General Data Protection Regulation – Does It Apply To Your Business?

The EU’s GDPR Touches Marketers – And Google
What is GDPR? It is a regulation adopted by the European Union that came into effect on 25 May 2018. The General Data Protection Regulation (GDPR) governs the collection, storage and use of the personal data of individuals in the European Union (EU) and the European Economic Area (EEA). The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.
Of special note is that GDPR reaches beyond the borders of the EEA: it applies to businesses anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EEA.
There are many implications for businesses. For example, a business now needs the visitor's consent before placing non-essential cookies on the devices of EEA residents, even if the business is located outside the EEA (the cookie rule itself comes from the EU's ePrivacy Directive; GDPR sets the standard that such consent must meet). The penalties for ignoring GDPR are severe: fines of up to 4% of annual global turnover or 20 million euros, whichever is higher. With such penalties for non-compliance, it is not surprising that Google has written policies to bring its products into line with GDPR.
How does GDPR affect marketers and website owners?
The new regulation affects much more than marketing activities. This article focuses on the impact on users of Google products such as Analytics and AdWords, on website owners, and on email marketers.
The new Google policies throw a great deal of light on the impact of GDPR on your marketing efforts. For a marketer using Google products to reach customers in the EU, the terms “consent” and “disclosure” are of key importance for GDPR compliance. “Consent” revolves around an active opt-in for permission to collect and use personal data, and “disclosure” means that a comprehensive privacy policy must be readily available to inform the EEA resident’s consent decision.
Google has published an EU user consent policy. The policy states that certain disclosures must be given to, and consents obtained from, end users in the European Economic Area.
Analytics and Cookies
One of the major requirements of GDPR and of Google's policy is to obtain consent from any EEA resident before setting non-essential cookies on their device when they visit your website. Cookies and online tracking are used for a variety of purposes, including gathering statistics to be sent to Google Analytics and building remarketing lists (which are used to show ads to people who have previously visited your website).
Google’s EU User Consent Policy includes the following statement:
“For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.
You must obtain end users’ legally valid consent to:
- the use of cookies or other local storage where legally required; and
- the collection, sharing, and use of personal data for personalization of ads.
When seeking consent you must:
- retain records of consent given by end users; and
- provide end users with clear instructions for revocation of consent.
You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.”
Google has published a help guide to elaborate on their user consent policy. There they define what a personalised ad might include:
“Google considers ads to be personalized when they are based on previously collected or historical data to determine or influence ad selection, including a user’s previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, targeting audience lists uploaded in DoubleClick Bid Manager or Campaign Manager.”
In the same document Google attempts to answer the question about how to disable collection of personal data for personalised ads.
“We will be launching new functionality that allows you to disable personalized ads. Please note that the non-personalized ads that we serve on websites still require cookies to operate.”
Whether this new functionality will enable one to exclude only EU residents is as yet an open question.
Google’s policy requires consent for cookies even if they are only used for ad measurement and not for ad personalisation:
“Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads — for instance if you have remarketing tags on your pages.”
In seeking a visitor’s cookie consent on your website, the use of a pre-ticked check box is not allowed, as the user must actively opt in. A link to your privacy policy must be readily available. There are specific requirements about what areas the privacy policy must cover, and the policy must be written in plain understandable language. There must be a section of the privacy policy in which the use of cookies is set out in detail.
What if cookie consent has not been given?
A key question is how a website prevents data from being sent to Analytics when consent has not been given.
There are technical solutions available; several are listed on Google's Cookiechoices website. For WordPress sites, for example, the Cookiebot plugin can be used, and Cookiebot publishes a guide on prior consent, that is, holding back cookies and tracking tags until the visitor has agreed.
Incidentally, cookiebot.com offers to analyse your website and provides a list of areas where it is not compliant with GDPR.
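Here is an added example of what "prior consent" looks like in code. It is not code from this article, from Google or from Cookiebot: it is a minimal consent gate written for this page. It stores the visitor's active opt-in as a first-party cookie that records how and when consent was given (the record-keeping duty in Google's policy quoted above), and it injects the gtag.js loader only when that record allows analytics. The cookie name `consent`, the JSON layout of the record, the policy version string and the `UA-XXXXX-Y` measurement ID are all assumptions made for the example; the `gtag.js` config keys used are Google's documented ones. The `doc` parameter stands in for the browser `document` so the logic can be exercised offline.

```javascript
// Added example (not code from the article, Google or Cookiebot): load Google
// Analytics only after the visitor has actively opted in, and keep a record of
// that consent. Cookie name, record layout, policy version and the measurement
// ID placeholder are assumptions made for this example.

const CONSENT_COOKIE = "consent";   // assumed first-party cookie name
const POLICY_VERSION = "2018-05";   // assumed; bump when the privacy policy changes

// Parse a document.cookie / "Cookie:" header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch (e) {
      // Malformed percent-encoding: skip this cookie rather than crash.
    }
  }
  return out;
}

// Build the record to store when the visitor submits the consent form.
// Only an explicit `true` counts, so an unticked or missing box never
// yields consent (and a pre-ticked default has no way to sneak through).
function makeConsentRecord(choices, now = new Date()) {
  return {
    v: POLICY_VERSION,
    analytics: choices.analytics === true,
    ads: choices.ads === true,
    ts: now.toISOString(),      // when consent was given
    method: "checkbox-optin",   // how consent was given
  };
}

// Serialise the record as a Set-Cookie value (180 days, first-party only).
function consentCookieValue(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${180 * 24 * 3600}; SameSite=Lax; Secure`;
}

// Return the stored consent record, or null when there is no valid consent.
// Consent given against an older policy version is treated as no consent.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    return rec && rec.v === POLICY_VERSION ? rec : null;
  } catch (e) {
    return null; // unparsable cookie: fail closed
  }
}

// Decide the gtag.js config to apply, or null when the tag must not load.
// Without ads consent, advertising features and personalisation stay off.
function analyticsConfig(record) {
  if (!record || record.analytics !== true) return null;
  return {
    anonymize_ip: true,
    allow_google_signals: record.ads === true,
    allow_ad_personalization_signals: record.ads === true,
  };
}

// Inject the gtag.js loader only when analyticsConfig allows it. `doc` is the
// page's document (passed in so the function can be exercised offline).
// Returns true when the tag was loaded, false when it was withheld.
function loadAnalytics(doc, record, measurementId) {
  const cfg = analyticsConfig(record);
  if (cfg === null) return false;
  const win = doc.defaultView;
  win.dataLayer = win.dataLayer || [];
  // gtag.js expects `arguments` objects on the dataLayer, not plain arrays.
  function gtag() { win.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", measurementId, cfg);
  const script = doc.createElement("script");
  script.async = true;
  script.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  doc.head.appendChild(script);
  return true;
}

// Typical page start-up (browser): withhold the tag until consent is on record.
// loadAnalytics(document, readConsent(document.cookie), "UA-XXXXX-Y");
```

The important design point is the order of operations: the loader script is never added to the page until a valid consent record exists, so no request to Google is made for a visitor who has not opted in. Tying the record to a policy version means that when the privacy policy changes, old consents lapse and the visitor is asked again, which is what a regulator would expect.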
Email marketing lists
In order to send marketing emails to individuals on your list, you must have explicit, active consent from any user in the EEA. This means that if you collect email addresses via a form on your website, the user must tick a box to consent to receiving marketing materials. The box cannot be pre-ticked, and it must be accompanied by a link to your privacy policy. The privacy policy must set out clearly the purposes for which you are collecting this information. You must keep a record of how and when consent was given. The user must be able to unsubscribe from your emails and to request erasure of their data (the right to be forgotten), which means you will have to delete their data from your systems.
Resources
Because GDPR places significant responsibilities on anyone collecting, storing or using EU personal data, a business handling such data will have to put both organisational and technical measures in place.
For a very detailed explanation of what GDPR is all about, you can download this pdf guide provided by the UK’s ICO (Information Commissioner’s Office).
Privacy Policy Examples
A clear privacy policy on your website is essential to satisfy the requirement of GDPR and Google.
Here are some examples, for your reference, of GDPR-related privacy policies on various websites:
Privacy Policy Generator
Getting a privacy policy up and running can be a daunting task. I know of a company that can help with this on a paid basis. It is called iubenda. This service is used by at least one multi-national that I am aware of.
Help for WordPress website developers
For WordPress sites, there is a privacy policy page template available in the WordPress back-end. There is also an explanatory guide to go with it. To navigate to WordPress’s Guide from the admin back-end, follow this path:
Settings>Privacy>Create new page button>Follow the “check out our guide” link near the top of the page.
In Conclusion
If your website attracts visitors from European Economic Area countries, the requirements of GDPR apply to you, even if your business is located outside the EEA. Key requirements are consent and disclosure (in a privacy policy), but there are many other duties relating to the handling of personal information. For a more comprehensive study of the implications of GDPR, marketers can refer to the UK's ICO Guide.
Disclaimer
This article, compiled by Digital-Lance Online Marketing, is meant to provide an introduction for marketers to the EU’s General Data Protection Regulation. You should not consider it to be legal advice.