Google Announces First Changes for GDPR Compliance
Google provided further guidance on Thursday on the changes it is making to its offerings in order to comply with the European Union’s General Data Protection Regulation (GDPR). At this point, there are only two months until the GDPR implementation deadline of May 25, 2018.
In an email titled “Important updates about the General Data Protection Regulation (GDPR)” and a blog post on Inside Adwords by the Google President of EMEA Partnerships, Google announced changes it is making both to its products and to its agreements with Google users because of its status as either a processor or a controller under the new European law.
As a leader in the technology and advertising industry with the world’s most popular search engine, its ads displayed by two million Adsense publishers, and its Analytics solution collecting the data of more than 50% of all known websites, Google’s preparations for the GDPR are being followed closely by many businesses and the media.
Google will also be a focus in Europe because of the key role it has played in the battle over the right to be forgotten. Since the European Court of Justice ruling declaring Europe’s right to be forgotten in 2014, there have been more than 650,000 requests to remove more than 2.4 million website listings from the search engine. Google has removed more than 40 percent of the requested URLs and continues to battle in European courts over individual cases where it has denied removal.
Google’s GDPR announcement came less than a week after the Cambridge Analytica data scandal broke at Facebook. Data privacy has been a key area of focus for the media and the public for the last week, and businesses that rely on Google are no doubt looking to it for some answers as well. Google has been mentioned by Congressional representatives among the companies that will need to testify before Congress with Facebook on the data privacy protections of technology companies.
The highlighted changes included:
THE EU USER CONSENT POLICY
An update to the EU User Consent Policy in order to reflect the GDPR. Websites with end users in the European Economic Area (EEA) will need to obtain consent from users for legally required cookies and the collection of data for personalized ads. The new policy also requires the website publisher to retain records of consent given by end users and provide end users with clear instructions for revoking consent.
The consent must clearly identify each party that may collect, receive or use end users’ personal data as a result of using the Google product and provide prominent and easily accessible information about the party’s use of the personal data.
The policy even requires those that share information with Google via a third-party property that they do not control to make commercially reasonable efforts to ensure that the third-party complies with its duties under the GDPR to obtain consent for sharing the data with Google if it is not already required to do so by its own relationship with Google.
In other words, Google is putting the burden on publishers to collect consent for the visitors on their site. Google is not going to carry over the consent from its consumer-facing products like Gmail, YouTube and Google.com to its third-party publishers.
Google is working with advertising industry groups such as IAB Europe to create consent solutions for publishers. If Adsense publishers do not want to obtain consent for personalized ads or the user denies the request, Google will show non-personalized ads through a newly developed advertising solution.
CONTRACT CHANGES
Google products are also seeing an update to their contracts with business users to reflect its status as either a processor or controller. This is happening because GDPR requires controllers to have data sharing agreements in place with co-controllers or their processors. On its website, Google informs businesses of some of their obligations as controllers under the GDPR if they are located in the European Union or providing services to individuals located in the EU, and recommends that they further familiarize themselves with the law.
GOOGLE ANALYTICS
Because so many website owners capture and store data about users in Google Analytics, how it is going to handle data subject access rights is a large area of concern. In its announcement, Google also said it would make changes in Analytics to allow website owners to better manage data retention and deletion. Since GDPR requires controllers to respond to data subject access requests (DSARs) in a timely fashion, this will likely need to be a part of any changes, although it was not specifically mentioned.
CHILDREN’S PRIVACY
Google also announced that it will be making changes to limit the processing of personal information for children under the age of consent in Europe. It did not specifically identify what changes it will make. GDPR requires additional efforts to ensure lawful processing for children under the age of 16 years old (or as low as 13 years old if the member state lowers the age of consent by law), such as gaining the consent of the holder of parental responsibility for the child.
OTHER CHANGES
The media reported that Google is making other changes to its tools to let publishers and advertisers control data sharing. Google did not address the ePrivacy directive, an upcoming law pertaining to electronic communications in Europe.
PREVIOUS GOOGLE COMMUNICATIONS
Google expressed its commitment to comply with the GDPR across all of its services in Europe last year in a posting written by William Malcolm, Director of Google’s Privacy Legal. Malcolm specifically mentioned its Adwords, Adsense, DoubleClick, Analytics and Cloud services. Malcolm also mentioned a section of the Google website concerning how they protect business data and the control they offer businesses: https://privacy.google.com/businesses/. The page is split into four sections: (1) Business control of how their data is used; (2) Google’s protection of your business’s data; (3) Google’s commitment to comply with applicable data protection laws; and (4) how Google helps businesses get more out of their data.
ADDITIONAL COVERAGE OF GOOGLE’S GDPR COMPLIANCE EFFORTS TO FOLLOW
There will obviously be more announcements from Google in the months to come as the GDPR implementation date comes closer on the horizon. We will continue to follow the changes closely here as they will likely impact so many businesses and serve as a guide for what smaller publishers, advertisers and businesses need to do to comply with GDPR.