There are four initials at the forefront of everyone’s mind at the moment – GDPR. The General Data Protection Regulation will affect all businesses, regardless of size, so whether you are a small business or multi-national company, it will impact your operation. As the deadline of May the 25th looms, we are receiving daily notices from some of the biggest company’s in the world, indicating how they will be making changes to comply with GDPR. But what about Google, the world’s biggest search engine, how does a company built on data collection comply with data laws? You probably use or integrate with their products and services so their policy changes will affect you.
Google & GDPR
Due to the scope and complexity of their products and global influence, everyone has been keeping a close eye on Google’s approach to GDPR. The implications of the regulation will affect products such as Search and Gmail as well as advertising and measurement services like Adwords and Analytics. Back in August 2017, Google outlined their commitment to ensuring they were compliant with GDPR and have been working in the background to make changes, keeping users and advertisers informed along the way.
One major part of GDPR relates to the issue of consent and Google has recently clarified its position on this with an updated policy. The policy makes it clear that whilst Google will be responsible for obtaining consent for its own first-party users such as Gmail and Youtube, publishers and advertisers using any of Google’s products will have to obtain consent from their own users. That means it is your responsibility to obtain consent from visitors to your website. The policy, which can be read here, outlines the following:
- You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and
- You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies.
Processor or Controller
Another big part of Google’s GDPR implementation has seen a clarification of their role as a data ‘processor’ and ‘controller’. The ICO define a processor and controller as:
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
Google has been updating its contracts across products to make it clear what its role is for each of its products and services. For Google Analytics, Tag Manager and tools like Optimise it defines itself as a processor and for Adwords and Double Click it is a data ‘Controller’. You can view the full list here.
If you measure anything to do with your website and online activity, chances are you will have Google Analytics installed on your website. In April, Google sent a notification out to all of its analytics account administrators with an update on the measures it is taking to make Analytics compliant with GDPR. This included:
- Granular Retention Controls – This new feature will be rolled out on May 25th and in a nut-shell will allow you choose how long Analytics retains user and event data before deleting it. Options will range from 14-50 months, or there’s also an option to not automatically expire.
- User Deletion Tool – With the ‘Right to be erasure’ coming into force with GDPR, Google is adding a user deletion tool to Analytics properties, allowing account owners to manage the deletion of all data associated with an individual. It’s an automated tool that will use any common identifiers such as first-party cookies.
- Customisable Cookie Settings: Google Analytics works using a first-party tracking cookie and under GDPR consent will be required from users. Google has provided plenty of resources to help website owners deal with this and have even built a website with help with cookie consent.
Exactly how your business fits into these changes will depend on the scope and use of Google’s products. Find out more information on Google’s data use here to see how it could affect your business.
Disclaimer: This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.