Is Google stressed about the EU’s big incoming privacy law? Not so much, CEO Sundar Pichai has claimed. But there may indeed be reasons for the company’s investors to be concerned about the company’s future revenues.
Speaking on Alphabet’s Q1 earnings call, Pichai noted that Google has been preparing for the General Data Protection Regulation (GDPR) for the last year and a half, being “very, very engaged on it” ahead of the law coming into effect on May 25th.
The GDPR gives Europeans powerful new rights to stop their personal data—meaning any data relating to them as identifiable individuals—being processed if they don’t want it to be. Crucially, they can demand that companies stop building profiles of them for marketing purposes.
Google is, of course, primarily an advertising company. However, Pichai said on the call that most of its ad business was “in search, where we rely on very limited information—essentially what is in the keywords—to show a relevant ad or product.”
It is true that more than 80% of Google’s ad revenues come from its own properties—search, YouTube, Maps and so on—but the remainder comes from sites that include ads from the Google network on their webpages.
This side of the business will most certainly be affected by the GDPR. The way modern advertising works, publishers put empty boxes on their pages that they direct Google (or a rival ad network) to fill with something that will be most relevant to the people viewing those pages. How do the ad networks know what to put in there? By profiling individuals. As the Wall Street Journal noted a couple days ago, Google collects way more data on people than Facebook does, despite the latter company currently being in the doghouse over privacy.
Google explained last month in a blog post that the company already requires publishers and advertisers operating in Europe to get consent from the people whose data is being processed—this is already required under existing EU privacy law.
However, the GDPR will tighten up those consent requirements, meaning publishers will have to “take extra steps” in getting their readers to agree to having their data processed. While the current regime allows for bland, vague statements about cookies and third parties, the GDPR will demand more detailed statements informing people about what happens to their data. And it won’t allow publishers to tell people they are implying their consent by using a website—users have to really opt into being profiled.
So Google is working on new mechanisms to help publishers ask for consent, and it is also promising them “a solution to support publishers that want to show non-personalized ads.” On both these fronts, the devil will be in the detail—Europe’s privacy regulators won’t take kindly to any solution that doesn’t fully comply with the GDPR. And Google is most definitely in those regulators’ sights, being one of the biggest fish in the pond.
Even if Google does manage to comply without incurring the watchdogs’ expensive wrath—flouting the GDPR comes with fines of up to 4% of global annual revenue—its solutions to the problem might end up making its ad business less lucrative. After all, the whole point of profiling consumers is to show them personalized ads that they are more likely to click on, earning Google its fee. And from a privacy-centric, consumer-choice perspective, the way to know the GDPR is working will be to witness more people asserting their right not to be profiled.
Pichai may be correct in saying Google has nothing to fear from the GDPR. But the company still has to back up that assertion.