Google: GDPR will tighten the screws on how the whole industry handles data

The digital giant is rolling out GDPR changes globally to spell out when it acts as a ‘controller’ or processor’ of data, but has its reservations around how the rules might affect the user experience.


For a giant such as Google, the new European General Data Protection Regulation (GDPR) rules might seem like a tough task to implement. Yet it believes it won’t be bearing the brunt of the complex set of changes.

Instead, the digital giant believes the correct handling of consumer data is an “ecosystem challenge”, and that advertisers are the ones facing the biggest hurdles when trying to implement the new rules.

One of the challenges it does have to tackle, however, is determining whether its services need to be labelled as ‘processor’ or ‘controller’ – while the controller obtains the consent from the end user and decides how to process personal data, the processor handles the personal data on behalf of the controller.

As a result, Google has been updating its contracts and letting every party in the ad ecosystem – whether it be advertisers, publishers or agencies – know if Google is a controller or processor when they use its services.

Speaking during a press briefing last month, Google said it hopes to have all its new contracts in place by May, and that it has started rolling them out already. One of its services, AdWords, is already GDPR-compliant, it claims.

“We’ve had to make that binary decision for every product, whether we’re a controller or a processor, and explain why that’s the case based on how we’re handling that data to our clients, agencies and any other people using those Google products,” Amanda Storey, director of EMEA partnerships solutions, said.

The digital giant says it is looking to apply the GDPR changes on a global scale, as clients and agencies need to be aware if they’re targeting anyone within the European Economic Area or handling data of those users.

“GDPR has that extra-territorial scope. Whether you’re in the Middle East, the US or Singapore, you need to be thinking about GDPR and [know] that you’re handling those users’ data in the right way,” she said.

READ MORE: Why ITV is treating GDPR as an opportunity rather than a challenge

Battling clunkiness

When it comes to obtaining users’ consent, Storey says the company is focusing on “ambient, rather than bundled” consent. Simply put, this means it will look to get users consent “in the moment” when they are using a product.

Google is currently trialing a small icon placed next to its ads, which allows consumers to see why they were served this particular ad – and how to change their preferences if necessary.

The instant nature of getting consumers’ consent while they use Google’s services does throw up problems around the user experience. Storey pointed to the previously implemented e-privacy laws, which require websites to notify their users of the fact they are being tracked using cookies, and she admitted the pop-up banners are “a bit annoying to some people”. Similar issues are likely to emerge when GDPR comes into effect.

“GDPR will require consent for much more granular information on what’s happening with that user’s data, potentially in the moment when they’re using that product, and it’s a real challenge for everyone to figure out how to do that [in a way] that is frictionless for the user and not irritating,” she explained.

When it comes to how Google is looking to meet this challenge, Storey says it “all depends on the product”, as some of its products mean Google is a processor and others a controller.

The most challenging bit is for advertisers that don’t have a relationship with the end user. Because if they don’t have that direct relationship, how will they get [consumers’] consent?

Amanda Storey, Google

That said, the company feels confident it is up to the challenge due to the high level of scrutiny it has faced over consumer privacy issues in previous years. It launched a special section on its website – – in 2015 to explain why it was good for users to share their data. For example, sharing where you work and live improves the Google Maps experience.

It believes the further transparency around personal data will only empower the end user more.

“There are a few tweaks we’re making here and there but broadly we feel we’re in quite a good place given all the scrutiny we faced in the past around privacy. We’ve been investing for quite a few years at this point to make sure our controls and our transparency for users are really top notch,” she said.

READ MORE: Shell on overcoming the B2B challenges of GDPR

Shifting power dynamics

Google is not the only player in the ad ecosystem that has to get its head around the new regulation, however; advertisers and publishers have also been thrown into the mix.

Storey believes publishers are in a somewhat better position to tackle the new regulation, due to readers visiting their site and engaging with content, allowing media brands to ask for that consent as well as providing transparency on the data they collect. Advertisers and agencies, on the other hand, face a more difficult challenge.

It’s going to be a coming together of the industry. I think it’s more of a collaboration than a shifting of power, but absolutely there will be change there.

“The most challenging bit is for advertisers or agencies that don’t have a relationship with the end user. Because if they are a controller and don’t have that direct relationship, then how will they get [consumers’] consent? In some ways, it’s a tougher challenge for the advertisers than it is for the publishers,” she explained.

And while publishers might have traditionally been more reliant on agencies and advertisers to provide them with consumer data, this could now change the dynamic between the parties. That said, Google says it will be more of a collaboration between parties than a power shift.

“It’s going to be a coming together of the industry. Everyone in the value chain has to agree to some extent to make that consent moment as clear and easy to understand to the user as possible. I think it’s more of a collaboration than a shifting of power, but absolutely there will be change there,” she concluded.

“But I think for everyone, the good thing about GDPR is that it requires cleaning house. It turns the screws on the whole industry to just tighten up on how it’s handling data, retaining data and how it’s explaining that use to the end user. That transparency is good for the industry in terms of raising user trust, ultimately.”