On Monday, January 21st, the CNIL, France’s data privacy regulatory body, fined Google €50 million for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” Importantly, per the BBC, the CNIL said that Google had “failed to obtain a valid legal basis to process user data,” and that “the option to personalise ads was ‘pre-ticked’ when creating an account, which did not respect the GDPR rules.”
What it means
The Google GDPR fine continues to make it clear that the safest and best way to legally collect and process data is by using consent as a legal basis. That means that users must give explicit consent for their data to be used, specifically by opting in to—not out of—the agreement. Basing your agreement on consent solves several important problems for publishers.
First, it ensures that you’re on the right side of the law. Even if you’re not an EU-based company, any company doing business in the EU—i.e. any publisher that has EU readership—is held accountable to the GDPR. Although legislation was passed nearly two years ago (the law went into effect on May 25, 2018), many US publishers—some of them as large as The New York Times—continue to block EU traffic entirely.
Second is that moving to consent-based data collection is the first step in preparing for future privacy laws. In the US, California was the first state to introduce regulations following in the footsteps of GDPR (they’ll go into effect in 2020), and similar discussions are underway around the world.
The final takeaway from everything we’ve seen post-GDPR is that collecting data based on consent earns publishers more money. First and foremost, publishers who’ve closed off EU traffic aren’t earning ad revenue from those readers, period. Additionally, although opt-in rates vary, publishers who take the time to communicate with their readers do see a bump in those numbers—and opted-in readers who allow for targeted ads are made immediately worth more to advertisers. By implementing a CMP, you are able to offer buyers ads with genuine consent strings, which means that your ads in the EU are more valuable as more buyers move towards only buying with consent.
Why you should care
Publishers should take note of the fine, and shouldn’t assume that Google’s size and position are the only reasons it was punished. While this is certainly marquee news, and GDPR is still in its infancy, this opens a route for future lawsuits to be levied. Similar complaints have been filed against Facebook and others, and although this is the largest GDPR-related fine to date, it also doesn’t amount to much money in the grand scheme of things. The GDPR allows for fines of up to 4% of a company’s global turnover; in Google’s case this would amount to billions.
As we’ve been saying since implementation, it’s important that publishers understand the potential effects of the GDPR, the best ways to ensure compliance, and the potential dangers of collecting data improperly. Consent-based collection continues to be the safest and most valuable way to secure permission from readers, and the easiest way to manage consent is through a Consent Management Platform. A number of companies offer free platforms, including Sovrn—ours is delivered through a single line of code, meaning that publishers won’t run into coding headaches. It’s also easy to customize, and it’s easy for readers to navigate.
Whether you’re a multi-billion dollar company, or just getting started, the lesson is clear: moving towards consent as your basis for data collection and processing is the smart move.