nav search
Data Centre Software Security DevOps Business Personal Tech Science Emergent Tech Bootnotes
BOFH
Lectures

back to article
Publishers tell Google: We're not your consent lackeys

}{amis}{ Silver badge
Holmes

I am Shocked I Tell You.......

That the yawning black hole for data this is Google is demanding ever more data and that someone else takes the inevitable shaft.

The Silicone Valley data hogs business model is fundamentally incompatible with GPDR.

Note to self stock up on more popcorn because this entertainment source is going to run and run.

Aitor 1 Silver badge

Re: I am Shocked I Tell You.......

You cannot ask for information that you are not going to need for a specific purpose that is revealed to the customer.

Not only that, but you must need that piece of data, and be able to justify it.

If the service does not require that piece of data and you require it, then there is no valid consent.

So yes, the big slurp is illegal.

Robin

Re: I am Shocked I Tell You.......

I've heard the view is fantastic in Silicone Valley.

Sandtitz Silver badge
Thumb Up

Re: I am Shocked I Tell You.......

"I've heard the view is fantastic in Silicone Valley."

Yes, a lovely dell indeed to spend quality time in, although I prefer the natural, untouched landscapes.

ratfox Silver badge
Angel

Re: I am Shocked I Tell You.......

Untouched landscapes tend to be smaller tracts of land...

Anonymous Coward
Anonymous Coward

Ok so this may be a stupid question but won't google need get my consent to track me via it's analytics which are embedded in most if not all websites? and if they do what happens if I say no?

I also don't see how they can push consent down the line when it's them collecting and processing the data to serve ads.

ShelLuser

@AC

Well, that would depend. To my understanding the whole regulation concentrates itself on personal data, and what Google basically gets through analytics is nothing more but an IP address and a browser stamp.

This could be theoretically linked back to you if you have a Google account, are constantly logged on and have provided Google with your personal information. But that only applies after you given them access to that data. I could imagine that your personal data does fall into this regulation but the anonymous analytics data does not. Only if you would be linked then it becomes personal.

Adam 52 Silver badge

Google issued new terms for Google Analytics at the end of last week. I haven't read them in detail yet.

Up until now Google's position has been different to the EU's Article 29 group, Google do not consider IP to be personal data and site operators are banned from passing anything that is personal to Google. GDPR cements the EU view, not Google's, into law.

Consensus seems to be that GA can be covered by offering an opt-out on a site somewhere, but nobody knows yet how the regulators will rules.

As an aside, you'll note that google.com currently drops a cookie consent=no if you refuse it permission to drop cookies. That's explicitly against the regulations and will put Google into conflict with the courts if they don't change soon.

Fazal Majid

Re: @AC

IP addresses are explicitly considered PII under GDPR. Google doesn’t get to make that determination.

Opt-out is also not sufficient, the user has to explicitly opt-in (checkboxes checked by default are considered invalid consent and still expose the data controllers to steep fines, as they should).

Daggerchild Silver badge

Uh Oh..

"google.com currently drops a cookie consent=no if you refuse it permission to drop cookies. That's explicitly against the regulations"

Hrm. Practical reality is going to want a word on that topic..

"Hi, you're new here! Do you want to join?"

"No."

"Hi, you're new here! Do you want to join?"

"No!"

"Hi, you're new here! Do you want to join?" ...

Tom 38 Silver badge

Re: @AC

To my understanding the whole regulation concentrates itself on personal data, and what Google basically gets through analytics is nothing more but an IP address

..which is PII.

Glad everyone has done their training..

big_D Silver badge

Re: @AC

@ShelLuser under GDPR an IP address is considered PII, so collecting IP addresses over analytics definitely falls under GDPR.

Current recommendations from the IETF for collecting IP addresses (locally on the server, in the logs) is that the IP address be anonymized (i.e. the full IP address is not stored) and that the data be deleted within 3 days.

I can't see Google complying with such a scheme.

big_D Silver badge

@Adma 52 an opt out for GA is contrary to GDPR, isn't it? I thought GDPR changed it to an explicit opt-in.

Adam 52 Silver badge

There are two issues:

1. The cookie drop that makes it possible. That's opt-in.

2. The lawful basis for processing the data. That can be consent or it can be legitimate business interests (and any of the other lawful basis). If consent then it needs to be explicit but if you think that you can justify one of the other lawful reasons then it's opt-out (or maybe, in extreme cases, not even opt-out; we don't have any of those).

That's what our lawyers are telling me.

Adam 52 Silver badge

Re: Uh Oh..

Hrm. Practical reality is going to want a word on that topic.."

Some sites are implementing pretty much what you propose, although not quite so repetitive. The cookie question blocks access to the site until you accept.

tiggity Silver badge

Re: @AC

@big_D

Nobody will comply with 3 days logs and anon IPS if they want to have proper forensics after maicious hack / attempted hack.

Daggerchild Silver badge

Re: Uh Oh..

The point of cookies is to distinguish the client >>with the client's co-operation<< from everyone else. Otherwise, you can only look like a blank new customer. And new customers are VERY INTERESTING to websites, and honestly, can you blame them?

But you know what isn't a cookie? An internal javascript scan of your machine to work out your fingerprint. You can delete a cookie. You can control cookies. But not if there are no cookies anymore. Devil we know?

The thing that's bothering me is 'personal data'. An IP just *isn't* actually enough to identify someone, it's just a piece of it. But GDPR says it is identifying. Do you know what else is equivalently just a piece? Just about everything! Logging the time of the request, and the time the client thinks it is, those are both *very* identifying properties of the user's information surface. Clock drift rate, and the periodic clock correction are individual to a machine.

I get worried when other people say things aren't 'identifying', just because *they* don't know how they could be used. I get worried when people say things *are* identifying, when they aren't!

And this is all wired to huge legal explosives.

fluffybunnyuk

Theres another angle to this which has been overlooked by the article writer.

That is namely that the onus is on the publishers to ensure they use companies that are GDPR compliant, if google is not fully GDPR compliant then the publisher has no choice but to move their stuff elsewhere.

The ultimate consequence of google not being fully GDPR compliant is that all EU companies will have to move elsewhere. Advertising-wise thats going to hit google really hard.

Zippy's Sausage Factory
Unhappy

The only issue... who else is there?

Seriously, they're pretty much a monopoly in online advertising these days. And all the research I've done on alternatives only comes up with companies that are US only

codejunky Silver badge

@ fluffybunnyuk

"The ultimate consequence of google not being fully GDPR compliant is that all EU companies will have to move elsewhere. Advertising-wise thats going to hit google really hard."

Thats not going to be google hit hard. I cant see google being the one to lose that contest when people actually have to do something.

fluffybunnyuk

Re: @ fluffybunnyuk

It isn't a matter of being a "contest". It is a matter of complying with the law.

I don't use american companies for business unless they are fully GDPR compliant. 95%+ arn't, so i don't use them.

Google will do something either when the ICO fines them , or their customers leave in the tens of millions in order to comply. I'm betting on the latter. Thats what happens when your an American company, and think the law doesn't apply to you. Companies like mine do business elsewhere, and the USA loses. Its not my fault the Americans don't want my business and the opportunity it represents.

Ken Hagan Gold badge

Re: Who else is there?

If the whole of Europe stops advertising online for want of a GDPR-compliant ad broker, such a thing will come into existence within months, if not weeks.

If it isn't Google, that's Google's problem.

Jack of Shadows Silver badge

Re: @ fluffybunnyuk

My read is that this is an attempt at pushback against the GDPR by Google. Now as to whether that's going to get Google anywhere is the question. I don't believe so but IANAL.

ExampleOne

Seriously, they're pretty much a monopoly in online advertising these days. And all the research I've done on alternatives only comes up with companies that are US only

I'm not sure how hard you looked if you completely missed Awin.

Their model may not be to your preference but as they are based in Germany, it's probably safe to say they are going to be GDPR compliant.

Chris Beach

That sounds entirely reasonable though, the publisher chooses what to put on their pages, so they should be responsible for all the content, and now, the corresponding consent. They choose which ad networks and trackers to link to.

Google can't ask for a users consent for a specific site, nor can they make the users consent to all sites that might use a Google backend service.

For the sites and pages Google publish on their domains then of course they are responsible.

Google might have lots to do for gdpr, but not this.

codejunky Silver badge

Re: @ fluffybunnyuk

@ fluffybunnyuk

"It isn't a matter of being a "contest". It is a matter of complying with the law."

It is a contest otherwise we would have all kinds of stupid laws because there is no push back-

https://www.theverge.com/2014/11/5/7160587/german-publisher-axel-springer-google-news

"I don't use american companies for business unless they are fully GDPR compliant. 95%+ arn't, so i don't use them."

Thats good, that is the way to do things by choice. If enough people feel the additional weight of regulation is worth it then they will do business with compliant companies, otherwise they will go to the others assuming the savings are passed on to the customer. The EU could end up improving security standards around the world. They could end up pricing themselves out of the market. it will be interesting to see.

fluffybunnyuk

Re: @ fluffybunnyuk

The cost to my business is actually profit. Spam is down 90% on our mail servers, our web sites serve less data, and less complex pages. In fact we can remove 1 server from use saving us £1000/year. not even graphable in terms of yearly IT spend but i like an efficient ship. Now if only staff paid for their own coffee/biscuits...then we could make really big savings.

Rich 2

Take the money and run

This "take the money, but accept absolutely no responsibility" thing is quite popular isn't it?

Pascal Monett Silver badge

Re: Take the money and run

Especially when you're at the top of a multinational.

Any multinational.

Mage Silver badge

Google and EU

In reality they are accumulating so much: IP, cookies, log in, APIs, fonts, analytics, scripts, adverts etc they could be breaking existing EU law.

Also their forcing acceptance of privacy policies is wrong.

Massive data scrape of browser info and previous visit etc.

They are worse than Facebook.

Pascal Monett Silver badge

"publishers are looking to force Google"

Sounds like irresistable force encountering immovable object.

Google in one corner, 4000+ media publishers in the other. The fireworks will likely be spectacular on this one.

rum032r

Opt out decloartion

Have your subscribers send the following once a calendar year to Google / Alphabet legal department

Any information collected by software provided by Google/Alphabet, it’s affiliates or content providers for the engagement of services, required to accesses services, purchase of a goods or tangible assets through or facilitated by your organization may only be used for administrative purposes as defined by commonly accepted account principles and for the delivery of the said services, goods or assets. It may not be disseminated, distributed or disclosed to any party or used for any other purpose without the prior written consent of the person the information was entered by. Consent must be in the form of a written document delivered to your CEO by registered mail the costs of which are paid in full by Google its agents, assigns, designates or affiliates. This supersedes any permissions implied or assumed that your organization feels it may have been given because a web page, e/mail, service or other electronic documents from your organization were or may be in the future accessed directly or indirectly.

They have a choice of withdrawing their services from the user, or responding in writing requesting an exemption which the user must not grant. And if they deny services to the user who has a contract with a third party who has “contracted” Google / Alphabet; Google / Alphabet is in breach of contract and action may be taken against them for that breach.

ratfox Silver badge
Paris Hilton

This is way too technical for me

Can someone give a simple example of what is going on? What Google wants the websites to do, and what the websites want Google to do?

Killfalcon Bronze badge

Re: This is way too technical for me

I think (and am open to correction) that:

Websites use Google Analytics to find out what users do, where they came from, etc. It's what tells webadmins that 3% of their traffic comes from Texans, or 22,000 people clicked the link in that one retweet by a famous person, or that 22% of visitors abandoned purchases as soon as they saw the second Captcha, or whatever.

a) Google's position is that it's the publisher using GA's service's job to get permission for this data processing - that is, when you visit a site, the *site* has to ask you if they can record a bunch of stuff and pass it to google for processing.

b) It is also google's position that they're the 'controllers' of the data. That is, once you've clicked okay to the publishers' permission box google /decide how to work with it and what to use it for/ (i.e., how to use it for advertising).

c) finally, Google doesn't want to get sued inside-out if a website does part a) wrong... which is perhaps part of why a) is even a thing. If google has to request permission itself, then Google either gets it right, or gets it /catastrophically/ wrong and is liable for as many counts of the GDPR as there are EU citizens thanks to the scale of it's business. If individual sites have to do the asking then even if Google ends up liable the scale of the damage is limited.

It's presumably the case now that a site running google analytics gets some analytical data out about stuff but doesn't get any real involvement in how the user data feeds into google's advertising, so Google is happy to recommend competitor's products after you browse a given site - I know I've gotten Zoopla adverts after gawping at unaffordable houses on RightMove, for example. Maybe that's what google is worried about.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing