7 min Reading time

Google Customer Match: without permission, dubious from a privacy view point.

Widely used and valuable: Google Customer Match. But often permission is required, due to privacy regulations. When this is required and it is lacking, Google Customer Match is against the law.

Google Customer Match. A useful system to approach one’s own customers through Google. It makes advertisers’ customers see their ads when they type a search request that is related to the advertisers’ products. That is, if they are Google subscribers. These customers/Google subscribers are already their customers, so it is likely that they feel less hesitant than non-customers about entering into a new agreement with the advertiser.

Besides, the advertiser can make a tailor-made offer, that suits his customer perfectly: after all, he knows his customers. In short: many advantages. Rumour has it that the conversion is beyond good. All understandable. And great, of course, but there is one downside: to be able to do this, Google needs to get access to the email addresses of the customers. And that’s a sensitive issue. With respect to privacy, Google is hardly a saint.

How does it work?

An advertiser uploads his customers’ email addresses to Google. It could be all email addresses or a selection; that depends on the purpose of the upload. Google checks which of the uploaded email addresses are subscribers of Google/youtube. The advertiser manages the file, which is hosted by Google. He can add email addresses and other datato this file, or delete the email addresses.

Next, the advertiser shows his customers who are also Google subscribers, tailor-made ads through Google Adwords campaigns. This means that when his customers search with a word (an adword) on Google that the advertiser has ‘claimed’  (that he pays the most for), they will be shown ads that have been selected for them.

If the advertiser deletes email addresses from the list, Google will delete the data that indicate that they are customers of this advertiser.

Another option is that Google analyses the uploaded file. The goal is to find characteristics that the people in the file have in common. Characteristics  that are, in addition, specific to that file. The reasoning: this is a customers’ file, so it is likely that people who are not customers, but share these characteristics, will become customers sooner than those who do not share these characteristics. The advertiser can then target his Adwords campaigns on these non-customers . These are the look-alike audiences.

The look-alike audiences remain the property of Google. Google only uses the file to, if the advertiser so indicates, send ads from the advertiser to the people in the file. This blog is not about the look-alike audiences. Only question is whether the addition of the characteristic ‘look-alike of customers of advertiser X’ does not constitute an violation of customer privacy. That doesn’t (easily) seem to be the case.

It’s different for the Adwords campaigns.

What is the problem?

First of all, the division of roles. Who is responsible for what? In privacy law, the one called responsible is the party who is ‘responsible’ towards the people in the file (the customers) for the correct and proper handling of their data. With every act (uploading, selecting, adding, storing, serving ads) it needs to be decided who is responsible for that.

The advertiser is responsible for uploading to Google. He needs to make sure that he is allowed to do so. Next, the uploaded customers who are also Google subscribers are being tracked on Google. This is to see which search word they submit. Is that a search word the advertiser has claimed, then Google will show the customer an ad which has been selected by the advertiser.

Who is responsible for the following/tracking and the showing of ads through Adwords? Google is commissioned to do this by the advertiser. One could say that the advertiser is solely responsible. That Google is only acting on behalf of the advertiser, somewhat like a DM mailing house for hard-copy mail is also only executing the wishes of the advertiser. It is however questionable if Google can really minimise its role like that.

I would say that Google’s role is bigger than that of a mailing house. In the system set up by Google (on which advertisers have no influence whatsoever) the advertiser only directs the choice of Adwords and the choice of selection from his customer base. All other elements of the process, the tracking, the bidding process, the determination of order of who gets to see which ads, etcetera, is Google’s work. It’s then not a fair assessment to say that Google is only doing things for these advertisers and that Google itself, like an inanimate tool, is only executor. Google has an independent position. That makes Google co-responsible, alongside the advertiser.

The customer has a relationship with the advertiser. He left his data with the advertiser. That could be for multiple reasons: for instance, to be able to work on a contract with the advertiser. In principle, the advertiser may use the customer’s data to send the consumer ads. The customer understands that third parties can obtain his data to let him receive the advertiser’s ads: an email platform, a mailing house for hard-copy mail, an external call enter. All this under direction from the advertiser. But does he understand Google?

Google, which receives his data (his email address and the fact that he is a customer of the advertiser) to show him ads from the advertiser? That doesn’t go without saying. Especially when the advertiser’s control is limited with Google. And Google itself is co-responsible. That makes Google’s relation to the customer not that of a powerless extension of the advertiser, but an outsider, a third party, who receives the customer’s data. That has consequences.

In any case, when asking for customer data the advertiser should in his privacy statement mention that he will provide Google with certain data. Google itself also states this in its terms and conditions. The customer of Google (the advertiser) will have to include in the statement about the purpose of the use of email addresses, that they may be provided to social media, with the intention to recognize the customers on those social media as customers of the advertiser and to serve them with relevant information based on that.

Is that enough? Or should the advertiser obtain permission from the customer first, before he can share his email address with Google? I tend to think so. Fact is, that the advertiser of whom the customer is a customer, ‘keeps an eye’ on the customer via Google. For this, his data is being shared with Google.

That the advertiser keeps an eye on the customer as he strolls around on his website, comes as no surprise to the customer. Perhaps he has given permission for that via a cookie. And that Google keeps an eye on the customer, he also knows (they are, after all, customers who are Google-subscribers). But that the advertiser /tracks the customer via Google, that he does not have to expect. And customers can experience that as a violation of their privacy. In that case, just mere informing does not suffice and permission needs to be obtained.

Moreover, providing data to Google as such, whether Google is responsible or just a powerless tool, is not acceptable for everybody. Up until the new regulation on data transfer to the US, the highest European Court also did not think it was acceptable (related to the lack of respect for privacy by the US government). Also because of this, it may be necessary to obtain permission for providing data to Google.

If advertisers don’t inform and/or obtain permission for Google Customer Match, they act against the law. Google may also be acting against the law. To dodge this, Google mentions in its terms and conditions that if it is necessary to ask permission, the advertiser should do this. Google herewith places the ball in the advertiser’s court. But that doesn’t necessarily absolve Google. First of all, because Google itself is also responsible. But also because a party such as Google cannot keep claiming innocence if it transpires that the majority of the advertisers who use Google Customer Match, do this against the law. This burying-one’s-head-in-the-sand strategy will only keep things afloat briefly.

16 January 2017 - ICT recht, Privacyrecht, Reclamerecht

About Jetse Sprey

Jetse is associated with our office as legal counsel. Jetse finds solutions instead of problems and is able to break stalemates again and again. He speaks his mind and is not guided by what he thinks his clients want to hear.

He writes sharp, readable contracts. He has extensive experience with Blockchain and is an entrepreneur in this field himself. He writes convincing procedural documents and advice. He is knowledgeable in intellectual property, privacy and corporate law.

More about Jetse Sprey