Google may be hit with a 2% drop in revenue if a third of its users opt out of data sharing, Business Insider has reported today, following claims that changes in EU law are imposing on its ads business.
The company’s parent owner, Alphabet, has notified clients of its concern that GDPR is going to substantially increase its risk of doing business in Europe, and commentators expect that it can anticipate a considerable drop in ad revenue on May 25th with the deadline for compliance to the General Data Protection Regulation looming.
So why has GDPR got Google so worried?
The GDPR affects any company which does business in Europe, or markets to European customers, so will not affect Google’s approach to customers across the rest of the world. But in EEC countries, the company will have to get specific consent from its users about who it is passing their data onto. This threatens to take away the organisation’s lawful basis for requesting consent from their users to data sharing in return for free web services. It could, in the extreme, spell the end of free Google services in Europe… it could do absolutely nothing if Google’s customers simply ignore the change and carry on with the same permissions as before.
The reality of how GDPR affects Google’s ad revenues is yet to be seen, but the company has written to clients to warn that the changes will harm their ability to deliver ads.
Bosses said in a letter to clients: “Given the rollout of GDPR in Europe and ePrivacy regulations later, we see scope for changes that could affect ad efficacy and/or lead to ad buyer hesitation around certain retargeting practices that impact Google’s rapidly growing programmatic business as well as integration of certain types of data signals into core search. Given EMEA represents about 33% of revenue, a hypothetical back-of-the envelope 30% EU user opt-out of some data sharing, impacting ad efficacy by 20%, could equate to a 2ppt impact to ad revenue.”
The part of the regulation which may be so troubling to the company is in Article 7, around the requirements for consent, that it is informed, freely-given, unambiguous and can be withdrawn at any time.
When people consent to the processing of their data online, they must also be absolutely clear about what it is they are consenting to – who specifically is using their data, what the exact purposes are and who they will share it with. In Google’s position, it will need to name every ad agency it shares user data with, and point out if the reams of data users build up across their Google account – their email metadata, search data, online behaviour, is being used for marketing in addition to the purposes that users are actually concerned with – accessing their emails, calendars, YouTube – etc.
But perhaps more importantly is Part 4 of the article, which states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
This is the part of the act which makes it illegal to say you can only use our service if you let us collect data you don’t need us to. It makes any consent given with preconditions invalid, and could be the point to attract some hefty fines.