Several publishers are pushing back on demands by agency giant Publicis that are meant to get the agency in compliance with the General Data Protection Regulation. The concerns center around Publicis’ shifting liability for the new European privacy law to publishers.

The GDPR requires companies to justify collecting people’s data for the purpose of targeting them with ads and other business objectives. Confusion and controversy have followed as players in the ad supply chain dispute who’s responsible for what. In the Publicis case, publishers say the holding company is asking the publishers to collect users’ consent to be ad-targeted and to assume all liability for collecting that consent, per its new terms and conditions. The publishers’ concern is that agreeing to this demand would leave the publisher responsible if the agency retargets users who haven’t consented to be targeted.

“The ask before was, ‘Add us to your consent form.’ Now they just reworded it to say, ‘You’re responsible for getting consent, and we aren’t,” groused one publisher that’s been presented with the demands and who, like all publishing execs in this article, spoke on condition of anonymity since they were still in talks with the holding company.

Piling on to already hefty GDPR-related agency demands, three publishers said Publicis also sent them a 56-question “Vendor Personal Data” questionnaires asking for details on how the publisher uses Publicis Groupe data. Publishers were told to complete it by June 30 to avoid any potential “cessation of spend” by Publicis.

Some sent the questionnaire said they haven’t completed it, saying they’re dissatisfied with the lack of response they’ve had from Publicis about its GDPR requirements or they’re buried by other, similar compliance documents they’ve gotten from other companies.

Publicis wouldn’t disclose how many publishers or media companies have agreed to these terms and conditions, although it is telling that most publishers have agreed to them. Some publishers tell Digiday they’re still in talks with the holding company over them, though.

Publicis Media sent over the following statement: “With the goal of GDPR ensuring the right protections are in place for consumers, the advertising industry has been working together to address the requirements under GDPR. Publicis Groupe has implemented a robust data privacy governance structure and is working closely with publishers and other media providers to execute data processing agreements, or DPAs, to make sure Publicis is addressing those requirements, knowing that all members of the industry are focused on meeting the requirements under GDPR. To manage the process as simply as possible, Publicis developed a template DPA to cover several scenarios (client data being used, publisher data being used, etc.) and the template makes clear the provisions only apply if that scenario exists. To the extent publishers are processing data in a way not contemplated by our DPA, Publicis and the publishers have been engaging in thoughtful discussions and reaching consensus to ensure compliance so no campaigns are cancelled. Publicis values the partnership that publishers and others in the media ecosystem have provided as everyone in the industry navigates through GDPR. Importantly, as part of our process, we are taking a market-by-market approach to ensure we capture local sensitivities and we will continue to work with our media vendors to resolve questions and issues around GDPR.”

Under GDPR, publishers are classed as data controllers because they are regarded as the source of the first-party audience data, which other businesses will marry advertiser data to for the purpose of targeting ads. Advertisers are also classed as data controllers, given their own customer data is sourced from them and not third parties. Agencies and vendors are typically defined as data processors, because they work with data that’s sourced either from the publisher or the client. Agencies therefore process data on behalf of their clients, but publishers don’t believe they should share accountability for whatever is done with that data on the clients’ sites, when that is controlled by the agency. The challenge to this position is that some publishers believe in being asked to be a sub-processor, they could be liable for consent on campaign data that the agency collects and for any breaches through appended data.

“They’re trying to get publishers to be responsible for their client data, but as sub-processors without full transparency of their system, that feels like they’re just passing the liability on to us,” said another publishing executive.

The issue of liability comes into play with retargeting, something agencies have been getting more forceful about lately. Shortly before the GDPR enforcement began, Publicis also started requiring publishers it buys media from to agree to a promise that Publicis will not retarget that individual publisher’s audience. On its face, the requirement seemed designed to assuage publisher fears that the agency would not create a targeting segment using that publisher’s valuable audience data. Publishers reading this were concerned that this language would allow Publicis to still retarget its audience, but just in combination with other publishers’ audiences — whether or not the publisher has gotten the users’ consent to be targeted in that way. The GDPR has had a chilling effect on audience targeting because that tactic requires people to give explicit consent, but the Publicis language shows the practice isn’t being abandoned, either.

That communication complaint isn’t isolated to Publicis, said one publishing executive. In general, only 20-30 percent of the Data Protection Addendums this publisher is getting from agencies are acceptable to the publisher, the same exec said. Publishers cried foul earlier this year when another media-buying giant GroupM made demands that would let GroupM continue targeting ads to the publishers’ audience under the GDPR. Publishers worried the demands would potentially give GroupM control of their audience data.

“So we go back and say we’re O.K. to negotiate it — to agree a data processing system, and then we’re getting radio silence,” the exec said. “We have had over a dozen from all agency groups saying, ‘Sign this or we can’t do business with you.’ It feels like their default position. Maybe this will get worked through over the next six months, but the current position is still an aggressive and absolute war of attrition.”

Another publishing exec was more charitable, saying Publicis was at least discussing the publishers’ concerns. Two publishers also noted that GroupM has shown more flexibility lately, going from refusing to amend their GDPR-related demands to agreeing to negotiate terms relating to tag placement, rich profile creation and publisher liability.



As some publishers see it, complicating the whole GDPR compliance matter is that holding groups are still so siloed that their individual agencies are all sending their own DPAs without coordinating with each other. Intentional or not, the avalanche of similar demands coming at the last minute from different agencies at the same holding company has left some publishers confused and suspicious that Publicis is trying to use the GDPR to further its commercial advantage.

Publicis has stressed that it has a single DPA that is used globally by all its agencies and is managed centrally at country level by its trading central practice Publicis Media Exchange. Not all publishers have felt the various communications around GDPR have been joined up enough however.

“With Publicis, there is no coordination within its agencies between countries — they’re not communicating at a group level. Publicis has been saying you have to sign this or we will pull money, but it’s coming from Publicis agencies rather than Publicis group. If that’s not their group position, then they need to clarify what it [their data position] is,” said a publishing executive.

“They [holding groups] don’t have a joined-up approach — everyone is working in silos at agencies,” added a different executive.

For more on the regulation’s impact on the media and marketing industry, download our complete guide to GDPR.