Considering the attention that Google gets over data privacy, it didn’t come as much of a surprise when they started warning publishers about compliance to their User Consent policy back in December. What is more surprising is why some publishers have had warning & others haven’t, even though they seem to be making the same mistakes.
Google’s EU User Consent Policy governs how any publisher with users in the European Economic Area need to deal with obtaining user permission for data storage and processing before certain Google services can be used on page. The policy doesn’t actually ask too much of publishers, but it isn’t the easiest to navigate. Any publishers not sure of how that policy applies to their website should take a look at our free guide to Google’s EU User consent policy.
What mistakes are being made by those receiving the warnings?
Warnings we have seen related to two issues, both of which are very common amongst publishers who have not received the warnings:
The domain does not request consent at all
The EU User Consent Policy requires that we inform users in the EEA about how their personal information is used and obtain their permission for this use. The first batch of warnings relate to sites where no such notice exists at all. Despite the publicity around consent notices, it is surprisingly common to still see them missing from ad serving websites.
The wording of the notice does not meet the policy
The EU User Consent policy has very specific requirements in terms of what we communicate to publishers. Where there is a CMP in place, but the wording does not meet those requirements this warning is being sent. Perhaps surprisingly, most of the domains that we see getting this warning are using some of the most popular freely available CMPs such as Quantcast Choice and the Appnexus CMP.
Why are publishers who use a popular CMP getting warnings?
The most popular CMPs use the IAB Consent Framework, which is an agreed standard for participating adtech companies to handle consent. Google is not yet signed up to this standard (and is not expected to be until version 2.0 is released). That means that IAB only CMPSs do not include Google in their providers list. These CMPs can be “hacked” to make them compliant with the policy, but they are not compliant by default.
If the big CMPs are not compliant, why are more publishers not getting the warnings?
The mistakes we have seen flagged by Google are very common amongst publisher sites and it was initially difficult to understand why some site were receiving warnings whilst others were not. We now know that Google are prioritising domains that they have received user feedback/complaints about through the ‘report this ad’ mechanism.
If you have received a warning then you can be confident that your users have flagged the issue to Google. If you have not, then it does not mean that you are compliant, just that it has not yet been bought to Google’s attention. In this case we would recommend reading the guide and starting work on becoming compliant now whilst you have time to complete the work at your own pace.
What happens if publishers ignore the GDPR warnings?
Google are definitely taking enforcement action over EU User Consent Policy compliance. Preferred action would seem to be to block the domain from serving Google ads – a process that can take time to reverse.