How the GDPR will disrupt Google and Facebook

Dr Johnny Ryan GDPR 22 Comments

Google and Facebook will be disrupted by the new European data protection rules that are due to apply in May 2018. This note explains how. 

Google and Facebook will be unable to use the personal data they hold for advertising purposes without user permission. This is an acute challenge because, contrary to what some commentators have assumed, they cannot use a “service-wide” opt-in for everything. Nor can they deny access to their services to users who refuse to opt-in to tracking.[1] Some parts of their businesses are likely to be disrupted more than others.

The GDPR Scale

When one uses Google or one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. However, the application of the GDPR will prevent them from using these personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.[2]

Google and Facebook cannot confront their users with broad, non-specific, consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have made clear what they expect:

“A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.[3]

A business cannot, for example, collect more data for a purpose than it needs and then retroactively ask to use those data for additional purposes.[4]

It will be necessary to ask for consent, or present an opt-out choice, at different times, and for different things. This creates varying levels of risk. We estimate these risks on the “GDPR scale”, shown below.

The scale ranges from zero to five. Five, at the high end of the scale, describes the circumstances that many adtech companies that have no direct relationship with Internet users will find themselves in. They need to get the consent of the people whose data they rely on. But they have no channel of communication through which they can do so.

Four, next highest on the scale, refers to companies that have direct relationships with users, and can use this to ask for consent. However, users have little incentive to “opt-in” to being tracked for advertising. Whereas a user might opt-in to some form of profiling that comes with tangible benefits, such as a loyalty scheme, the same user might not be willing to opt-in to more extensive profiling that yields no benefit. The extensiveness of the profiling is important because, as the note at the bottom of this page shows, users will be aware of the uses of their data when consent is sought. Thus adtech tracking across the web might rank as four, but a loyalty scheme might rank as three on the GDPR scale.

A slightly more attractive prospect, from Google and Facebook’s perspective, is to inform a user about what they want to do with the personal data, and give the user a chance to “opt-out” beforehand.[5] This is two on the scale. This opt-out approach has the benefit – from the company’s perspective – that some users’ inaction may allow their data to be used. The GDPR permits the opt-out approach when the purposes that the companies want to use the data for are “compatible” with the original purpose for which personal data were shared by users.[6] In addition to the opt-out notice, users also have to be told of their right to object at any time to the use of their data for direct marketing.[7]

One on the scale refers to activities that currently involve the processing of personal data, but that do not need to do so. With modification, these activities could be put beyond the scope of the Regulation.

Activities at the zero end of the scale are outside the scope of the Regulation, because they use no personal data.


Our estimate of Google, when applied to this scale, shows a significant range of products at four on the scale, with the proviso that some part of that set of products can be modified, which would lower their score from four to one.Download PDF

All personalized[8] advertising on Google sites such as Search, Youtube, Maps, and the websites where Google provides advertising is scored four because it will require that users opt-in to extensive tracking.

If, however, users have already “signed in” to Google Search or Chrome, Google may argue that the purpose of these technologies is “compatible” with purposes users agreed to, and hope to use an opt-out rather than an opt-in. Whether this would be successful, however, remains to be seen.

The technologies that will be affected include:

  • Certain targeting features of AdWords such as “remarketing”,[9] “affinity audiences”,[10] “custom affinity audiences”,[11] “in-market audiences”,[12] “similar audiences”,[13] “demographic targeting”,[14] “Floodlight” cross-device tracking.[15]
  • “Customer Match”, which targets users and similar users based on personal data contributed by an advertisers.[16] A prospect would have had to give their consent to the advertiser for this to occur.
  • “Remarketing lists for search ads (RLSA)”, retargeting from site visitors by using Google Analytics, is likely to be prevented by the ePR.[20]

Gmail, the most popular e-mail service in the world, will also be affected. Google mines the content and metadata of each email message sent and received in Gmail to target advertising. This could not have continued under the GDPR and ePR without each sender and recipient giving their consent. Clearly, few would do so, and Gmail is at four on the scale. This may be the real reason, or at least a contributing reason, why Google has recently announced that it will stop mining people’s emails for ads.[21]

In addition, “programmatic” advertising services that Google provides to advertisers and publishers under its DoubleClick business will be affected. Operating these under the GDPR would require not only that a user consents to Google’s use of data for advertising targeting purposes, but to the many other companies such as DMPs (data management platforms), DSPs (demand side platforms), and so forth processing these data too. The DoubleClick business is therefore at four on the scale.

At two on the scale is “location targeting”,[22] and “location extensions”, technologies in Google Maps that enable advertising to target users based on geographical proximity. This score, however, is based on the assumption that advertising in map search results is accepted as a compatible purpose with the original purpose for which location data were shared by users.

Google’s AdWords product has the benefit that it can be modified to operate entirely outside the scope of the GDPR and ePR. This is why it appears at four on the scale, and at one. If Google discards personalized targeting features from AdWords, then it can continue to target advertisements to people based on what they search for.

Finally, at zero on the scale is Google’s “placement-targeted” advertisements.[23] These target only by the context of the pages they appear on, rather than by using personal data. Therefore they are out of scope of the GDPR.


Significant parts of Facebook’s business are at two and four on the scale.Download PDF

The Facebook Audience Network is scored four because it requires the processing of personal data from Facebook users to target them on other websites. It is unlikely that this will be regarded as a compatible use. If it is, Facebook will have to convince users not to opt-out.

WhatsApp advertising is also scored four on the scale because it will be necessary for users to give their consent (an opt-in, rather than an opt-out) for their personal data on WhatsApp to be processed for purposes unrelated to WhatsApp functionality on Facebook properties other than WhatsApp.[24]

Farther down the scale, at two, is Facebook’s Newsfeed, which may be able to use an opt-out approach to get some users to permit the processing of these personal data.

However, the nature of the content in the Newsfeed may limit the range of data it can process. Any information that reveals a person’s race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, or are related to a person’s sex life or sexual orientation are in “special categories of data”. These cannot be used without explicit consent, or unless they have been “manifestly made public by the data subject”.[25] Facebook may not be able to mine some posts in the Newsfeed that are not marked “public” (or, perhaps, “friends of friends”[26]). It may even be that the determination of which posts are “special categories” of data, and which are not, may itself be processing that goes to far.

The use of personal data from Instagram for advertising on Instagram may accepted as a compatible purpose, and enable Instagram to use an opt-out notice rather than request an opt-in.

Access the GDPR/ePR repository

A repository of GDPR and ePrivacy Regulation explainers, official docs, and current status.


Both Google and Facebook have direct relationships with their users, and have a well thought out design for their current privacy requests. However, they are not immune to disruption when the new regulations apply. Indeed, some parts of their businesses may be particularly susceptible to them. While they can process personal data necessary to provide services that their users request, using these data for any other purpose requires user-permission, or inaction, in the case of out-outs. The critical question for both businesses is whether users will click “yes”, when asked to consent.

PageFair Research

We are surveying sample industry-insiders’ insights into this question. Your shared insights may illuminate this issue. Please click the button below to take the survey.

70 second survey

We have designed the survey to take 70 seconds to complete. Thank you for your input – we will share the results.

Perimeter: the regulatory firewall for online media and adtech.

Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.

Learn more


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1. See Recital 42’s reference to “without detriment”, Recital 43’s discussion of “freely given” consent, and Article 7(2) prohibition of conditionality. See also the UK Information Commissioner’s Office’s draft guidance on consent, 31 March 2017, p. 21, which clearly prohibits so-called “tracking walls”.

[2] The GDPR, Article 5, paragraph 1, b.

[3] Article 29 Working Party, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 16. This is evident in GDPR, Article 13, paragraph 1, c.

[4] The GDPR, Recital 32 notes that “When the processing has multiple purposes, consent should be given for all of them”. Recital 39 notes that “specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum”.

[5] ibid., Recital 61.

[6] ibid., Article 6, paragraph 4, and Recital 50.
The Article 29 Working Party has provided some guidance on how one should determine whether purposes are compatible. Among the issues to consider are “the impact of the further processing on the data subjects”. Article 29 Working Party, Opinion 03/2013 on purpose limitation, 2 April 2013, p. 3.
This may be a challenge for social platforms. Facebook, for example, was the subject of a scandal in May and April 2017 when a document leaked from its Australian business that described its capabilities to identify “moments when young people need a confidence boost”, or feel “worthless” or “insecure”, for marketing purposes. “Facebook targets insecure young people to sell ads”, The Australian, 1 May 2017 (URL:; see Facebook’s reply of 30 April 2017 (URL:

[7] The GDPR, Article 21, paragraph 2 and 3; see also Recital 70 on the manner in which the user is to be informed of this right.

[8] “Personalized advertising”, Google Advertising Policies Help, (URL: Note that even users who are not signed out receive personalised search results, as described in Brian Horling and Matthew Kulick, “Personalized Search for everyone”, 4 December 2009, Google Blog (URL:

[9] “About remarketing lists for search ads”, Google AdWords Help, (URL:

[10] According to Google, this is “based on their specific interests as they browse pages, apps, channels, videos, and content across YouTube and the Google Display Network as well as on YouTube search results”. See “About targeting your ads by audience interests”, Google AdWords Help, (URL:

[11] “About targeting your ads by audience interests”, Google AdWords Help (URL:

[12] “In-Market Audiences”, Think with Google (URL:

[13] “AdWords looks at browsing activity on Display Network sites over the last 30 days, and uses this, along with its contextual engine, to understand the shared interests and characteristics of the people in your remarketing list.” “About similar audiences on the Display Network”, Google AdWords Help (URL:

[14] “When people are signed in from their Google Account, we may use demographics derived from their settings or activity on Google properties, depending on their account status”, “About demographic targeting”, AdWords Help (URL:

[15] “About Floodlight”, DoubleClick Digital Marketing Partners Help

[16] “About Customer Match”, Google AdWords Help (URL:

[17] “About remarketing lists for search ads”, Google AdWords Help (URL:

[21] “Consumer Gmail content will not be used or scanned for any ads personalization after this change.” Diane Greene, 23 June 2017 (URL:

[22] “Target customers near an address with location extensions”, Google AdWords Help (URL:

[23] “Add, edit, and remove managed placements”, Google AdWords Help (URL:

[24] See the recent correspondence between the Irish regulator and Facebook “Data Protection Commissioner’s Statement on the Frequently Asked Questions published by WhatsApp”, 16 August 2017 (URL:

[25] The prohibition is in the GDPR, Article 9. See also Article 6, paragraph 4, c. The exception is Article 9, paragraph 2, e. See also Recital 71.

[26] An average user has 40,000 friends of friends, though the 99th percentile has 800,000. See Lars Backstrom, “People you may know”, 12 July 2010 (URL:


Businesses will have to provide the following information to internet users when seeking their consent.

  • Who is collecting the data, and how to contact them or their European representative. 
  • What the personal information are being used for, and the legal basis of the data processing.
  • The “legitimate interest” of the user of the data (This refers to a legal basis that may be used by direct marketing companies).
  • With whom the data will be shared.
  • Whether the controller intends to transfer data to a third country, and if so has the European Commission deemed this country’s protections adequate or what alternative safeguards or rules are in place.
  • The duration of storage, or the criteria used to determine duration.
  • That the user has the right to request rectification to mistakes in this personal information.
  • That the user has the right to withdraw consent.
  • How the user can lodge a complaint with the supervisory authority.
  • What the consequences of not giving consent might be.
  • In cases of automated decision-making, including profiling, what the logic of this process is, and what the significance of the outcomes may be.
  • Antonio Hyder

    GDPR = General Data Protection Regulation

  • Anton VS

    This is somewhat missing the point. People want better Ad’s. So they have incentive to agree. On the other hand, its a complete administrative nightmare for smaller companies.

    • To Anton VS. Let me tackle the first point you raise. There is – unless you can point to some – no evidence to support the notion that people will opt in to being tracked across the web in order to have ads fine tuned to their interests. A recent study by the adtech lobby said that “Fewer (20%) would be happy for their data to be shared with third parties for advertising purposes”, which is what behaviourally targeted advertising entails. (p. 7 of Our own research points to the same conclusion.

      • Rui Soares

        Hi Johnny I’ve enjoyed reading your post. I think the right link for the study is this one:
        Yes, one can not rely only on opt-in for getting permission. Justifying with legitimate interest for t business through explicit legal basis for it may be the best option:
        Even though not that much clarity there is one door open in Recital 47, last two line:
        “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.

        The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

        • Dear Rui, Recital 47 refers to direct marketing, not necessarily to online behavioural advertising. We have explored this question and concluded that it is not viable. See our note on legitimate interest here.

          • Rui Soares

            So, companies on this kind of business better work hard on avoiding the risk of using personal data by, for instance, using context relevance for placing ads? As a consumer, for me it’s really annoying to have a travel ad on an unrelated site I am visiting (say a technical forum) just because I searched before for cheap tickets. It’s a distracter and actually has the opposite effect (I always avoid clicking those and it impacts my experience on that site). On the other hand showing me travel ads in the context of a blog where I am checking about a given country, that is welcome because that would be a possible action I might consider.

      • Camuso

        The link above is not working.

        • Remove the bracket at the end

          • Camuso

            Thanks! 🙂

    • I agree .

  • Andy Petrella

    Great one Johnny! There is another good one, they will have to struggle with the accountability principles (incl. transparency and process registry) which should be the main focus for enterprises — based on the G29 recommendations.

    You mentioned technologies like management, indeed they are keys, but one such technologies you won’t see a lot is data activity management that can control how processes are executed in opposite to data management that controls what data is available and accessed.

    At Kensu (, we are creating this technology (the Kensu Data Activity Manager) with a former goal to monitor data science activities (incl. lineage, accuracy and performances) across tools ; which turns to be appreciated by GDPR exposed enterprises willing to exposes and manage how data are used and automatically build transparency report and process registry.

    Sorry for the pitchy comment, but I really like your approach and thus I thought topping it with our vision makes sense.

    • Simona Galdikaite

      Hi Andy. Great product. I’m thrilled to see how many products are being created to help with automatic GDPR compliance. At we offer automatic sensitive information identification and categorisation. However, many organisations still need solutions that enable to take appropriate actions once such information is detected.

  • James Mullarkey

    Hi Johnny

    Nice post. One I’ve been pondering is when you leave Facebook they retain all your data (everything you’ve ever done ever) just in case you want to come back…apparently. Will they now be forced to forget you and everything about you if you leave Facebook do you know?



    • I would imagine so, based on the principle of data minimisation.

  • John Sharkey

    Great article, thank you. Any articles on what those of us who use Google Analytics should do? Google is being silent on this so far.

    • Analytics are currently a contested issue in the ePrivacy negotiations. Wait for the LIBE committee’s report this week to get a sense of how that will shake out. Currently it seems likely that analytics can be done by a company on behalf of a publishers provided the publisher controls the data itself.

  • John Jukams

    How can the new regulation be applied to Facebook or Google if the hardware, servers are not in the EU? Let’s say a Brazilian (non-EU citizen) creates an account, does the regulation apply? Will the regulation only apply for EU citizens? If yes, then how Google or Facebook is supposed to track who is EU citizen and who is not?

    • AB

      Hey, This is what the regulation says :

      Territorial scope
      This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

      This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

      the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

      the monitoring of their behaviour as far as their behaviour takes place within the Union.
      This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

      So according to me for a Brazilian (non-EU citizen) it would apply if he is let’s say on vacation in the EU. (point 2)

  • jf

    Will these comments be regarded as personal data under GDPR and if so, will refreshed consent be needed to display them ?

    • Good question. I think the answer is no. Looking at the ePR drafts, when one requests a service (in this case, your use of commenting) and the service has a technical need to use relevant personal data to deliver the service, then consent is not required.

      • jf

        Thanks Johnny. It’s probably a bit more complicated for a service like Facebook where a user has a myriad of personal data posted (birthday, likes, shares etc.) all of which will be available to view regardless of whether or not that user has refreshed.

  • John Francis Marshall

    Hi Johnny ( Conas ta tu  ) ( SENT THIS BY EMAIL ALSO )

    Dr Ryan, we have a couple of things in common. I’m from Dublin, studied at the Art College on Kildare St and have been in the Ad business all my life. I also lived in Rougham, Suffolk and had an office at the Innovation Centre in Cambridge UK. I now live outside Toronto, Canada.

    As an inventor of a unique Ad Technology, I have one question for you. Does my invention comply with the upcoming GDPR rules.

    Here is one of our ad units for Sotheby’s Real Estate. You can actually “opt in” to engage with the ad unit and receive an answer in real time ( still within the ad unit ), without leaving the page where the ad resides.

    If a user “opts in” to seek personalized content “inside” the ad unit, does this mean that they have agreed to be offered additional personalized content inside any future SnappSearch ad campaigns

    P.S. The Analytics are off the charts and beat the Google Benchmarks by a country mile.

    I would really appreciate an opinion.

    Gura Mile Maith Agat