The Ultimate Guide to GDPR for Advertising
The customer journey is changing quickly, and it’s not all because of technology. Big data and the necessary legal regulations that follow have a huge impact as well. The General Data Protection Regulation (GDPR) is a new regulation that’s changing the way marketers can advertise to EU citizens. It’s the biggest regulatory change in data privacy in decades, and the deadline for compliance is fast approaching. Companies that don’t comply by May 25th, 2018 can face fines of up to 20 million Euros or 4% of annual global turnover.
Despite these threats, many businesses have done little or nothing to comply with GDPR. HubSpot did a survey in November and found that only 15% of companies had done anything to become compliant.
That’s likely because they don’t know anything about GDPR (36% of marketers hadn’t even heard of it in November) or they think it doesn’t apply to them and their business. That’s why we created this guide, to detail exactly what GDPR is, how it affects advertisers, and what changes you need to make to be in compliance.
The GDPR is a 200-page document that covers data privacy reform for companies in a variety of contexts. Our guide is meant to illustrate how it can impact advertisers, but it’s not meant to be a complete resource on GDPR compliance. Use this guide as a starting point, then enlist the help of legal professionals to ensure your business is in full compliance.
What is the GDPR?
The GDPR is a regulatory act adopted by the European Parliament in April 2016. It’s aimed at protecting data and privacy for all individuals within the European Union, and addresses the export of personal data outside the EU.
Many advertisers make the mistake of thinking the GDPR doesn’t apply to them if they don’t have a business presence within the EU. But if your business processes any personal data of European residents, the GDPR will affect you.
Here are some of the main points businesses will need to address when managing the data of EU citizens:
- Businesses must comply with strict record-keeping requirements when handling personal data
- Businesses must conduct privacy impact assessments
- Personal data can only be used with the express (not implied) consent of consumers
- Consumers have the right to be forgotten and a right of data portability
- Businesses must adhere to communication protocols if consumer data is breached
Essentially, businesses need to get consent to collect personal data from their audiences, then take steps to ensure they handle it properly.
What is personal data?
GDPR’s definition of personal data is very broad, including a number of online identifiers for profiling and identification that advertisers use. Here’s their own wording on the topic:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
For your purposes, you can assume personal data to include:
- Email addresses
- IP addresses
- Payment information
- Device IDs
- Location data
- RFID tags
Broadly, any information that can tie to a person’s identity is personal data. This includes information advertisers use to segment audiences based on interests, political leanings, ethnicity, etc.
What is consent?
Marketers are no longer allowed to use passive methods that imply consent for data use. Now consumers must take an action indicating that they are okay with their data being collected and used.
You can’t bury consent in the Terms & Conditions. It must be up front and center so consumers understand they’re giving consent.
No more pre-checked opt-in boxes that consumers can overlook. They must take action to opt in.
Consumers must be able to quickly and easily revoke their consent at any time.
Businesses must also be prepared to provide individuals with their personal data upon request.
The impact of GDPR on advertising
For advertisers, GDPR impacts the personal data you can collect on consumers for ad targeting, how you store and use that data, and how you get permission to use it in the first place. Advertisers who use data science for search engine marketing need to take special care to ensure they’re in compliance.
The GDPR assigns responsibility for compliance to three main roles:
Data controller — Responsible for defining how and for what purpose personal data is processed.
Data processor — Groups that maintain and process personal data.
Data protection officer (DPO)
The data controller is responsible for ensuring outside contractors comply with GDPR when handling data, while the data processor is also liable for non-compliance with GDPR guidelines. Essentially, both you and the advertising platform you work with have obligations for data protection. For companies that store and process large amounts of personal data (e.g. banks or hospitals), a DPO is also necessary within the organization. This doesn’t apply for most advertisers.
Whether your organization is considered a data controller or processor depends on where the data came from. It’s an important distinction to make as it affects your responsibilities under GDPR.
If you’re advertising through Adwords or Facebook using data they collected from consumers for ad targeting, then they’re both the data controller and processor, and you have no additional obligations to protect data under GDPR. What changes is when you use your own consumer data with these platforms for ad targeting. When using conversion tracking cookies, remarketing IDs, Customer Match and other data collected from your site, the responsibility lies on you to obtain consent and explain what the data will be used for.
Let’s look at an example for Adwords advertising. If you tag your site to build remarketing lists for search ads (RLSA), then Google’s the data controller, not you. If you upload an email list to run a Customer Match campaign, then you’re the data controller and all responsibility lies on you to comply with GDPR requirements.
If you upload a Custom Audience to Facebook, you have responsibilities to properly collect and protect data. They’re actually in the process of developing a Custom Audiences permission tool so advertisers can provide proof that they obtained proper consent.
Luckily, if you’re already GDPR compliant for Facebook ads, you won’t need to do anything additional for Instagram, since Facebook owns it.
YouTube ads work in a similar way. If you’re using remarketing ads, affinity audiences, in-market audiences, similar audience, etc., then you need to get consent to use consumer data. If you’re using YouTube’s internal targeting features, the responsibility is on them.
Even with an explanation, your obligations can be confusing. Just remember that if you collect any data from your audience for advertising or otherwise, you need to get permission, fully disclose what you plan to use it for, and take proper steps to ensure data management and security. Adwords, Facebook and other advertising platforms will do the same.
5 steps for GDPR compliance with advertising
Even if you’re not currently using personal data for advertising, it’s best to be proactive and create a framework for compliance with GDPR standards. After all, transparency with your audience is a good business practice all around, whether they’re located in the EU or elsewhere.
Here are 5 steps you can take to start on the road to compliance before the May 25th deadline:
1. Audit your existing data
The first thing you should do is perform an analysis of your existing data to see how it’s already being used. Use this audit to develop processes to gain compliance for existing data and establish new practices to capture data.
Your audit should answer questions like:
- Who are our data subjects?
- Where do we keep their data? Who has access to it?
- For what legal purpose do we have their data?
- How are we processing their data?
You’re going to need to disclose to your customers how you plan to use their data and what third parties you might share it with. Therefore it’s important to start by mapping out where their personal data is held so you can be as transparent as possible.
2. Establish new practices for data collection
Do this the wrong way and you can end up ruining cookies as a data source for advertising. Many visitors will opt out entirely if you present them with a binary consent option (cookies or no cookies). Instead, illustrate how cookies are helpful for their user experience and give them options for what kind of cookie data you can use. Here’s a good example:
There are tools available, such as Cookiebot, that can help you implement GDPR-compliant cookie consent.
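As an added example, not code from the original guide or from any consent tool it mentions, here is a small consent record that models the rules in the sections above: optional cookie categories start unchecked (nothing is pre-ticked), only an explicit grant turns a category on, withdrawal is a single call, and tags for a category run only after it has been granted. The category names, the record layout and the tag loaders are assumptions made for this example.

```javascript
// Added example (not from the original guide): a consent record for cookie
// categories. Category names, record layout and loaders are constructed.

const CATEGORIES = {
  necessary: "Needed for the site to work; exempt from consent",
  analytics: "Aggregated usage statistics",
  advertising: "Remarketing lists and audience matching with ad platforms",
};

// Constructed loaders: which tag belongs to which consent category.
const LOADERS = [
  { name: "analytics-tag", category: "analytics" },
  { name: "remarketing-tag", category: "advertising" },
  { name: "customer-match-upload", category: "advertising" },
];

// A fresh state: every optional category is false (no pre-checked boxes).
// Silence or a dismissed banner never changes this; only grant() does.
function newConsentState() {
  const choices = {};
  for (const name of Object.keys(CATEGORIES)) choices[name] = name === "necessary";
  return { version: 1, decidedAt: null, choices };
}

// Record an explicit opt-in for the listed categories and when it was given,
// so the record later shows what was consented to. Unknown names are an error.
function grant(state, categories, now = Date.now()) {
  for (const c of categories) {
    if (!(c in CATEGORIES)) throw new Error(`unknown consent category: ${c}`);
    state.choices[c] = true;
  }
  state.decidedAt = now;
  return state;
}

// Withdrawal must be as easy as giving consent: one call clears any or all
// optional categories. The necessary category is never switched off.
function revoke(state, categories = Object.keys(CATEGORIES), now = Date.now()) {
  for (const c of categories) {
    if (c !== "necessary") state.choices[c] = false;
  }
  state.decidedAt = now;
  return state;
}

// Gate: a category's tags may run only after an explicit grant.
function mayLoad(state, category) {
  return state.choices[category] === true;
}

// Names of the loaders allowed to run under the current state.
function tagsToLoad(state, loaders = LOADERS) {
  return loaders.filter((l) => mayLoad(state, l.category)).map((l) => l.name);
}

// The pattern the text warns against, kept only for contrast: treating a
// dismissed banner as consent to everything. Do not wire this to a close button.
function impliedConsentOnDismiss(state) {
  for (const c of Object.keys(CATEGORIES)) state.choices[c] = true;
  return state;
}

// Stand-alone demo: a visitor accepts analytics only.
const demo = grant(newConsentState(), ["analytics"]);
console.log("tags allowed:", tagsToLoad(demo));
```

In a real page the consent state would be persisted (for example in a first-party cookie or local storage) and the tag loaders would be actual script injections; the point the example makes is that the ad-platform tags are gated behind the stored choice rather than loaded on page view.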
3. Create a data protection plan
If you’re collecting consumer data (not your advertising platform), then GDPR requires that you have a data protection plan for internal business processes. Draw out a clear data security plan for your business that’s in line with GDPR requirements. Here are some important points to consider:
The right to be forgotten
Under GDPR, users have the “right to be forgotten,” which means they can request their personal data to be removed from your databases or cookie pool at any time. Procedures should be in place to properly purge data if and when users want to be removed from your databases.
Requests for personal data
Users also have the right to request personal data they’ve provided to your company. You’ll need procedures in place so you can easily provide personal data “in a structured, commonly used and machine-readable format.” A CSV file should be sufficient.
Procedures for handling data breaches
Include procedures for addressing data breaches, so you can report necessary information to involved parties in a timely manner. GDPR mandates that data breaches should be reported to all consumers and respective bodies within 72 hours.
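As an added example, not code from the original guide, here is how the two data-subject requests described above can be handled over a set of stores: an export that returns everything held about one person as CSV (the structured, machine-readable format the text mentions) and an erasure that purges the person from every store, including the remarketing cookie pool, and returns per-store counts for the request log. The store names, field names and sample records are constructed for this example.

```javascript
// Added example (not from the original guide): export and erasure requests
// over constructed stores. Store names, fields and records are made up.

// Constructed sample data: a CRM table and the identifiers synced to ad platforms.
function sampleStores() {
  return {
    crm: [
      { email: "alice@example.com", name: "Alice", country: "DE", advertisingConsent: true },
      { email: "bob@example.com", name: "Bob, Jr.", country: "FR", advertisingConsent: false },
    ],
    cookie_pool: [
      { email: "alice@example.com", cookieId: "c-1111", segment: "in-market:shoes" },
      { email: "alice@example.com", cookieId: "c-2222", segment: "remarketing" },
      { email: "bob@example.com", cookieId: "c-3333", segment: "remarketing" },
    ],
  };
}

// RFC 4180 quoting: wrap a field in double quotes when it contains a comma,
// a quote or a line break, doubling any embedded quotes.
function csvField(value) {
  const s = value === undefined || value === null ? "" : String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Gather every record about one subject across all stores, tagged with its source.
function recordsFor(stores, email) {
  const out = [];
  for (const [source, rows] of Object.entries(stores)) {
    for (const row of rows) if (row.email === email) out.push({ source, ...row });
  }
  return out;
}

// Export as CSV: a header built from the union of field names, one row per record.
function exportSubject(stores, email) {
  const records = recordsFor(stores, email);
  if (records.length === 0) return "";
  const columns = [...new Set(records.flatMap((r) => Object.keys(r)))];
  const lines = [columns.map(csvField).join(",")];
  for (const r of records) lines.push(columns.map((c) => csvField(r[c])).join(","));
  return lines.join("\r\n") + "\r\n";
}

// Erase the subject from every store in place. The returned counts let the
// request be confirmed and logged without keeping personal data in the log.
function eraseSubject(stores, email) {
  const removed = {};
  for (const [source, rows] of Object.entries(stores)) {
    const before = rows.length;
    for (let i = rows.length - 1; i >= 0; i--) if (rows[i].email === email) rows.splice(i, 1);
    removed[source] = before - rows.length;
  }
  return removed;
}

// Stand-alone demo on the constructed data.
const stores = sampleStores();
console.log(exportSubject(stores, "alice@example.com"));
console.log("erased:", eraseSubject(stores, "alice@example.com"));
```

The erasure walks every store by the same key so that a record left behind in one place (the cookie pool is the one advertisers forget) cannot re-identify a person who asked to be removed; in practice the same loop would also trigger removal from any audience lists already uploaded to the ad platforms.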
- Who is collecting data?
- What kind of data are you collecting?
- Your legal basis for processing the data.
- Who you plan to share the data with.
- How you will use the information.
- How long you plan to store the data.
- What rights the data subject has.
- How data subjects can raise complaints, request their data or request its deletion.
5. Seek Privacy Shield certification
Privacy Shield is a framework developed by the European Commission, Swiss Administration and the US Department of Commerce to develop a mechanism to comply with data protection requirements when transferring personal data for transatlantic commerce. Seek out and obtain certification under their standards. Do this before GDPR comes into effect to ensure you’re in compliance.
On the surface, GDPR can seem like a marketing challenge that hinders your ability to collect and drive advertising insights from consumer data. But fully complying with GDPR mandates actually helps ensure you’re marketing to the highest value leads when they do opt-in.
It may be by force of law, but advertising platforms and advertisers alike are making positive changes to ensure they market to people who really want to be targeted with advertisements. While these changes might reduce your pool of marketable leads, they do improve the quality and effectiveness of your advertisements immensely.
Now that you’re targeting a smaller base of engaged users, ad costs are bound to go up. That leaves even less wiggle room in advertising budgets for wasted ad spend. Artificial intelligence and bid automation tools to accurately allocate ad spend will become even more essential as advertising becomes more expensive.