GroupM wants publishers to sign a new data protection contract that could force them to share control of their audience data with the agency group, letting the agency continue targeting ads after the General Data Protection Regulation kicks in on May 25.

If publishers don’t sign the contract, GroupM said it would cease trading with them, claiming it would mean they aren’t necessarily compliant with the GDPR. Some publishers fear GroupM is pushing them to cover its own GDPR compliance needs, while leaving liability for fines firmly with the publisher.

The media-buying giant has said it sent the Data Protection Addendum to all its suppliers and vendors “that touch personal data in any way” in the European Union. The DPA is a contractually binding set of data protection principles that publishers would be expected to adhere to under the GDPR. The contract is nonnegotiable, according to the document.

Publishers’ legal teams are reviewing the document, but five publishers Digiday spoke to are feeling rattled by the terminology in the contract, with some calling it a “Trojan horse” document that could result in the publisher having to share the control of their data with Group M, promoting the agency group to be more like what the GDPR calls a data controller (from its current position as a data processor), which is the source of customer data. A data controller is regarded as a stronger position to be in, because they can communicate directly with the customer about consent needs, whereas a data processor doesn’t have that direct line of access as it uses data from a third-party source.

A GroupM spokesperson sent the following statement: “GroupM has an extensive GDPR program of which the GroupM data addendum forms only one part. The GroupM Data Addendum was prepared for all GroupM suppliers processing personal data whether that personal data belonged to GroupM, its clients or the supplier in question. The intention of the Data Addendum is to clearly signal the GroupM commitment to data privacy and to ask our suppliers to demonstrate the same commitment.”

The spokesperson added that the contract does not seek to impose any greater liability than already exists in the law and that the agency will handle publisher questions on a case-by-case basis.

Asked about publisher concerns about cutting ties with GroupM if they don’t sign, a GroupM spokesperson sent the following statement: “The future of our relationships with suppliers will depend on the nature of the supplier in question and the processing activities it carries out and how it demonstrates its commitment to data privacy and in particular GDPR.”

The issue of who is expected to gain consent from users and take liability for it is becoming clouded as GDPR enforcement looms. Publishers are known consumer brands and the source of the data. That means they’re in the best position to obtain consent from users with whom they have a direct relationship. For agencies and ad tech vendors further along the ad supply chain, it’s harder to gain consent. That has essentially put a target on publishers’ backs, with ad tech vendors and agencies trying to use them as vehicles to gain consent so they can continue ad targeting under the GDPR.

Amid a long list of terms and conditions in the DPA is a section on tags and data collection, which outlines how GroupM will be allowed to drop cookies and profile audiences, along with sharing publisher data while taking no liability risk itself. The terms and conditions state that publisher sites must accept rich media tags and other ad-serving tags and that the “agency and advertiser shall have no liability for the effect of tags on the sites.”

Industry sources said GroupM is essentially asking publishers to hand over their relationship with their audience — a big ask, given audience data is a publisher’s most precious asset.

Publishers’ legal teams are reviewing the document, but so far, the general consensus is they’re unlikely to sign the DPA. “Any publisher worth their salt won’t sign it,” said an industry executive. “It flouts the spirit of GDPR and undermines the business models of most publishers.”



GroupM’s contract comes at a time when Google is reportedly asking publishers to assume a “co-controller” position in GDPR compliance, wanting them to gain consent on its behalf for third-party websites and apps that use Google’s ad technology to sell ads, according to The Wall Street Journal.

The Internet Advertising Bureau Europe’s Transparency & Consent Framework, aimed at getting the whole industry compliant before GDPR enforcement starts, also requires publishers to agree to get consent on behalf of any ad tech partners they want to trade with, though it is optional for publishers to use it.

GroupM has opted to support the IAB Europe framework after scrapping its previous attempt to get publishers across the U.K. and EU countries to gain consent on its behalf — an initiative known as “Passport” — because publishers refused to cooperate.

“[GroupM explained] it as a very fair initiative for the market and that it’s in everyone’s best interest for them to get consent this way,” said a publishing executive of the Passport initative. “But they have also said that if you [publishers] don’t share consent, then they can’t use the technology to buy it [publisher inventory] that’s needed so they’ll have to stop trading. It’s like blackmail.”

Download Digiday’s guide to GDPR for original research, myths and realities and more on what marketers, publishers and technology companies need to know.