There is a lot of buzz around GDPR lately as D-day (25th May) approaches, although digital marketing companies and many businesses have been contributing to the hue and cry around it for a long time.
So, the big question is: what is GDPR (followed by many bigger questions)?
GDPR stands for General Data Protection Regulation and is a regulation in EU law for data protection and individual privacy that would become enforceable on 25th May 2018. The law was adopted in 2016 and, once enforced, would replace the 23-year-old EU legal act, the Data Protection Directive.
There are adverse implications if you do not comply with GDPR: the penalties could run to €20 million or 4% of total revenue (the world over).
GDPR is a data regulation which concerns the control and processing of personal data, namely the personal data of the EU citizens to whom any goods/services are being sold, even if the company is not based in the European Union.
The regulation would have a widespread impact on the various marketing technologies we use as digital marketers and one of them is web analytics. Google Analytics is a web analytics tool extensively used across the world. There are about 50 million websites which are configured with GA. GDPR would have a major impact on GA.
As per GDPR, if you are using GA, Google Analytics is your data processor and you are the data controller. That makes it important for GA, as a data processor, to be compliant with GDPR.
Well, there are various ways to become GDPR-compliant which would save you from a lot of hassle. Here are 5 ways to align with the regulation.
PII, or Personally Identifiable Information, is data which could potentially identify a specific individual. There are various combinations of data sets, like a Google Analytics report and existing data, that could identify an individual, and GDPR would count them as PII. Google Analytics terms already prohibit collecting PII and the GDPR would tighten the noose. To comply with the regulation, check the page URLs and titles for PII you might be transmitting to marketing tools.
GDPR in its definition of PII considers an IP address to be PII, as Google uses the IP to provide geolocation data. GDPR compliance requires you to turn on IP anonymization, and enabling it requires a code change. This can be done either through Google Tag Manager (GTM) or by editing the code directly.
Gaining consent for tracking in GA constitutes an important part of GDPR, and more important still is how you gain that consent. When collecting user IDs and other pseudonymous identifiers, gaining consent from the user is imperative. The ‘cookie consent’ would no longer be considered gaining consent; rather, you would have to be more explicit about it. The best way, which is also the most common, is an overlay modal that pops up (once the website loads) to ask the user for his/her consent.
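The three Google Analytics checks described above (PII in page URLs and titles, IP anonymization, explicit consent) can be combined into one gate in front of the tracking call. The sketch below is an added example, not code from the original post; the sensitive parameter list, the sample URL and the `GA_TRACKING_ID` placeholder are assumptions, while `anonymize_ip`, `page_location` and `page_title` are gtag.js config fields.

```javascript
// Added example: build a Google Analytics pageview config that applies the
// three checks above. Pure functions, so they run in Node as well as a browser.

// Assumption: query parameter names that usually carry personal data.
const SENSITIVE_KEY = /^(e?mail|name|first_?name|last_?name|phone|user(name)?)$/i;
// Email addresses, with "@" either literal or percent-encoded as %40.
const EMAIL = /[A-Z0-9._+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Remove PII from a page URL before it is sent to any marketing tool.
function scrubUrl(href) {
  const url = new URL(href);
  url.pathname = url.pathname.replace(EMAIL, 'REDACTED');
  // Copy the entries first so that set() does not disturb the iteration.
  for (const [key, value] of [...url.searchParams]) {
    const clean = SENSITIVE_KEY.test(key)
      ? 'REDACTED'
      : value.replace(EMAIL, 'REDACTED');
    if (clean !== value) url.searchParams.set(key, clean);
  }
  return url.toString();
}

// Returns null (send nothing) until the visitor has explicitly opted in.
function buildPageview(consentGranted, href, title) {
  if (consentGranted !== true) return null;
  return {
    anonymize_ip: true, // gtag.js IP anonymization switch
    page_location: scrubUrl(href),
    page_title: title.replace(EMAIL, 'REDACTED'),
  };
}

// Constructed sample page, not real data.
const sample = buildPageview(
  true,
  'https://shop.example/account/jane.doe@example.com/orders' +
    '?email=jane.doe%40example.com&utm_source=news&ref=bob@example.org',
  'Orders for jane.doe@example.com'
);
console.log(sample);

// In the browser, once the consent overlay reports an opt-in:
//   const cfg = buildPageview(userOptedIn, location.href, document.title);
//   if (cfg) gtag('config', 'GA_TRACKING_ID', cfg); // placeholder property ID
```

With the older analytics.js snippet the equivalent anonymization switch is `ga('set', 'anonymizeIp', true)`.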
Another marketing technology that would be impacted by GDPR is email marketing. Email marketing delivers marketing campaigns personally, which makes it more effective than other broadcasts and a growing marketing technology. According to Radicati’s 2016 Email Statistics report, email would be used by 3 billion people by the year 2020.
GDPR would not only consider the contacts collected after the enforcement date, i.e. 25th May 2018; the regulation would apply to your existing contacts as well.
If you are using email marketing, GDPR would like you to:
You need to check, or have an audit of, all the contacts you have been adding to your email marketing database over the years. Check whether you know the geographies of these contacts, when you added them to the repository, whether you have been taking the consent of the contacts, and how you got them into your database.
GDPR would require you to provide the ‘unsubscribe’ option clearly and in a simple way. For that, you should include the unsubscription link in all marketing communications so that a user can unsubscribe from the marketing communication in question or from all of your communications. The unsubscription process should be very simple, enabling the user to unsubscribe in a single click. Asking a user to log in to your web page to unsubscribe is not recommended. GDPR would also empower the user to get his/her data erased completely by directly emailing you.
As of now, signing up may be considered as accepting terms and conditions and hence taken as consent. GDPR, however, requires separating the consent from signing up, so that the user is able to clearly understand whether they are giving consent to receive the emails.
The data subject’s consent relies on the clear opt-in boxes being used. Pre-ticked boxes will not be sufficient to confirm consent under the new regulation.
Facebook has evolved into an indispensable marketing technology, but with the recent data scandal, it would have to keep itself out of any kind of controversy.
As an advertiser, you would have to inform your prospects about the data you are collecting: what you would be doing with their data and with whom you would share it.
If you are using Facebook Pixel you would have to obtain consent from prospects such as:
The data collected by the retail websites about the products people view for the purposes of ad targeting.
Facebook advertisers who install the Facebook Pixel to measure ad conversions.
Since Facebook owns Instagram, Instagram will be as GDPR compliant as Facebook is. You don’t need to do anything extra to use Instagram ads or acquire additional consent.
When you upload a custom audience to Facebook using a data file, Facebook is a mere data processor, so you will be responsible for complying with GDPR standards (before that information is uploaded to Facebook). It is not possible as of now, as there is no tool to do this, but Facebook is in the process of developing a Custom Audiences permission tool that will require you to provide proof.
Facebook Lead ads are a great business tool and here is what Facebook has to say about GDPR compliance with leads: “In the case of lead ads, both Facebook and the business are data controllers, thus, both parties are responsible for ensuring compliance.”
While the main focus here was Google Analytics, email marketing and Facebook ads, these steps also apply to other marketing technologies, as the core remains common, i.e. data permission, data access, and data focus.
Remember, GDPR isn’t designed to stop businesses from communicating with their customers. In fact, it will lead to an increase in data quality, which is why it’s an opportunity to delve deeper into the needs of prospects and customers.
We are not a law firm and this blog post is based on our research and interpretation of the General Data Protection Regulation (GDPR) and e-Privacy Regulation. The sole purpose of the blog is to give information to the readers, and we advise you to seek legal counsel that specializes in the GDPR and e-Privacy Regulation to ensure that your organization conforms to these regulations. GDPR is complex and interpretations vary. If you have questions or suggestions, please comment and provide sources, as appropriate.