March 1, 2018
*This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.*
The General Data Protection Regulation (GDPR) is a new EU regulation that will require businesses to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy. Failure to adhere by these laws can be detrimental to a business and their financial stability. GDPR fines can go up to 20 Million Euros or 4% of annual global turnover, whichever of both is highest. Companies have until May 25, 2018 to comply with the GDPR.
GDPR regulations apply regardless of your business location. If you track behavior or manage data of a EU resident, you are required to be compliant with GDPR.
At the simplest level, GDPR deals with consumer concerns about data privacy and security. While there is a plethora of sections and subsections of the entire bill, some of the most prominent areas that relate to PPC’ers and Digital Marketers:
- Personal Data can only be used with the express consent of the consumer
- Consumers have a “right to be forgotten” and a right of “data portability”
- Safe and secure administrative record – keeping requirements
Personal data can be associated with everything from email addresses to payment information, basically anything that can tie to a person’s identity.
However, under GDPR now also categorizes cookies, IP addresses, device IDs and location data as “personal data”.
Recital 30 of the EU GDPR defines “online identifiers for profiling and identification” as such:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
So, what is “consent” for the use of personal data? Basically the user must actively agree to the way their data is collected and used. Here are some examples of things no longer acceptable as “consent” under GDPR:
- Pre-checked boxes on forms or data collection points.
- Passive “you accept cookies” notices
Customers must be able to freely give consent. No longer is implied consent acceptable. It can also not be hidden in long Terms & Conditions that uses complex legal language. Also, the customer is also given the right to remove their consent at any time.
How will this impact tactics like remarketing and behavioral campaigns in display and social? That is still not 100% clear, but… here is what we have been able to piece together from our different partners.
The “Right to be forgotten” means that at any time, a consumer can request that their personal data be removed from any database or cookie pool.
A key takeaway for digital marketers is, those who manage consumers’ personal data must also have a process to erase any collected data should the user submit this request or withdraw their original consent.
Consumers also have the right to request, at any time, to receive any personal data that they provided a company “in a structured, commonly used and machine-readable format.”
If a company obtains consent from a user, they must also protect that data. Should a data breach occur, it must be, under the new law, reported within 72 hours to all consumers and respective bodies.
The biggest thing that GDPR is trying to achieve, from our research and partner conversations, is transparency and data security. Here are some tips that have been indicated to us are some best practices.
Be extremely transparent about how you collect cookie data and provide an option for users to opt out.
Companies like OneTrust have integrations that can provide this functionality with your site and provide users with an option to remove themselves from your cookie pool.
Ensure you have a strong data security process in place. This is key to success in a GDPR world.
Make sure that if you do have a breach, that you report everything in detail to the appropriate parties.
Finally, if you do have users who eventually want to be removed, do so in a timely manner, and make sure that all your appropriate data-bases are purged/cleansed on a regular basis.
GDPR is going to be a process and learning curve for everyone. EU based cookie pools may shrink, but these audiences will likely improve in quality, because the user is engaged and wants to be able to shown ads relevant to them.
Ad Costs will likely go up….. particularly in Display and Social, where the shrinking cookie pools will create higher demands for more engaged users, driving auction prices up. Rethink your strategic approach to these channels and how to utilize them in the best manner. For those on the agency side, start having those conversations now, if you already haven’t, about the overarching effects that GDPR will have.
Ultimately, this will be a benefit to the industry. For too long, irrelevant ads and poor quality tracking has been the scourge in the industry. The industry is constantly being forced to evolve and improve the way it interacts with consumers. Use this as an advantage to hit reset on your strategy and focus on quality content, quality copy, and relevant targeting.
Despite the tips we laid out above, they are not valid legal advice. You should seek professional legal advice on GDPR to ensure you are in compliance with all areas of the regulation.