinars often fill up quickly.