GDPR – How it impacts Email Marketing, AdWords and Facebook Advertising
The General Data Protection Regulation (GDPR) is a new European Union Regulation concerned with the protection and free movement of personal data and the rights of individuals, including children. It replaces the EU Data Protection Directive (95/46/EC) from 1995 and the UK Data Protection Act 1998, which was enacted to bring British law in line with the above Directive.
These new regulations will come into effect on May 25th, 2018 and will apply to all companies processing the personal data of people living in Europe. The law applies to all businesses regardless of where they are based. This may lead you to the question: “what about Brexit?” First, the UK government has stated and reaffirmed numerous times that GDPR will become the data protection regulation for the UK after Brexit. Additionally, if you’ve done your math, you have already figured out that the UK will still be in the EU in May 2018.
GDPR 2018 WILL affect your business – but you can easily stay ahead of the curve by preparing early
It is important to remember that the GDPR covers all data not just marketing data. It applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Brexit will have no impact on the implementation of the GDPR in the UK. First as we just pointed out it covers all companies that do business in the EU. Secondly, the UK will still be a member of the EU on the implementation date of 25th May, 2018. Lastly, the UK government has made it clear that GDPR will be the l aw post Brexit.
How do I record consent?
When the GDPR becomes effective, data controllers will need to demonstrate that they have informed their data subjects of their processing activities and (if relying on consent) consent has been obtained to the GDPR standard.
Each controller will need to establish their own processes and practices to ensure compliance with the provisions of the GDPR. Records should demonstrate:
- Who consented
- When they consented
- What information was supplied at the time
- How they consented
- Whether consent has been withdrawn.
Say a Chicago-based software company is looking to run a campaign in France and has set up a webpage to collect email addresses for a white paper. At the very least, the company will need a checkbox — without a default “x” in it — accompanied by clear language about what it will be doing with these email addresses. And it’s not allowable to ask the user to click on a link to a long “terms and conditions” document filled with legalese.
If you have a signup form that contains an opt-in checkbox with, “Yes, I’d love to receive future emails”, then that’s going to cease being the gold standard on May 25. You’re going to need to come up with something more specific – something that says what those emails are going to contain, and how often you’ll be sending them.
But coming up with clearer, more specific opt-in text is one thing. The GDPR also says that you need to be able to demonstrate you have that specific consent.
Important notes considering consent, include:
- You will need explicit opt-in for all electronic marketing channels.
- Silence, pre-ticked boxes and inactivity do not prove consent.
- Consent can be withdrawn by your customer at any time.
When generating a sign-up form in the OpenMoves email platform, you’ll now be asked to describe the content you will be sending to the contacts that sign up and the frequency you will be sending, so the subscriber can agree to signing up for your emails.
You may already be storing preferences in data fields, or perhaps with address books. That’s great, and you should carry on doing that. But being able to demonstrate why a contact has those preferences? That’s something that’s probably new to you – and it’s why we now have Consent Insight. Consent Insight stores all the above when the code is added to your sign-up forms. Learn more about Consent Insight for the OpenMoves platform.
Will I need to refresh the consent of my email contact list?
While not required, we recommend segmenting out contacts who have a UK/EU domain, as well as by location if available, and sending these contacts an email asking them to verify/double opt-in (learn more about double opt-in here: https://support.openmoves.com/hc/en-us/articles/215581023-Using-double-opt-in– ) or point them to a sign up page with the consent check box.
To make this process easier, check out our new automation program templates available for GDPR which can be found under Automation > My Programs > + New Program > GDPR section. You can now set an automation to look for anyone who has not double opted in/verified and send them an email to double opt-in. If they don’t click to double opt-in/verify within a certain period of time (recommended 7 days), then the program can put them in a separate address book where you can then delete them from your account.
What does this mean for your Google AdWords and Facebook Targeting?
In general, GDPR will make it more difficult for you as an advertiser to target EU audiences based on personal information and characteristics unless the users opted in. This means that the available EU audiences you can target as an advertiser will be reduced. By how much, we don’t know.
When one uses Google or Facebook one willingly discloses personal data. These businesses have the right to process the data to provide their services when one asks them to. GDPR will prevent them from using the personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” (The GDPR, Article 5, paragraph 1, b.).
Google and Facebook cannot ask their users for broad, non-specific, consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have made clear what they expect:
“A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”.
A business cannot collect more data for a purpose than it needs and then retroactively ask to use those data for additional purposes.
Google and Facebook will likely be reprocessing all it’s EU users data. It will also need to add layers of opt-in gates to comply with the new law. We also anticipate upfront transparency around how private data is used, once it is collected.
Programmatic advertising, like Google’s DSP, will be hit with massive changes as well because users will have to opt-in with multiple companies: Google + the DMP companies that collect data on users for programmatic ad targeting. Read more about that here.
All personalized advertising on Google and Facebook such as Search, Youtube, Maps will require that users opt-in to tracking. This will affect certain audience targeting features of “remarketing”,” retargeting” “affinity audiences, “in-market audiences”, “similar audiences”, “lookalikes” and several more. A prospect would have had to give their consent to the advertiser for this to occur.
In addition, “programmatic” advertising based on Gmail will also be affected. Google mines the content and metadata of each email message sent and received in Gmail to target advertising. This could not have continued under the GDPR without each sender and recipient giving their consent. Clearly, few would do so, and Gmail is at four on the scale. This may be the real reason, or at least a contributing reason, why Google has recently announced that it will stop mining people’s emails for ads.
Operating these under the GDPR would require not only that a user consents to Google’s use of data for advertising targeting purposes, but to the many other companies such as DMPs (data management platforms), DSPs (demand side platforms), and so forth processing these data too.
Location targeting technologies may skip the need for an Opt-in and only have an opt-out.This is based on the assumption that advertising in map search results is accepted as a compatible purpose with the original purpose for which location data were shared by users.
Google’s AdWords product has the benefit that it can be modified to operate entirely outside the scope of the GDPR. If Google discards personalized targeting features from AdWords, then it can continue to target advertisements to people based on what they search for.
Here are the official Facebook and Google pages on GDPR: