Google 1
Most at risk are unwitting owners of ad-funded websites and apps, which Google has said have the responsibility of getting consent to serve targeted ads to European consumers. REUTERS/Dado Ruvic

Google's delayed entry into a consortium of advertising technology companies has spoiled the members' push to comply with a new European privacy law, six people involved in the program told Reuters, leaving some firms exposed to fines.

Most at risk are unwitting owners of ad-funded websites and apps, which Google has said to have the responsibility of getting consent to serve targeted ads to European consumers.

The experience shows how Google policy decisions cascade through the $200 billion global online advertising industry, which is dominated in most facets by the Alphabet Inc unit.

Data about a website visitor's identity can pass through a dozen ad tech firms before an ad is loaded, and each one must have user consent or another legal basis to access it under Europe's General Data Protection Regulation (GDPR).

Hundreds of ad tech firms launched software together a month before GDPR kicked in on May 25 to verify consent before displaying ads. Google announced on May 22 that it would not join the industry program until August.

Google devised a temporary solution that the people said has been imperfect. As a result, some of Google's advertising clients are targeting ads to users who have not given consent to personalized marketing.

Google declined to comment on possible policy violations, instead reiterating that GDPR "is a big change for everyone" and that it is working with partners on compliance. GDPR fines can reach as high as 4 percent of a firm's annual revenue.

Four ad tech executives said they are counting on deference from regulators until Google supports the consortium technology.

"Once Google adopts the consent framework, much of the confusion will start to settle down a bit," said Walter Knapp, chief executive of ad software company Sovrn Holdings Inc.

Authorities in France and Germany said they have yet to investigate consent issues related to online ads. Financial and legal analysts said it is a matter of time.

Temporary fix

A crucial issue has involved Google's DoubleClick Bid Manager (DBM), which large advertisers use to purchase ad space from ad exchanges.

Many websites now present European visitors with pop-ups asking for consent to send identity data to exchanges and DBM as ad space with user information is far more valuable.

The issue is that DBM cannot yet accept users' selections because it does not support the consortium standard.

Big exchanges such as AppNexus Inc and Rubicon Project Inc have worked around by guaranteeing that they will only offer ad space on DBM when users have consented.

AppNexus and Rubicon Project declined to specify how they are ensuring compliance.

They told websites it was up to them to block DBM if they cannot meet the guarantee, according to emailed notices seen by Reuters. It is unclear how many websites have taken the precaution.

"The responsibility lies squarely on the publishers," said Erin Yasgar, a team lead at online advertising advisory firm Prohaska Consulting.

DBM data last month showed that AppNexus and Rubicon Project did not offer significantly less ad space on DBM after making the consent-only guarantee, according to two industry executives speaking on the condition of anonymity. Yet, at least 10 percent of European users are not giving consent, the executives said.

Google operates a rival exchange which too has spotty enforcement of publishers, according to a Reuters review last week of several websites that displayed personalized ads before obtaining permission.

Rubicon Project declined to comment, saying only that its policy is to strip identity data when it determines consent is lacking.

AppNexus said it "has turned off European traffic" from about 100 publishers. AT&T Inc, which last month agreed to acquire AppNexus for a reported $1.6 billion, said they are operating as separate companies pending regulatory approval and declined to comment on specific GDPR issues.