GDPR in Online Marketing, Google Analytics & Google Ad-words

Twitter Linkedin

In last months, you’ve probably experiencing notices about privacy policy updates from one service or another. The social media which are using also notified you of the changes in their privacy policy.

With the implementation of the General Data Privacy Regulation (GDPR) from May 25th, 2018 every company has complied with the new standards. Most of the marketing people are not aware of what is GDPR and how it applicable.

What is GDPR?

Wikipedia says The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the European Union.
GDPR introduces a lot of new rules, we can see in the regulation.

The significant changes:

  • Companies have to be more clear about what information they collect, where they will use, for what use, how they will collect, and if any information will be shared. Companies can only collect information for relevantly intended use. If any time collected information to use it for a different use, companies must get permission again from each person.

  • Any collected information now no longer be hidden in privacy policy with any legal idiom. The disclosures must be in plain and clear language and as Article 4 (11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. If any individual does not agree to get his or her information collected, companies cannot block them.

  • Every user has the right to see the information company has specifically for him or her, can request to correct information, revoke permission, and can export the data so anytime can switch to another service. If user revokes permission, a company must not only remove the information in a time frame from their data but also cleared from wherever they shared.

Role of GDPR for US-based companies

GDPR regulation within the European Union doesn’t mean that it won’t affect US based companies. GDPR applies to any US based companies who have business in Europe, collect data of users from Europe, any employees who work in Europe.
No matter your company has business in a very specific geographic area; occasionally have some visitors to your website from people outside of that region.

Let’s take an example, let’s say a US based hotel in California posted an offer on their blog about the travel and stay offer on their website. It’s lucrative offer that brings online visitors from outside California, including some from European Union geography. How GDPR apply to them?

As long as the lucrative offer of that hotel is only available to the customers in the US or customers outside European Union, GDPR does not apply.
If another US based hotel has a website with the accessibility to check the site in either German or French languages, customers can pay with Euros, and uses marketing language referring to European customers. In this scenario, GDPR will apply as a company promote their business to get people from Europe.

How GDPR impacts Google Analytics

Google is data analytical tool that works as your data processor. Google handle data from the people all around the world, GDPR compliance has to be there. However, your company is considered the data controller in this liaison, this way you need to take steps to make sure your Google Analytics account is set up accordingly.

Google has been rolling out new features in the context of GDPR. Now you’ve got the ability to delete the information of users if requested. With data retention, control long user data is saved before being automatically deleted, 26 months as the default setting but US-based company that only do business in US, can set it to never expire until data protection law come in to picture someday.

Privacy policies, Use of cookie

As per GDPR, a website’s privacy policy must be in plain and clear language and answer basic questions like what information will be collected, why will be collected, how will be collected, who will collect, how will be used, and if shared with anyone.

Use of Cookie notice also as per the GDPR regulation,
“(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

How GDPR impacts Marketing

The GDPR is not just limited to use of Google Analytics but also use of some particular types of marketing.

  • Google AdWords

Google already required publishers to get permission from end users by putting disclaimers if you use Google Adwords in EU but GDPR will make some change to these requirements. Now, Google will have to require publishers to get clear permission from individuals having their data collected. If an individual doesn’t permit to get his or her data collected, Google will have to serve them non-personalized ads.

  • Referral

Many companies promote business as “refer your friend”. In such promotion a user has to provide information of a friend who is going to receive a deal or discount, GDPR comes in such scenario. To give approval for data to be collected is a key part of GDPR and in such promotions, the person being referred can’t directly approve to being collected his or her information. In GDPR, you can continue this process, but the main part is how that data is being used. If you store the data of the referred person and use it for marketing purposes, that’s the breach of GDPR regulation. However, not to store that data or process it under GDPR.

  • Gated Assets

Many companies use gated assets which are whitepapers, ebook, research/studies or webinars, ways to generate leads. Since GDPR came into picture blocking access to content if a person doesn’t permit his or her information being collected. GDPR does not wholly wipe out the possibility of gated assets, but now higher standards to collect user data. So, if you intend to have the gated assets, you have to prove that the data you collect is significant for you to provide the deliverable.

Conclusion

We simply tried to provide the summary of how GDPR impacts your marketing campaign and the way it will work. This is not GDPR regulation manual, consult your legal team if you fall in GDPR regulation or have any questions about it.

June 14, 2018