Unless you have been able to hide yourself from all the buzz about data protection, the chances are high that by now you’re familiar with the General Data Protection Regulation (GDPR) and the upcoming E-Privacy regulation (EPR). But what impact do all these new regulations have on your digital advertising activities?

When you’ve been reading one article after another and listening to all the GDPR fuzz, do you, as a marketer, still know what you can and can’t do in the digital space? 

We believe it is necessary to provide some guidance and clarity on how these new privacy regulations impact the common applications of world’s most popular advertising platforms: Google and Facebook. We know this topic can be very complex, so in this article we will only tackle those platforms’ most used applications.

To start (and never to be forgotten): are cookies personal data?

Since a lot of online advertising techniques are based on cookies, let’s first recap where cookies are considered to be personal data under the GDPR.  So yes, a cookie could be considered as personal data under the GDPR when they are used to identify the website user. This does not mean that the GDPR will eat all your cookies, a lot depends on the types of cookie you are dealing with. 

We can distinguish two types of cookies: functional cookies and non-functional cookies. Functional cookies make sure that the website functions properly (e.g. for login or registration purposes, language preferences, etc.). These cookies are not used to identify the website user and thus are not considered as personal data under the GDPR. 

Secondly, there are non-functional cookies (tracking cookies and third-party cookies). These cookies can be inserted for statistical, social, targeting and commercial purposes. Non-functional cookies are part of the notion of personal data under the GDPR, which means that you should ask for consent to use them (if identifiable).

Who’s responsible to ask consent for online advertising: you – as a marketer – or advertising platforms such as Google and Facebook?

When setting up your campaigns you are certainly using data collected by Google or Facebook. However, under the GDPR, these platforms can no longer simply share their users’ personal data without their consent. According to the GDPR principle ‘Purpose Limitation’, personal data can only be collected for a well-defined legitimate purpose and may not be used for other purposes without a prior valid consent. Hence neither Google nor Facebook can request a general consent linked to all purposes for which they aim to use their users’ personal data.

We know that this can be quite confusing for your prospects or customers. He/she might see your ads and decide to withdraw his/her consent, while in fact he/she should address a request to Google or Facebook. But we’ve noticed that marketers also get lost sometimes.

So, to make your life easier, we have made a list of the most common applications within advertising platforms – Google and Facebook – and the respective responsible for gathering consent.

Campaigns with Google Ads 

We don’t need to explain to you that Google AdWords (Google Ads as of July 24^th, 2018) is an essential source for bringing visitors to your website. However, this advertising platform has many different functionalities which are impacted by the GDPR which you as a marketer need to be aware of.

Campaigns in the Google Search Network

The most used form of Google Ads are ads in the Google Search Network. This network is a group of search-related websites and apps where your ads can appear. When you advertise on the Google Search Network, your ad can show near-search results when someone searches with terms related to one of your keywords. As no personal data is being used, the GDPR is not directly applicable here.

However, nowadays the Google Search Network is often used in combination with user data which makes the regulation applicable, e.g. demographic targeting or remarketing lists.

With demographic targeting, Google Ads enables you to target age and gender demographics within your search campaigns. When you want to use this data to create bid adjustments for different demographics or you want to exclude certain age groups, the GDPR is applicable but it is Google who is responsible for gathering valid consent.

The same goes for remarketing lists for search ads. This feature lets you customize your search ads campaign for people who have previously visited your site, and tailor your bids and ads to these visitors when they're searching on Google and search partner sites. As you use a target group that you have built yourself, it is you who are responsible for gathering consent.

Campaigns in the Google Display Network

Google’s Display Network, on the other hand, allows you to reach people with your display ads while they are browsing other websites, watching videos on YouTube or using mobile devices and apps. When trying to find new customers or engaging your existing customers you can make use of in-market audiences. These audiences allow you to target people who are most likely to be interested in your products. When doing so, Google uses data which require a valid consent. Hence, Google is responsible for obtaining consent.

Similar Audience Targeting

Similar audience targeting is available for the Search Network and the Display Network (but also for YouTube, Gmail, Customer Match and other apps). It is a feature that allows you to target new users based on the characteristics of a targeting group that you have collected. This similar audience consists of users that you have not contacted before, so it is not possible to ask their consent. However, since your target group is based on the preferences of your website visitors, you should ask your visitors’ consent if you want to share their data with Google.

Customer Match Targeting

Customer Match is a useful advertising tool for many business goals: from increasing brand awareness to driving conversions. It lets you use your online and offline data to reach and re-engage with your customers across Google Search (but also Google Shopping, Gmail and YouTube). Using information that your customers have shared with you, Customer Match will target ads to those customers and other customers like them. To benefit from this technique, you need to target ads based on email addresses, for which, of course, you need to ask for consent.

Because you use personal data that you also share with a third party, namely Google, it is important to turn this user data into pseudo-anonymous data. This can be done by hashing email addresses. Email hashing is a method of coding an email address by using an algorithm that transforms the email address into an unrecognizable series of numbers and letters. With hashed email addresses you can still analyze user behavior but it cannot be traced back to the address.

Conversion tracking in Google Ads 

We don’t need to explain you that when managing your campaigns, conversion tracking is essential. Within Google Ads there are several ways to track conversions.

First, we have the Google Ads conversion code. Here we find ourselves in a gray zone: on the one hand no personal data is involved when measuring conversions. On the other hand, the Google Ads conversion code barely differs from the Google Ads remarketing code. The latter is a block of code that adds your website visitors to remarketing lists as described here above. As discussed, if you want to use your users’ data you are responsible for asking for their consent.

Next to that, Google Ads conversions can also be imported from Google Analytics. If you set goals or measure transactions in Google Analytics, you can link them to Google Ads. Hence, you can evaluate which campaigns achieved the goals set. But with doing so, you are processing your website visitors’ personal data which of course implies that you need to obtain valid consent.

Advertising on Facebook

Next to Google, Facebook also offers a multitude of advertising options. Let’s have a closer look at the most common ones and examine the impact of the new privacy regulations.

Targeting your customer data base or site traffic

In this option you upload data that you collected directly from your customers or visitors of the website. Just like Google’s remarketing and customer match, it is you who are responsible for collecting consent from the data subject.

Look-alike audiences

Just as Google has similar audiences, Facebook also has look-alike audiences. This is again a gray area, because these target groups are established by combining data you have collected yourself with data from Facebook. Since the look-alike audience concerns people you have never had contact with, Facebook is the party that needs consent for using their data to target advertisements. Since the look-alike audience is based on the preferences of your known user group, you need to seek consent and notify users that their personal data is shared with Facebook. 

Targeting based on engagement

Facebook offers the possibility of approaching Facebook users that have engaged with your Facebook page or post, for example users that liked your message or placed a comment on your event. In this case it is Facebook that collects this data from the user, it’s their responsibility to ask for consent from the user to offer this as a targeting option.

Fan pages hosted on Facebook

If you are an administrator of a fan page you can obtain anonymous statistical data on visitors to this page via a function called ‘Facebook Insights’. The data is collected through cookies, each containing a unique user code, which are active for two years and stored by Facebook.

The German data protection authority published a press release stating that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page. In theory, this means that it needs to be agreed which of the two parties need to inform the visitors to the fan page that personal data concerning them is being collected and processed. In practice, we would advise you to be transparent with your visitors and inform them of this processing activity through your privacy notice.

If you are responsible for seeking consent, how can you obtain valid consent?

1. When consent is required to use your visitors’ personal data, keep the following conditions for valid consent in mind. A full overview of the requirements that must be met to obtain valid consent can be found in Article 7 of the GDPR and the respective recitals (32, 33, 42 and 43).
   Seek unbundled consent from visitors:
   
   • Best practice regarding cookies: Ask for consent before you drop cookies that identify your users on their computer.
     Note: A cookie wall (access denied until you accept) is not permitted under current legislation, nor will the new legislation allow you to work with only one button to accept functional and non-functional cookies at the same time.

2. Provide sufficient information about what personal data is used for advertising purposes
   
   • Best practice: Refer to your privacy notice everywhere you collect personal data
   • Best practice regarding cookies: Refer to your cookie policy in your cookie banner (or other message). This information should remain visible as long as you don’t have valid consent.
3. Explicit or implicit consent 
   • Best practice regarding cookies: You could still benefit from implicit consent. This could consist of continuing browsing your website without adapting cookie settings, under the condition that the visitor is informed (e.g. cookie banner). Note: The current proposal of the e-privacy regulations suggests that cookie settings should be managed in a central location, for example in the browser settings.
4. Users should have the possibility to withdraw their consent at any time
   
   • Best practice regarding cookies: Always provide an opt-out option by providing a control center where users can view and manage their privacy preferences.

In this climate of change, the protection of personal data gets more and more regulated. As a marketer it is essential not to let your digital advertising strategy be eaten up by these new regulations. Engage your Data Protection Officer (or legal advisor) for all digital marketing initiatives and document all personal data you are collecting for this purpose in your company’s data processing register. And don’t forget to see these new data protection regulations as an opportunity to improve your digital strategy.  

References: WordStream, Privy, Byte, Marketingfacts, Curia, EUR-Lex, Support Google