Google and Facebook are Significantly Exposed to Disruption via GDPR

30 August, 2017 

Substantial parts of Google and Facebook’s business will be disrupted by the EU’s new GDPR data protection rules that are due to apply in May 2018, according to Dr Johnny Ryan of PageFair, a company that specialises in helping publishers monetise their inventory in the face of ad-blocking.

Under the new rules, both Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. Ryan says this presents an “acute challenge” as they cannot use a service-wide opt-in for everything, in spite of the fact that many commentators have suggested otherwise. Nor will they be able to deny access to their services to users who refuse to opt-in to tracking.

When a person uses Google or Facebook, they willingly disclose personal data. Both companies have the right to process these data to provide their services when one asks them to. However, the application of the GDPR will prevent them from using these personal data for any further purpose unless the user permits.

However, it depends what the data will be used for. As Ryan notes, “it will be necessary to ask for consent, or present an opt-out choice, at different times, and for different things. This creates varying levels of risk.”

To explain the varying degrees of exposure to risk, PageFair have devised “The GDPR Scale”:

Google has a Large Number of Products Exposed to GDPR

PageFair’s estimate of Google, when applied to the GDPR scale, shows a significant range of products at four on the scale. However, some part of that set of products can be modified, which would lower their score from four to one, which would put them out of the scope of the regulation.

PageFair scored all personalised advertising on Google sites such as Search, YouTube and Maps, and on the websites where Google provides advertising, at four because it will require that users opt in to extensive tracking.

But Google might have a get-out if users have already “signed in” to Google Search or Chrome, in which case they might argue that those services are “compatible” with what users signed up for. If they were to succeed with that argument, users might have to opt-out instead of opt-in.

On the programmatic side, many of the services provided to both advertisers and publishers by DoubleClick are likely to be affected. “Operating these under the GDPR would require not only that a user consents to Google’s use of data for advertising targeting purposes, but to the many other companies such as DMPs (data management platforms), DSPs (demand side platforms), and so forth processing these data too. The DoubleClick business is therefore at four on the scale.”

Specifically, PageFair say other technologies that will be affected include:

  • Certain targeting features of AdWords such as “remarketing”, “affinity audiences”, “custom affinity audiences”, “in-market audiences”, “similar audiences”, “demographic targeting”, “Floodlight” cross-device tracking.
  • “Customer Match”, which targets users and similar users based on personal data contributed by an advertiser. A prospect would have had to give their consent to the advertiser for this to occur.
  • “Remarketing lists for search ads (RLSA)”, retargeting from site visitors by using Google Analytics, is likely to be prevented by the ePR.

Gmail might also be affected as Google mines the content and metadata of each email message sent and received in Gmail to target advertising. As Ryan notes, this could not have continued under the GDPR and ePR without each sender and recipient giving their consent, and he suggests that this might be the real reason, or at least a contributing reason, behind Google’s recent announcement that it will stop mining people’s emails for ads.

Interestingly, Google’s AdWords product has the benefit that it can be modified to operate entirely outside the scope of the GDPR and ePR, which is why it appears at four on the scale, and at one. Ryan says that if Google discards personalised targeting features from AdWords, then it can continue to target advertisements to people based on what they search for.

Finally, at zero on the scale is Google’s “placement-targeted” advertisements. These target only by the context of the pages they appear on, rather than by using personal data. Therefore they are out of scope of the GDPR.


Significant parts of Facebook’s business are at two and four of PageFair’s scale, with the Facebook Audience Network and WhatsApp being the most vulnerable.

The Facebook Audience Network is scored four because it requires the processing of personal data from Facebook users to target them on other websites, which PageFair say means that it is unlikely that this will be regarded as a compatible use. If it is, Facebook will then have to convince users not to opt-out.

WhatsApp advertising is also scored four on the scale because it will be necessary for users to give their consent (an opt-in, rather than an opt-out) for their personal data on WhatsApp to be processed for purposes unrelated to WhatsApp functionality on Facebook properties other than WhatsApp.

Facebook’s famous Newsfeed will be a bit more safe though, as they may be able to use an opt-out to persuade users to permit the processing of these personal data.

However, the nature of the content in the Newsfeed may limit the range of data it can process. As Ryan notes, “Any information that reveals a person’s race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, or are related to a person’s sex life or sexual orientation are in ‘special categories of data’.”

The use of personal data from Instagram for advertising on Instagram may be accepted as a compatible purpose, and enable Instagram to use an opt-out notice rather than request an opt-in.

