General Data Protection Regulation – Does It Apply To Your Business?
The EU’s GDPR Touches Marketers – And Google
What is GDPR? It is a new law implemented by the European Union that came into effect on 25 May 2018. It regulates the collection, storage and use of personal data of all EEA residents. The General Data Protection Regulation (GDPR) is aimed at data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The EEA includes EU member states, Norway, Iceland and Liechtenstein.
Of special note is that GDPR has a reach beyond the borders of the EEA, because it applies to businesses anywhere in the world that handle personal data of EEA residents.
The new GDPR law has many implications for businesses. For example, a business now needs permission to place cookies onto computers of EEA residents, even if the business is outside the EEA. And the penalties for ignoring the GDPR are huge: among them are a fine of 4% of your business’s global turnover or 20 million euros. With such penalties for non-compliance with GDPR, it is not surprising that Google has had to write policies to bring itself into compliance with GDPR.
How does GDPR affect marketers and website owners?
The new regulation affects much more than just marketing activities. This article focuses on the impact on users of Google products such as Analytics and AdWords, on website owners, and on email marketers.
Google has published an EU user consent policy. The policy states that certain disclosures must be given to, and consents obtained from, end users in the European Economic Area.
Analytics and Cookies
One of the major requirements of GDPR and Google is to obtain consent from any EEA resident before setting cookies on their hard drive when they visit your website. Cookies and online tracking are used for a variety of purposes, including the gathering of statistics to be sent to Google Analytics, and the building of remarketing lists (which are used to show ads to people who have previously visited your website).
Google’s EU User Consent Policy includes the following statement:
“For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.
You must obtain end users’ legally valid consent to:
- the collection, sharing, and use of personal data for personalization of ads.
When seeking consent you must:
- retain records of consent given by end users; and
- provide end users with clear instructions for revocation of consent.
You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.”
Google has published a help guide to elaborate on their user consent policy. There they define what a personalised ad might include:
“Google considers ads to be personalized when they are based on previously collected or historical data to determine or influence ad selection, including a user’s previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, targeting audience lists uploaded in DoubleClick Bid Manager or Campaign Manager.”
In the same document, Google attempts to answer the question of how to disable collection of personal data for personalised ads.
“We will be launching new functionality that allows you to disable personalized ads. Please note that the non-personalized ads that we serve on websites still require cookies to operate.”
Whether this new functionality will enable one to exclude only EU residents is as yet an open question.
Google’s policy requires consent for cookies even if they are only used for ad measurement and not for ad personalisation:
“Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads — for instance if you have remarketing tags on your pages.”
What if cookie consent has not been given?
A key question is, how does a website prevent information from being sent back to Analytics if consent has not been given?
There are technical solutions available, and various solutions are listed on Google’s Cookiechoices website. For example, for WordPress sites, the Cookiebot plugin can be used. Here is a guide by Cookiebot concerning prior consent.
Incidentally, cookiebot.com offers to analyse your website and provides a list of areas where it is not compliant with GDPR.
Email marketing lists
As GDPR places a big responsibility relating to the collection, storage and use of EU personal data, a business handling that data will have to implement organisational and technical solutions.
For a very detailed explanation of what GDPR is all about, you can download this pdf guide provided by the UK’s ICO (Information Commissioner’s Office).
Here are some examples, for your reference, of GDPR-related privacy policies on various websites:
Help for WordPress website developers
Settings > Privacy > “Create new page” button > follow the “check out our guide” link near the top of the page.
This article, compiled by Digital-Lance Online Marketing, is meant to provide an introduction for marketers to the EU’s General Data Protection Regulation. You should not consider it to be legal advice.