Web surfers will start to see surprising new notices come May 25, when the European Union's General Data Protection Regulation takes effect. "Welcome to BuzzFeed," one might say. "May we use your data to tailor ads for you? Our partners will collect information and use cookies for ad personalization and measurement. You can say no."

It will be a new world for everyone who has long "consented" to publishers' terms as a condition of use—a condition that's banned under GDPR. Perhaps ironically, however, publishers are now the ones feeling coerced.

That's because Google said on March 22 that publishers will need to share with it any data they get if they want to keep using its software to sell ads. Google won't disclose to publishers exactly how it uses that data, and should any GDPR violations occur, the liability will rest with publishers, not Google. Not everyone wants to say yes, but the alternative is daunting.

In its simplest form, GDPR is "setting guardrails around surveillance marketing and surveillance advertising," says Fatemeh Khatibloo, an analyst at Forrester. Most people understand that ads pay the bills for many services in a general sense, she says, but GDPR has arrived to make sure companies that "track consumers all over the web and do modeling against personal information are obtaining consent."

GDPR covers any business that operates in some way within the EU, even a U.S. publisher that gets 14 readers per month from Germany. Those found in violation face fines of around $25 million or 4 percent of annual revenue, whichever is greater.

Despite that, most companies haven't stressed: 48 percent of 1,000-plus companies surveyed say they won't make the EU's deadline, according to law firm McDermott Will & Emery. For large tech companies, it's a different story. "We all know who the EU is going to prosecute first," said one ad-tech executive, speaking on condition of anonymity to protect industry relationships. "They're going to go after Google, Facebook, Amazon and eBay."

Suddenly, though, publishers face an unexpected bind. Declining Google's offer could provoke catastrophic financial consequences. It operates DoubleClick Bid Manager, the largest platform used by marketers to buy ads; Adx, the largest exchange; and DoubleClick for Publishers, something nearly every publisher on the planet uses to sell ads.

"About 60 percent of our programmatic revenue comes from Google," says one executive at a major publishing outfit. "We effectively have no choice but to agree."

Google says its terms make sense because it acts as a controller, which the EU defines as a body that "alone or jointly with others, determines the purposes and means of the processing of personal data." Google makes "decisions on data processing to help publishers optimize ad revenue," the company explains. "That is consistent with the GDPR's definition of a controller. This designation does not give us any additional rights to data."

Under GDPR, Google says it will use data for testing algorithms, improving user experiences and ensuring the accuracy of its ad forecasting system.

Khatibloo, the Forrester analyst, says what Google is doing to publishers isn't wrong. "The way they are handling it is on point, but that also puts pubs between a rock and a hard place," she says. "Publishers are on the hook to get consent, but they don't have a ton of control over what Google does with their data after a user leaves their site. And that's the problem."

Many publishers feel Google isn't operating in the spirit of GDPR, says Jason Kint, CEO of Digital Content Next, a U.S. trade association that represents publishers such as Hearst, Gannett and Vox Media, among many others. GDPR should be "an opportunity because it allows the publisher to reassert control as the party that actually has the relationship with the user," he says. "To make matters more offensive, Google is attempting to assert they are the controller over data that they collect off the publisher site and they want to use it however they see fit, which [is on top of] putting all the liability back on the publisher for what they do."

But EU regulators keep Google under close watch, to be fair, and sketchy publishers do exist. Accepting liability on behalf of publishers would open Google to significant risk for violating GDPR, something that could cost it $4.4 billion in fines.

The EU may have overlooked the complexities of ad tech, Khatibloo says. Others agree. "The EU completely bobbled this," says an executive at one ad-tech firm. "They thought this would really punish the tech vendors, but the people with the best deployment for GDPR were Google, Facebook, Amazon and eBay. Because the exact firms the EU wanted to punish were the ones who had the tightest relationship with users, but also the ones with the lawyers and engineers to handle the changes."