*This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.*
The General Data Protection Regulation (GDPR) is a new EU regulation that harmonizes data privacy laws across Europe in order to protect and strengthen the data privacy of all EU citizens. Failure to adhere to these laws can be detrimental to a business and its financial stability: GDPR fines can go up to 20 million euros or 4% of annual global turnover, whichever is higher. Companies have until May 25, 2018 to comply with the GDPR.
GDPR applies regardless of where your business is located. If you track the behavior of, or manage data about, an EU resident, you are required to comply with GDPR.
At the simplest level, GDPR deals with consumer concerns about data privacy and security. While the regulation has a plethora of sections and subsections, some of the most prominent areas that relate to PPC’ers and digital marketers are:
- Personal Data can only be used with the express consent of the consumer
- Consumers have a “right to be forgotten” and a right of “data portability”
- Safe and secure administrative record-keeping requirements
“Definitions” of Personal Data and its uses
Personal data can be associated with everything from email addresses to payment information, basically anything that can tie to a person’s identity.
However, GDPR now also categorizes cookies, IP addresses, device IDs and location data as “personal data”.
Recital 30 of the EU GDPR defines “online identifiers for profiling and identification” as such:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
So, what is “consent” for the use of personal data? Basically the user must actively agree to the way their data is collected and used. Here are some examples of things no longer acceptable as “consent” under GDPR:
- Pre-checked boxes on forms or data collection points.
- Passive “you accept cookies” notices
Customers must be able to give consent freely. Implied consent is no longer acceptable, and consent cannot be hidden in long Terms & Conditions written in complex legal language. The customer is also given the right to withdraw their consent at any time.
How will this impact tactics like remarketing and behavioral campaigns in display and social? That is still not 100% clear, but… here is what we have been able to piece together from our different partners.
For data collected on advertisers’ sites/apps (e.g. remarketing IDs, conversion tracking cookies and Customer Match), advertisers are responsible for notifying users and obtaining their consent for the collection of this information. For information collected on Google properties, by contrast, all users are given notice of Google’s data collection processes, and the purpose for which that data is collected, through Google’s terms of service and privacy policy. Users in the EU are asked to consent to Google’s uses of their data. Additionally, users are provided controls through which they can opt in to or out of the collection of certain types of data and of ads personalization (e.g. the Ads personalization setting, the Web and App activity setting, Location History).
So, for example, if you are running a pixel-based RLSA campaign, Google would be responsible for the collection and protection of the data, provided that you have clearly indicated how your cookies are used and the user has accepted the terms of use. But if you are running Customer Match using a CRM email list, you are responsible for ensuring that the data you collected was given with clear consent and is up to date.
Right to be forgotten
The “Right to be forgotten” means that at any time, a consumer can request that their personal data be removed from any database or cookie pool.
A key takeaway for digital marketers is that those who manage consumers’ personal data must also have a process to erase any collected data should the user submit such a request or withdraw their original consent.
Consumers also have the right to request, at any time, to receive any personal data that they provided a company “in a structured, commonly used and machine-readable format.”
Maintaining Data Security
If a company obtains consent from a user, it must also protect that data. Should a data breach occur, the new law requires that it be reported within 72 hours to all affected consumers and the respective supervisory bodies.
So… What next?
The biggest thing that GDPR is trying to achieve, from our research and partner conversations, is transparency and data security. Here are some tips that have been indicated to us as best practices.
Cookie Data
Be extremely transparent about how you collect cookie data and provide an option for users to opt out.
Companies like OneTrust have integrations that can provide this functionality with your site and provide users with an option to remove themselves from your cookie pool.
Lead Generation and Email Collection
While it is not 100% clear whether this is required, placing an empty (unchecked) opt-in checkbox at the end of forms, etc., to let users choose whether to receive future marketing from the company, may be a good option. It may also help improve the quality of your lead scoring, since users who check it are expressing a true interest in your company beyond the existing offer. At the very least, I would suggest providing a notice at the end of every form stating that the user agrees to your privacy policy. Again, this is not 100% clear, and you should seek legal counsel on this area, as well as on all areas of GDPR.
Data Security and maintenance
Ensure you have a strong data security process in place. This is key to success in a GDPR world.
Make sure that if you do have a breach, that you report everything in detail to the appropriate parties.
Finally, if you do have users who eventually want to be removed, do so in a timely manner, and make sure that all your relevant databases are purged/cleansed on a regular basis.
Wrap Up
GDPR is going to be a process and a learning curve for everyone. EU-based cookie pools may shrink, but these audiences will likely improve in quality, because the user is engaged and wants to be shown ads relevant to them.
Ad costs will likely go up, particularly in Display and Social, where shrinking cookie pools will create higher demand for the more engaged users who remain, driving auction prices up. Rethink your strategic approach to these channels and how best to utilize them. For those on the agency side, start having those conversations now, if you haven’t already, about the overarching effects that GDPR will have.
Ultimately, this will be a benefit to the industry. For too long, irrelevant ads and poor-quality tracking have been the scourge of the industry. The industry is constantly being forced to evolve and improve the way it interacts with consumers. Use this as an opportunity to hit reset on your strategy and focus on quality content, quality copy, and relevant targeting.
The tips we laid out above are not legal advice. You should seek professional legal advice on GDPR to ensure you are in compliance with all areas of the regulation.