Google Changes Web Ad Policies to Comply With EU’s GDPR

Publishers and advertising partners will need to obtain informed consent from users in the European Union before they can share any data for ad targeting.

Google GDPR Ad compliance

Google is changing its ad polices in the European Union to comply with the requirements of the General Data Protection Regulation (GDPR) that goes into effect May 25. 

Under the new policies, publishers and advertisers that use Google's advertising services to deliver targeted messages to Internet users in the EU will need to obtain informed consent from them first. 

Unlike opt-out models, where consent is assumed by default unless a user specifically opts out of sharing their information, Google's new policies in EU will require publishers to show that users have specifically agreed, or opted-in, to sharing their browsing data. 

EU privacy law already requires companies like Google to obtain such consent. However, the GDPR further refines these requirements, said Carlo Biondo, president of EMEA partnerships at Google in a blog March 22. 

So Google is updating its EU consent policy for when GDPR goes into effect. The revised policy will require publishers to take extra steps to in obtaining user consent, Biondo said without elaborating on what those additional requirements would be. 

But according to a report in Search Engine Land, publishers and advertisers will be required to obtain formal affirmative consent from EU residents in all situations involving the use of Google's services to deliver targeted ads. Publishers will reportedly be required to maintain records of user consent and be required to provide EU residents with clear instructions for opting out. 

"We’re aware that our customers and partners—European and international—have significant obligations under these new laws, as does Google," Biondo said. Google will be providing publishers and advertisers more updates on the policy changes in coming weeks, he said. 

GDPR requires all entities handling certain personally identifiable information belonging to EU residents to implement demonstrable controls for protecting the privacy of the data. It gives EU users a lot more control over how their personal data—including that gathered from online browsing—is collected, stored and used. 

The statute gives users the right to ask entities like Google for any data of theirs that might have been collected and to request changes in the data, if inaccurate. Under the law, informed user consent is fundamental to almost any collection and sharing of personal data. GDPR provides for fines of up to 4 percent a company's global revenues up to a maximum of around $25 million, for non-compliance. 

In order for Google—and other Internet companies—to be able to deliver targeted ads to users based on their browsing histories, the company and its partners need to ensure they have obtained consent first. 

Google is currently working on technology to support publishers that want to display non-personalized ads to EU residents. The tool will be available before GDPR goes into effect. In addition, "we are working with industry groups, including IAB Europe, to explore proposed consent solutions for publishers," Biondo said. 

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.