GDPR FAQs

Why is Google a “controller” under the GDPR as opposed to a “processor” of data?

AdSense examined all of AdSense products and assessed whether AdSense acts as a controller or a processor for each of them. AdSense operates as a controller for AdSense publisher products because AdSense regularly makes decisions on the data to deliver and improve the product.

For example, if you’re an AdSense publisher, AdSense will serve ads to your visitors. If your site is about, say, gardening, then AdSense might infer that your visitors are gardening enthusiasts. AdSense will use that data to benefit advertisers: a maker of lawnmowers might want its ads served to garden enthusiasts, even when they’re visiting sites that have nothing to do with gardening.

AdSense uses that data, to benefit different parties, which means that AdSense is a data controller, not a processor. For a publisher using AdSense Ad Manager or Ad Exchange products, the publisher has more control over the use of data. They can opt into the same sort of data uses as AdSense and AdMob.

Or they can make choices that will limit Google’s use of the data, meaning their pages about, for example, skiing won’t inform the ads that serve on another publisher’s site. There are some limits to those controls:

AdSense use data across Ad Manager and Ad Exchange publishers for purposes of product improvement, including to test ad serving algorithms, to monitor end-user latency, and to ensure the accuracy of our forecasting system. Again, it’s for these reasons that AdSense is a controller, not a processor, for Ad Manager and Ad Exchange.

The designation of Google’s publisher products as a controller does not give Google any additional rights over data derived from a publisher’s use of Ad Manager and Ad Exchange. Google’s use of data continue to be controlled by the terms of its contract with its publishers, and any feature-specific settings chosen by a publisher through the user interface of AdSense products.

Which services require consent from end users?

AdSense EU User Consent Policy provides details on where consent is required. AdSense has also updated the AdSense help page for the EU User Consent Policy to address questions AdSense has received from AdSense customers.

AdSense EU User Consent Policy also requires publishers to give users information about how their data will be used. To explain how Google’s products use data, AdSense encourages publishers to link to this user-facing page. Doing so will meet this requirement of AdSense policy.

How does Google plan to enforce consent?

AdSense’s first priority will always be to work with AdSense customers to get compliance right. AdSense recognizes that there will be diverse approaches to gaining consent and AdSense is not prescriptive about the approach, provided AdSense policy is met.

For example, AdSense knows that publishers want to present different choices to their visitors. AdSense has offered suggestions for what consent might look like at cookiechoices.org and that reflects an approach AdSense has taken with AdSense Funding Choices consent tool, but publishers may prefer to take a different approach. AdSense doesn’t envision a one-size-fits-all approach.

AdSense policy applies to publishers and advertisers that use AdSense products and have end users in the EEA. However, as with AdSense’s enforcement of AdSense’s existing policy, AdSense’s first step is not a ‘decision’ as such; rather, AdSense contacts the customer to indicate an issue, and AdSense will try to work with them to achieve compliance.

If you find a site that does not meet Google’s EU User Consent Policy, you can let us know via the AdSense Report policy violation form.

Can a publisher use your products without gaining consent and if so, how would it work?

AdSense developed a non-personalized ads mode to allow publishers to either 1) present EEA users with a choice between personalized ads and non-personalized ads or 2) choose to serve only non-personalized ads to all users in the EEA.

Although non-personalized ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the ePrivacy Directive’s cookie provisions apply.

What is Google’s solution for non-personalized ads?

Non-Personalized Ads allow publishers to present EEA users with a choice between personalized ads and non-personalized ads, or to choose to serve only non-personalized ads to all users in the EEA. Non-Personalized Ads only use contextual information, including coarse general (city-level) location.

For non-personalized ads, isn’t Google a processor versus a controller?

Under this solution, Google will continue to serve in the role of a controller, as AdSense will continue to make decisions on the data as mentioned above to optimize across publishers and improve the product.

Google relies on legitimate interests as a legal basis when using personal data for activities such as serving contextual ads, ads reporting and to combat fraud and abuse.

Although non-personalized ads don’t use cookies for ad personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. While AdSense relies on legitimate interests for this processing under the GDPR, consent is still required to use cookies for those purposes from users in countries to which the ePrivacy Directive’s cookie provisions apply.

If a publisher uses the IAB framework, what options do they have to use Google’s publisher products before full sell-side integration?

AdSense has not yet integrated with the IAB Transparency & Consent Framework (TCF). AdSense has been working with IAB Europe over the last several months to explore how AdSense products and policies can support the TCF, but AdSense full technical integration is not complete. 

Until Google’s IAB integration is complete, Google will return personalized ads for the Ad Technology Providers selected in the publisher ATP controls. Publishers will continue to have the option to include the non-personalized ad signal in their ad request or choose to serve only non-personalized ads to all users in the EEA in the Ad Manager UI. Also note that the IAB TCF technical specifications support web; the specifications for mobile app are not finalized. 

If Google makes future policy changes, how will you communicate these changes to publishers?

AdSense is sensitive to the impact of any changes AdSense makes to AdSense’s EU User Consent Policy. However, if regulatory guidance changes in some significant way (for example, if that guidance were to say that in fact, personalized ads can rely on legitimate interests), AdSense would expect to reflect that in AdSense policy.

While AdSense doesn’t give advance notice of all changes to AdSense policies, AdSense made an exception for those that AdSense is introducing to AdSense EU User Consent Policy. In the event of further significant changes, AdSense would want to do the same.

AdSense will continue to have active discussions with AdSense publisher partners, as AdSense has been doing for months, to share the latest updates and incorporate partner feedback.

Leave a Comment

Share via
Copy link
Powered by Social Snap