What Alphabet Won’t Tell You About the GDPR
Summary: This analysis answers the following questions:
- Search is a large driver of revenue and doesn’t require data but what other portions of Alphabet’s advertising model will be affected by the GDPR?
- How much revenue do the higher risk methods currently contribute to earnings?
- Where is Alphabet most likely to incur GDPR fines?
- How will non-personalized ads affect earnings and network sites?
Alphabet (GOOG) was announced in 2015 as a holding company to help separate Google’s advertising business from the sprawling investments in Fiber internet, cloud computing, smart home products and connected car products. While these new gadgets and the promise of AI have helped successfully rebrand Google’s search and advertising business, it’s important to remember that Alphabet is still an old-fashioned advertising company with nearly 90% of Q1 2018 revenue, or $26.6 billion, coming from advertising and only 15%, or $4.6 billion, coming from these other ambitions.
Therefore, understanding the nuances of advertising especially as it relates to data regulations is going to be key for any savvy Alphabet investor. While you can invest in Alphabet for AI or connected cars, we are in the beginning of the hype cycle for these technologies, whereas the current stock price reflects advertising. Unfortunately, top-rated analysts struggle to understand Alphabet’s business model as it relates to the GDPR and CEO Sundar Pichai did not offer any answers. In the Q1 2018 earnings call, Mark Mahaney of RBC Capital Markets asked if the “GDPR or other regulation is likely to impact materially the targeting capabilities that advertisers have on Google?” The CEO replied:
“You know, above everything else as we are working through GDPR we are making sure we are focused on getting that user experience right for our users and our partners. But to clarify your question further, you know, first of all, it’s important to understand that most of our ad business is Search, where we rely on very limited information, essentially what is in the keywords to show a relevant ad or product. And so, you know, we’ve been preparing this for 18 months and I think I think, you know, we have focused on getting the compliance right. It will be a years’ long effort and, you know, we are helping not just us, but our publishers and partners. But overall, we think we’ll be able to do all that, you know, with a positive impact for users and publishers and advertisers, and so our business.”
This answer was over-simplified at best. Yes, Search is a large driver of revenue but what are the other portions of the advertising machine which will be affected? And how much revenue do the higher risk methods currently contribute to earnings?
In addition, while Alphabet has been preparing for 18 months, they recently dropped new terms and conditions on publishers only 8 weeks before the GDPR took effect — and publishers are not happy about it.
Publishers are essential for quite a few elements to the Alphabet’s advertising machine as they provide additional surface area for ad space. By installing Google’s ad software onto websites and applications, publishers allow Google to advertise on their sites.
Most importantly, because this relates to ad revenue from networks outside of Google-owned properties, this portion of revenue is what holds the highest risk in this new era of data regulations — and the revenue is sizeable enough to lead to missed earnings in the future.
Alphabet & Data Regulations: The Good, The Bad and The Ugly
The Good: Search Doesn’t Need Data; Gmail, Chrome and Google Maps Have User Consent
Quite a few of Google’s data-driven applications and services such as Gmail, Chrome and Google Maps can easily obtain user permission in exchange for the services these applications and browser provides. In addition, Google AdWords, which is based off search intent, will provide a safe haven Google’s advertising revenue as this does not require the company to harvest private data. However, even search is not immune as it’s been enriched with data such as location to enhance search results.
The Bad: Android OS Collects Surveillance-Level Data without User Consent
In one study of 850,000 internet users last year, mainly in the U.S. and Europe, Google tracked 64% of all pages loaded by mobile and web browsers
It’s hard to know where to start when looking at Google’s sprawl of potential data regulation issues. We could start with the fact they have a deal with data brokers that gives them access to 70% of our purchases made with credit cards and debit cards (without consent). The company is literally in your bank account. This is for the purpose of letting advertisers know if you completed a sale following an ad seen on one of Google’s properties. Another place to start is implicit data for advertising purposes, which uses your search history to target ads to you outside of Google search. This is why when you privately email your friend about a trip to Rome, you mysteriously get advertisements for flights to Rome on other websites.
While online tracking and conversion tracking are both invasive, the Android operating system is a surveillance-level behemoth with over 2 billion devices in circulation while littered with millions of applications leaking data to Alphabet’s advantage. Exponentially speaking, Android is impossible to contain. One study by the French research organization Exodus Privacy and Yale University’s Privacy Lab found that more than three in four Android apps contain a third-party tracker which extracts personal information, including location and in-app behavior. The apps the trackers were discovered includes Uber, Twitter, Spotify, and Tinder. The Privacy Lab found the in-app trackers revealed “an extensive data mining market buried within the mobile app ecosystem” enabling physical surveillance including through the use of WiFi, Bluetooth and ultrasonic sound inaudible to the human ear to track geolocations in real time.
Takeaway: Android will be the most likely source for fines by the European Union as it will be challenging to partition device IDs by geographies. Some have conjectured Alphabet will risk fines before voluntarily reducing their cyber intelligence. The fines are 1.6% of annual global revenue, or $4.4 billion for Google.
The Ugly: Walking the Razor’s Edge Between Data Violations and Non-Personalized Ads
Data collected from the Android OS augments and enriches data science modeling for Alphabet to monetize the data elsewhere. That “elsewhere” is Adsense, AdX and AdMob. Google’s AdSense and AdX Networks enable non-Google websites to incorporate Google display advertising, and this is what current publishers are in an uproar about.
To summarize, Alphabet is attempting to become a co-controller for data in some instances and a processor in other instances. It’s unknown how the European Union will view data leaks from publishers to Alphabet.
The level of involvement Google has as either a co-controller or processor is important for investors to understand as these regulations continue to play out. This may be hard to imagine today, but if data collection returns to property-owned data collection only, then the premium price advertisers pay for Google ad inventory may diminish as Google will struggle to differentiate itself from other advertising options from a campaign ROI standpoint if or when it fails to get the proper consent to collect the data and broker the ads.
The worst case scenario here is that Google has to display “non-personalized” ads where consent isn’t obtained — which Google is already prepared to do: “As previously announced, we’re also launching a Non-Personalized Ads solution (DFP/AdX, AdMob, AdSense) to enable publishers to present EEA users with a choice between personalized ads and non-personalized ads (or to choose to serve only non-personalized ads to users in the EEA).”
As mentioned above, this is where the premium price can potentially recede. By being forced to serve non-personalized ads, the competitive advantage Google has will diminish in this circumstance.
While Search is intact, there are many layers to data collection and ad targeting which will lower ROI campaign performance as the data Alphabet is allowed to collect continues to wane. In this article, we’ve discussed that the Android OS is leaky and the most likely part of Alphabet’s business to be fined. As far as revenue is concerned, non-personalized ads is the potential weakness especially on network sites as $17.59 billion was earned from network sites annually in 2017.