Please note this blog and its content are not exhaustive resources on GDPR policy and they should not be relied on as legal advice. Because legal information is not the same as legal advice – the application of law to one’s specific circumstances, we recommend consulting a lawyer if you need legal advice on how to interpret the legislation. This content is information for awareness purposes and to inspire you to review your current policies and practices.
If you’re reading this, it means that GDPR is here...
*cue dramatic music*
The main focus of GDPR has primarily been email addresses and personally identifiable information such as name, address, phone number, etc.
However, did you know that GDPR also applies to your digital marketing initiatives beyond email addresses?
If you weren’t, that’s ok! We’ll go over what digital marketing initiatives you need to gain consent from your end user for before placing cookies or collecting any information from them.
Just like with standard email marketing, you will have to make sure everyone in your marketing automation lists has given clear consent. Beyond consent to communicate with a contact in your database, if you or an agency is utilizing lead scoring as part of your marketing automation efforts you will have to get explicit permission from individuals to gather and use that information. Similarly, reverse IP tracking requires consent from the end user as well.
If you or an agency is collecting data from European Union citizens through Google Analytics, Tag Manager, or the AdWords Remarketing code on your site to create audiences, you must obtain consent from these visitors.
A more complex scenario is if you are uploading data for use with Customer Match to create audiences. Google serves as both a Processor and Controller in this situation, meaning they will determine the use of their data as controller while processing the data that you uploaded. You are responsible as Data Controller for ensuring the contacts that you upload were collected and stored in compliance with GDPR. In GDPR terms, you are an independent controller of the data you collect, store, and upload.
Much like Google Adwords, if you or an agency is utilizing Facebook Ads to advertise towards European Union citizens, you must obtain consent from the end user if you are utilizing the Facebook Pixel to collect data from visitors for use in the creation of Custom Audiences. Facebook explicitly states anyone using a Facebook Pixel “will have obligations under the GDPR.”
Also similar to AdWords, if you are uploading data to Facebook through a data file to create custom audiences, Facebook will act as both the Controller and Processor of that data, however once again you must ensure the data you upload complies with GDPR standards.
What to Do
With GDPR, the word “consent” is thrown around often. What that comes down to is you are legally required (by GDPR) to actively alert EU citizens about which cookies you will be placing when they visit your site, what data you are collecting behind the scenes, how you are using that data, and that you will not place cookies or gather information without an affirmation (such as clicking “I Accept”).
Now the difficulty is that it is nearly impossible to tell if someone browsing your site is a European Union citizen, so this idea of consent should apply to all website visitors.
Additionally, it should be noted that even if you are paying an agency or a 3rd party provider to advertise on your behalf, it is YOUR duty to ensure you are gaining consent to place cookies, and gather data from your users.
If you are uncertain of what cookies or advertising efforts are being conducted on your behalf, reach out to your agency account manager. They should be able to provide what digital marketing tools they are using to collect data. After you have gathered this information, it is your responsibility to talk with your legal team to ensure you are GDPR compliant, and that all privacy and cookie policies, cookie consent messages, and tagging mechanisms, are updated on your site to reflect these changes.