
The AMP framework was established to speed up mobile websites. Normally, AMP pages are served via Google's CDN and are cached on Google's servers. Visitors who click on an AMP result in Google search seldom realize that they are directed to Google infrastructure, which means that their personal data, such as the IP address, is processed by Google. The European GDPR that comes into effect on May 25th is very strict about collecting and processing user data - especially when the data is sent to third-party servers. Is it still possible to use AMP in compliance with the GDPR?

Important notice: The purpose of this article is not to give legal advice. Every implementation or change on a website according to GDPR should be checked and approved by a legal expert.
Nevertheless, my experiences in preparing for GDPR might inspire other webmasters as to what to look for and how to avoid or mitigate some of the risks arising from GDPR. However, there is no claim to completeness. This article is written in English because most members of the AMP development community share their knowledge in this language. Sharing this article might help to get some more input from international AMP experts.

 

Google servers instead of domain shown in the search results

When Google introduced AMP about two years ago, only a few websites used this framework. AMP is supposed to speed up mobile websites by reducing the file size of HTML and JavaScript. Additionally, AMP pages are delivered via Google's Content Delivery Network (CDN) and are cached on Google servers.

This is where the problems with respect to GDPR begin: If you cooperate with a partner that collects and processes user data such as IP addresses, you as a webmaster should have a Data Processing Agreement (DPA) with that partner. Additional requirements might be necessary (Privacy Shield, EU Model Clauses etc.). This applies, for example, if you have a hosting contract or if you use a CDN provided by a third party.

In the case of AMP, Google might be regarded as such a data processing partner - therefore it might be necessary to have a DPA with Google for that. But until now, such a DPA does not seem to be available.

There has been an interesting discussion on Google's Webmaster Central Help Forum about AMP and GDPR. It seems that currently only a few people are dealing with the questions mentioned above. Some are of the opinion that AMP can be treated like normal pages cached by Google for search results. But one big difference, in my opinion, is that when I request a page from Google cache, I know it's delivered by Google. That's not the case with AMP results.

There is also no official statement from Google concerning AMP and GDPR. I asked John Mueller via Twitter about this, but have not received a response yet. Maybe he will answer in the next few days because he has to check for details with the responsible team first.

 

So what can be done in order to deal with this problem?

As long as there are no experiences from webmasters dealing with AMP and GDPR, everyone has to draw their own conclusions. Webmasters who want to reduce their risk can deactivate their AMP pages - when a website is responsive or has at least a mobile-friendly version, this can be an alternative. The drawback would be forgoing opportunities that come with AMP, like prominent news carousels.

AMP also offers a new component called AMP consent. This component allows an AMP page to react according to user consent. Some page elements like tracking or ads can thus be deactivated if no user consent is given. Unfortunately, AMP consent is not suited for dealing with the problems mentioned above.

One thing that might help would be some kind of notice on Google SERPs containing AMP results that informs users that when clicking on such a result they are taken to Google servers instead of the domain shown in the search results. In addition, Google should provide a DPA for AMP users in order to have some kind of agreement on how Google deals with user data.

It remains to be seen if there will be some progress regarding these questions in the next four weeks. If the situation remains unclear, maybe switching off all AMP pages can be a solution.

Update: Malte Ubl, AMP Project Lead at Google, answered via Twitter and pointed to Google's help page for viewers of AMP pages. He also sent a link to a discussion on a GitHub page:

 

Malte Ubl: answer regarding AMP and GDPR

 

But an answer is still missing on how users can be informed about being directed to a Google server before they click on a result. There is also no information yet about Google providing a DPA for AMP.

 

Update May 3rd:

Antje Weisser, Publisher Support Manager AMP in Mountain View, suggested via Google Forum:

"For user interactions through Google's AMP Viewer we strive to ensure data sharing meets user expectations. We currently provide a link to a Help Center article that can be accessed via the Viewer to explain how data flows in the hybrid environment of the Viewer. These are some of the notable consequences of this arrangement:

During a visit to an AMP page via the Google AMP viewer, any data that the Google AMP viewer may collect, such as a record of the visit happening, is covered by Google’s Privacy Policy.

Separately, a publisher can use features in their AMP page that collect data on the publisher’s behalf. Because the publisher chooses the behaviors and vendor integrations in the page, the publisher is responsible for managing the compliance obligations that stem from those choices. Check out this post for how to implement user choice flows in AMP documents, and if you need additional features to be supported in AMP, you can suggest them in the AMP Project GitHub

A publisher may use a Google service (e.g. Google Analytics) on their AMP page and create an additional relationship between Google and the publisher concerning data. In that case, there are specific additional arrangements in place to cover the relationship between Google and the publisher with respect to that data, and scoped to the Google service involved."

It remains to be seen whether the reference to Google's Privacy Policy for the AMP viewer will be enough to comply with GDPR. In any case, some residual legal risk will likely remain for publishers because of the resulting ambiguity between publishers and Google.

There is still no sign of Google providing a DPA or more visible hints for users on SERPs informing them about being directed to Google servers when clicking on an AMP result.

 

 

Cover image © Matthias Enter - Fotolia.com

 
