What does GDPR mean for Remarketing Advertising?

The introduction of the General Data Protection Regulation (GDPR) on May 25, 2018 enshrined new protections for residents of the European Union in relation to how their private data is managed by the companies and organizations that gather it.

Advertising has been a particular area of concern as large companies have, in the past, been able to take advantage of loosely defined data protection legislation in European Union Member States. These allowed the conducting of highly targeted digital advertising campaigns for their companies or clients. One such way that has been popular has been remarketing, this is the process where website visitors have a cookie tracking them after their visit to a website. The owner of the website visited can pay for adverts to appear when they visit other websites and social media platforms.

GDPR has changed the manner in which this can be conducted and all companies must take note or they will fall foul of the stringent GPDR penalties. These penalties can be as high as €20m or 4% of annual global revenue for the previous year. Though these fines have yet to be fully felt, as recently as this week Google had a €50m fine applied for GDPR breaches by the French data protection agency CNIL. You can read more about that here.

GDPR and Remarketing

It is a main tenet of GDPR that companies and organisations receive the expressed, unambiguous consent of EU residents prior to gathering the private data or using tracking cookies in their browsers. Simply using a banner alert or placing a cookies policy on a website is no longer sufficient. Website visitors must be given the chance to opt out or to ‘click to consent’ to having a tracking cookie applied to their web browsing when they visit a particular website.

This is not just the case for businesses located in the European Union Member States. Companies that collect any browsing data from an EU resident are also subject to GDPR rules and face the penalties that are applicable.

What GDPR Means for Google Ads and Facebook Advertising

Google issued a new consent policy for individuals using Google Ads (previously known as Google Adwords) prior to the May 25 2018 introduction date.

It said that when a Google Ads user is obtaining consent it is expected that an individual:

  • Clearly identifies each party that may gather, receive or use end users’ personal data due to you using a Google product. The user must also be able to provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.
  • Provides end users with clear instructions for cancelling consent.
  • Maintains records of consent provided by end users.

The full list of requirements is available here.

Unsurprisingly the requirements for Facebook are the same as those for Google Ads. Facebook amended its privacy policies prior to the introduction of GDPR. These policies can be read here.

Guidelines Making Your Remarketing Campaign GDPR Compliant

  1. Update Your Privacy Policy to include a section dedicated to personalized advertising.
  2. Include detailed guidelines in the Privacy Policy that advises users how to opt-out of personalized advertising.
  3. Include a link to your Privacy Policy within the GDPR notice or cookies banner that pops up as soon as a visitor enters your website.
  4. Make sure that your visitor completes an action that provides you with consent to track their web usage.
  5. Provide instructions on how end users can access and delete their personal information.
  6. Implement a dedicated Cookies policy if you have not already done so.
  7. Maintain your records carefully in case you ever need to prove that you have obtained consent correctly.