What in the world does GDPR stand for? What is it all about? Who is affected by it, and should I care? Those are all good questions, and I am going to give you information that will be helpful to you in some of your advertising decision making. The GDPR is nothing new. It was adopted in April 2016 and has been in effect since May 2018. It has caused a large number of web sites to change how they collect data, but more on that later.
What is the GDPR?
First, GDPR stands for General Data Protection Regulation. Sounds simple enough, right? Before I get into details about what the GDPR is all about, let me answer the first half of the third question: who is affected by the GDPR? At this time, it protects individuals within the EU (European Union) and the EEA (European Economic Area).
The GDPR addresses individuals’ personal data being exported to areas outside the EU and the EEA. Its primary goal is to give individuals control over who can see their personal information and to simplify the international business regulatory environment by consolidating the EU regulation. The regulation contains provisions and requirements related to processing the personal data of individuals.
Anyone collecting personal data, referred to as a Controller in the GDPR, in the EU and EEA countries must put into place appropriate technical measures to enact data protection principles. Companies handling personal data put into place safeguards to protect all personal data they acquire during regular business proceedings so that the data is not accessible to the public, unless specific consent is obtained. This information cannot be used to try to identify an individual without information from other sources. Even if an individual has given their consent to share their personal information, they can repeal that consent at any time in the future.
Anyone who processes personal data must disclose any data they are collecting and state how long they will retain the information, as well as whether it is being shared with outside sources, whether they are in the EEA or not. Individuals can ask for a copy of the data that has been collected on them and can request to have that information destroyed at any time after it has been collected. Any entity that relies on personal data collected, whether government or private sector, must put into place a compliance officer to be sure the GDPR is followed. Businesses that have data breaches that affect personal data collected must report the breach within 72 hours or they could face very stiff financial penalties.
For more details on the GDPR, visit Wikipedia.
Does It Affect Me?
As for the question “Should I care?”, the GDPR applies not only to companies in the EU and EEA, but also to any company that advertises or does business in those countries. If you are running a Google Ads account and do not exclude the EU countries, you must provide Google with certain contact information. These contacts are a Primary Contact to whom all notices are sent, a Data Protection Officer to be sure the GDPR is being complied with, and an EU Representative if you have one. This information can be added to the Data Protection Contacts section of the Setup.
If you are an advertiser and your site uses data to influence ads being served, a consent form similar to the following should be used.
Google suggests that if you are writing a consent form for an app, you should use “mobile identifiers” instead of the word “cookie”.
Google And YouTube
In January 2017, Google announced that third-party measurement pixels would not be accepted starting in May 2018. They are also working to rectify pixels for a small group of vendors, including comScore, DoubleVerify, and others.
Google’s Customer Match Audiences
Google will only hold customer-loaded data files for as long as it takes to create Customer Match audiences. Once the audience build is complete, the customer-loaded file will be deleted. If you need to update your Customer Match audience file, follow the directions found in Google Help.
Google Remarketing Audiences
As an advertiser, you control what users are included in your remarketing list and how long they stay in the audience.
Google Analytics Data
There are several controls in place within Google Analytics to ensure you are in compliance with the GDPR. The data retention controls allow you to set a time limit for event data as well as user data. You can also set controls to delete data for individual users through the User Deletion API.
Which Countries are in the EU?
The list is long, so if you are advertising in one of these countries now, or plan to, take the necessary steps to protect yourself and your company. Here is the list: Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Republic of Cyprus, Romania, Slovakia, Slovenia, Spain, Sweden, UK.
One Last Question
The GDPR protects individuals living in the EU and EEA, but will similar measures be adopted in the United States? After the Facebook – Cambridge Analytica fiasco there has been talk that a similar regulation or law should be developed to protect people in the U.S. An article published on govtech.com discusses the data breach as well as the different avenues the U.S. and the EU have developed over the years. The article suggests three items of the GDPR that the U.S. should adopt to protect the personal information of its citizens.
Are you GDPR compliant? Don’t wait to find out you aren’t the hard way! Be proactive and get legal advice.
About the Author
Gary has been with That! Company since June 2014, starting as a novice. Under the guidance of several SEM masters, each with 10+ years of individual experience, Gary has become proficient in various platforms of SEM including AdWords, Bing, and most recently Facebook. Gary is certified as a Google Specialist covering all facets of AdWords. Along with his SEM duties, Gary trains new members of the SEM team in specialized report creation and distribution. He also aids in client onboarding processes and procedure training.