You have almost definitely heard about the General Data Protection Regulation (GDPR) that came into effect on May 25th, but for some, there still seems to be a bit of confusion over what exactly it means, especially for those outside of the European Union.
The GDPR is a new set of rules that makes it easier for residents of the EU to protect their personal data online. Although it was approved just over two years ago, its entry into force this May still managed to take some by surprise. And while advertisers may be finding it rather restrictive, the GDPR is being lauded as the most important new regulation of data privacy in two decades.
The main question, though, is what it means for you.
Compliance is Mandatory
There has been confusion in some circles over how this affects those in North America, but in essence, if you serve clients from the EU and you use Google Analytics, Tag Manager, or the AdWords Remarketing code, then your site must be in compliance, and this means gaining consent.
According to Google,
You must obtain end users’ legally valid consent to:
- the collection, sharing, and use of personal data for personalization of ads.
When seeking consent you must:
- retain records of consent given by end users; and
- provide end users with clear instructions for revocation of consent.
You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.
To put that in simpler terms, if you are tracking the actions of your website’s visitors in order to offer personalized ads at a later date, you need the express approval of those visitors to do so.
There are two exceptions to be aware of: Google’s Customer Match—a tool that is used to upload customer data to target specific groups within AdWords—and uploaded data from Google Store sales. In both of these cases, Google is the processor and controller of personal data. In their own words:
When we handle end user personal data, the customer and Google will each act as independent controllers under the GDPR, except for the Customer Match and Store sales (direct upload) features, where Google will act as the customer’s processor for customer-provided personal data.
In these circumstances, you will be responsible for verifying that Google is processing the data in a GDPR-compliant manner.
In creating your Customer Match audience, you will be using personal data, and as such, you will need to be able to provide proof that each and every member of your database granted their explicit opt-in consent. Google will not be responsible for this.
Google Store sales refers to data acquired through offline transactions. This data is imported to AdWords and matched to AdWords user information, creating an audience for cross-selling and up-selling. Given that financial information may be a part of Store sales information, consent would be needed under the GDPR.
The GDPR may not be of concern to some businesses, but it is certainly something to be aware of in order to avoid potentially crippling fines that could have been avoided with the simple act of obtaining consent.
If you have any questions about the General Data Protection Regulation (GDPR), contact us at Marwick Marketing!
About Marwick Marketing
Marwick Internet Marketing is a Premier Google Partner Agency specializing in Search Marketing (SEO, PPC & CRO), with offices in Vancouver, Victoria and Squamish, Canada.