As of May 25, a new set of advertising laws called the General Data Protection Act (GDPR) comes into effect across Europe. Once this happens, all companies that target people in Europe with their ads will be legally required to meet the new GDPR advertising standards or face fines of up to €20 million or 4% of their global annual income, whichever is the larger amount.
GDPR is designed to protect people’s personal data and this is obviously going to have a significant impact on the advertising industry. It’s also pretty complex, complete with a bunch of unanswered questions. However, we’re going to do our best to summarise the impact of GDPR on advertising throughout 2018.
What is GDPR?
The General Data Protection Act (GDPR) is European legislation that aims to protect the personal data of people living in EU nations. Now, your first thought might be “who cares?” because we’re due to leave Europe in 2019, but Britain is also signed up to this thing and this doesn’t look likely to change as part of the leaving process.
So GDPR will almost certainly apply to Britain, even after we’ve left Europe.
The key thing to know about GDPR is that its regulations require compliance from businesses. In other words, it’s your responsibility to comply with the legislation and non-compliance could result in massive fines.
What regulations do we have to comply with?
First of all, let’s be clear in saying that the only version of the GDPR regulations you should fully trust is the official one – which you can find here. We’ll do our best to summarise these in a more readable fashion, but don’t take our version (or anyone else’s) as the gospel truth.
Get the necessary legal advice if you have any doubts.
Until then, here’s a quick run through of the key requirements under GDPR:
- People you collect data from (data subjects) must explicitly opt-in to having their personal data processed by your company.
- You must make it clear what will happen to any data people hand over.
- People have the right to refuse the use of their personal data without being prevented from using your services.
- Consent must be tracked by your company (the data controller). You need to know when consent was given by an individual and any changes that follow.
- People have the right to access any information collected about them.
- People have a “right to explanation”, allowing them to ask why any algorithmic decisions are being made about them.
- You must appoint a data protection officer who is responsible for making sure your company is compliant with GDPR.
- You must take additional measures to protect people’s data and notify them about any breaches.
- You must also erase all user data upon request or once a service agreement comes to an end.
That pretty much sums up the requirements under GDPR and you can already get an idea of how much they’re going to shake things up. Essentially, this is about giving power back to people over their own personal details – and we consider this to be a good thing.
Who needs to comply with GDPR?
The simple answer to this question is any company that targets people in the EU or Britain. This means our friends over in the US and other parts of the world will need to comply with GDPR if they want to continue advertising to people over here. Likewise, it also means you don’t need to comply with GDPR when you’re collecting data from people outside of Britain and the EU.
Officially, there are more criteria that define an organisation’s need to comply with GDPR:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional or includes certain types of sensitive personal data.
Either way, any company that collects data from people within the EU or Britain needs to comply with GDPR.
What counts as personal data?
This is the key question surrounding GDPR: the distinction between personal data and non-personal data. Any information that can be used to identify an individual counts as personal data, and this is where you’ll need to be compliant with GDPR regulations.
Article 4 of the GDPR states that:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For example, you can’t identify a person by their age or which country they live in. However, collecting someone’s name and their precise location very much counts as processing personal data. Here’s a quick look at the kinds of data that are protected by GDPR:
- Identity info: Name, address, ID numbers, etc.
- Web data: Location, IP addresses, cookies, RFID tags, etc.
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Things aren’t always black and white when it comes to personal data, though. For example, there are many John Smiths out there, and collecting only someone’s name doesn’t necessarily make them identifiable. Likewise, multiple people can be in the same location at the same time, which means location doesn’t always count as personal data on its own.
In many cases, it’s the combination of data (eg: name and location) that makes information personal. It’s important you’re able to distinguish between these instances once GDPR comes into effect. If you’re in doubt, it’s best to err on the side of caution, but you don’t want to limit your data processing any more than necessary.
What does this mean for the data we already have?
If you’re hoping GDPR will only apply to the data you collect after May 25, you’re not going to like this section. The new regulations will apply to all data used once GDPR comes into effect, which means any data you use after May 25 will need to comply with the regulation.
In other words, you’ll need to get consent from users before you can use any of your existing data that involves personal details.
What if you already have consent from users, though? Well, this depends on how you first acquired consent from them and whether that consent complies with the new GDPR regulations. Even if your existing consent remains compliant with the new regulations, you’ll still need to reach out to users and meet the rest of the GDPR criteria – eg: explain what their data will be used for.
Either way, you must be fully compliant with GDPR before you use any of your existing data.
How much will GDPR actually affect advertisers?
How much GDPR affects your company, or you as an advertiser, depends not only on how you handle data, but also on how authorities enforce the regulations. The first thing to understand is that GDPR isn’t only there to protect consumers; it’s also there to protect your employees and anyone else whose data you have access to.
Something else to consider is that how Google, Facebook and the other advertising giants collect their data has nothing to do with you. So you don’t need to worry about using any targeting options in AdWords or Facebook that use data collected by the two tech firms. What you will need to adapt for is any targeting options that use your own data – eg: customer match, which uses data you’ve collected from your existing customers to target new leads.
Whether Google and Facebook change their targeting options to take the responsibility away from you, remains to be seen. Likewise, how much the authorities pressure the likes of Google to get consent from users also remains to be seen. We imagine Google will argue that people signed in to its platforms have already given their consent by signing up and try to get away with notifying them about changes to their data and privacy policies.
Time will tell on this one.
So there are two main impacts that GDPR will have on companies and advertisers. First, there’s the impact on the way you collect and handle data from people. Next, there’s the impact on the tools you use which collect data themselves to help you advertise more effectively. In the case of using AdWords and Facebook for advertising, the impact could be relatively small, depending on how they proceed and the reaction from authorities.
What you can’t wait around for is getting your own data processing into compliance with GDPR. You must be in line with the regulations by May 25 or risk getting fined for any data you use after the deadline.