GDPR will likely have long-lasting consequences for anybody doing digital marketing.
The General Data Protection Regulation, or GDPR, will finally come into force on May 25th, affecting all website usage from any EU country, regardless of where the website owner is located. As this new piece of EU legislation has the status of a directive, it will overrule most national legislation within the EU countries, and will therefore significantly change many of the basic ground rules of how we do online tracking and advertising. There has been a lot of news, and many blogs, discussions, websites and events surrounding the landmark legislation – but it seems many businesses are still blissfully unaware of many of the changes required. Because of this, we’ve attempted to collect the most important changes a digital marketer should be aware of, and put them into a concise bullet-point format below.
So read on. Disregard this at your peril.
Most important changes for online marketing
- Personally identifiable information must not be collected without explicit consent. If such consent is not explicit, then we have to assume the visitor hasn’t given it.
- When asking for such consent, you must inform the visitor what their data will be used for, and by whom – in explicit terms. For each use, or party (controller) using said data, consent must be asked separately. Explicit consent means clicking ’yes’ on a document describing what you’re doing. For those visitors who do not do so, we must assume they do not consent. Yes, you will need to ask separately for tracking users’ actions across different sessions, for each ad network, etc.
- Cookies that identify your browser are included in that PII definition. This means that a website cannot set cookies which identify the browser without the user’s explicit consent. It will still be okay to set anonymous cookies, though – that is, cookies made so that you cannot distinguish between browsers. This will allow you to track visitors’ actions during a single visit, but you will lose data related to return visits.
- Consent cannot be given by just clicking forward on a page – ’cookie banners’, done in the same way they have been before, will most likely become very ineffective. You will need to think of new ways of gaining the permission to track visitors.
- Tracking walls won’t work either. GDPR prohibits using personal data as payment for the service – basically, you cannot block visitor entry to any part of your website just because they won’t give you the right to track them. Obviously, you can restrict access to a service that requires said tracking to operate – e.g. personalized content – but as a rule, you cannot block people for not allowing tracking.
- In case one of your visitors wants you to stop tracking them, you’ll need to comply – and you’ll need to erase all of their personal information from your databases. Just advising them to delete cookies will not be enough.
What you need to do in order to stay safe
Here are the most pressing dos and don’ts, starting May 25th:
- You should not set browser-identifying cookies unless the visitor has given explicit okay. Basically, you should have a pop-up informing the visitors about tracking – and set those cookies only for those who click ’yes’. For everybody else, you need to either not install cookies at all, or install one with a uniform Client ID.
- In case you are doing any retargeting, or utilizing client cookies in any way in communication, stop it by May 24th. You can start it again afterwards, but you will need to collect audiences by having them explicitly give their permission for it, after informing them what you’re doing with their data.
- In case you’re giving visitor data to any third parties (such as Google, Facebook, or any other ad network) you need to make sure the visitor gives explicit okay to what they will be doing with their data, before giving them the data. Yes, this can be a troublesome thing to achieve.
- If you have subcontractors working with data you’re collecting, make sure you have a signed Data Processing Agreement (DPA) with them, and that you have defined appropriate roles with your subcontractors.
- If you want to save yourself a lot of hassle, make sure you have one person in the company who is aware of and responsible for most data protection issues and practices (a Data Protection Officer). This might save you a big headache in the future.
- Also, make sure you have mapped out the processes your company uses in handling any personal data. If there are legal questions, you will have to be able to show how you do it.
- And last but not least, in case nobody in your organization has done so yet, you had better consult your lawyer.
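The cookie and third-party points above, together with the per-purpose consent and erasure requirements from the earlier list, as an added JavaScript example (not code from this article). The purpose names, the `cid` cookie name, the one-year lifetime and the `Map` standing in for a database are all assumptions made for illustration.

```javascript
// Hypothetical purpose names: one entry per use or controller that needs its own "yes".
const PURPOSES = ['cross_session_analytics', 'ad_network_a', 'ad_network_b'];
const UNIFORM_CLIENT_ID = 'anonymous'; // identical for every non-consenting browser
const ONE_YEAR = 60 * 60 * 24 * 365;   // assumed lifetime of the identifying cookie

// Default deny: only a literal `true` stored for a known purpose counts as consent.
// Missing keys, "yes" strings, 1, or an absent record all mean "no".
function normalizeConsent(raw) {
  const consent = {};
  for (const p of PURPOSES) consent[p] = raw != null && raw[p] === true;
  return consent;
}

// For a visitor with no cookie yet: decide which cookie to write and which
// third-party tags may load. newId is injectable so the logic can be tested.
function decideTracking(rawConsent, newId = () => globalThis.crypto.randomUUID()) {
  const consent = normalizeConsent(rawConsent);
  const thirdParties = PURPOSES.filter(
    (p) => p !== 'cross_session_analytics' && consent[p]);
  const identify = consent.cross_session_analytics;
  const clientId = identify ? newId() : UNIFORM_CLIENT_ID;
  // The identifying cookie persists; the uniform one is a session cookie (no Max-Age).
  const lifetime = identify ? `; Max-Age=${ONE_YEAR}` : '';
  return {
    clientId,
    thirdParties,
    cookie: `cid=${clientId}${lifetime}; Path=/; Secure; SameSite=Lax`,
  };
}

// Withdrawal: erase the stored records for that client ID and expire the cookie.
// `store` is a Map standing in for the real database (constructed for this example).
function withdraw(store, clientId) {
  const erased = clientId !== UNIFORM_CLIENT_ID && store.delete(clientId);
  return { erased, cookie: 'cid=; Max-Age=0; Path=/; Secure; SameSite=Lax' };
}
```

The returned `cookie` string can be assigned to `document.cookie` as is; a tag loader would then inject only the scripts listed in `thirdParties`.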
What will the future look like?
Most likely, many businesses will not be ready by the time of the deadline. Several companies seem to be looking at what the actual practice and translation of the law will look like before making drastic changes – and especially what online giants like Facebook and Google do. For most, doing so carries a lot of risk, since their role is usually different to companies that actually collect and use the data (e.g. advertisers and media). Penalty fees for breaching GDPR can amount to millions of euros – and it is very easy to breach it if you’re not careful. At the moment, it therefore seems that the legislation is strict enough to ensure that eventually, changes will be made.
Short term effects might be quite drastic – perhaps not immediately after May 25th, but at the latest soon after the first company is sued due to mishandling identifying cookie data. Ad networks will lose efficiency as platforms of reaching widespread audiences, and retargeting audiences will both diminish in size and likely become much more tuned into your core customer group. Overall, in a year’s time, some of the ground rules of how tracking is done, and how data should be understood, might have changed a great deal.
Eventually, if the current status of tracking cookies as personal information persists, both websites and marketers will need to start thinking about new strategies on how to get tracking consent in a way that is transparent, well communicated and beneficial to the user. This might well turn out to be to the benefit of both online businesses and consumers, as it forces the companies’ hands in ensuring that people who get tracked also gain enough benefit from said tracking.
As the proverb says, as online analysts and marketers, we live in interesting times. By the start of the summer holiday season we will likely learn just how interesting these times will be.