If you’re based—or advertise to prospects—in Europe, there’s a pretty decent chance you’re familiar with the General Data Protection Regulation (GDPR).
It’s a package of new legislative rules being introduced by the European Union to make it easier for residents of EU countries to protect their personal data online. The regulation was officially approved on April 27, 2016, and will formally go into effect across the entirety of the EU by May 25, 2018.
And it’s being heralded as “the most important change in data privacy regulation in 20 years.”
We’ve talked about how this suite of historically restrictive (at least from the advertisers’ perspective) laws will impact your Facebook Advertising efforts.
Today, we tackle AdWords.
The Gist
Search, plain old intent-based search, requires no personally identifying information. Today, at least, a search query doesn’t constitute “personal,” regardless of its contents.
Provided you aren’t using any kind of remarketing or conversion tracking, you won’t need to do anything at all. Google is the controller (the handler of personal data) and there is no processor (an entity that process data on behalf of a controller); you’re just along for the ride.
This approach is great for, say, Coca-Cola’s next branding campaign in which impressions are the only metric that matter; for small businesses, not so much.
When you want to learn something—or create audiences—based on the tangible business value created by all those clicks you’re paying for, things get messier.
Cookies, Remarketing, and RLSA
Do you use Google Analytics, Tag Manager, or the AdWords Remarketing code on your site to build valuable, bottom-of-the-funnel audiences?
(Gosh, I hope the answer’s yes…)
If so, you must obtain consent.
Per Google, “Advertisers using AdWords will be required to obtain consent for the use of cookies where legally required, and for the collection, sharing, and use of personal data for personalized ads for users in the EEA. This includes use of remarketing tags and conversion tags. Where legally required, advertisers must also clearly identify each party that may collect, receive, or use end users’ personal data.”
In plain English, this means that if you’re using a Google product to track the on-site action of prospects in order to serve personalized ads down the line, you must acquire their consent to do so.
Exceptions: Customer Match and Store Sales
There are two instances—Customer Match and uploaded Store Sales data—in which Google acts as both a controller and a processor of personal data, meaning that they simultaneously determine the purposes of data while processing data you control.
The exact language they use is as follows (note that you are “the customer”):
“When we handle end user personal data, the customer and Google will each act as independent controllers under the GDPR, except for the Customer Match and Store sales (direct upload) features, where Google will act as the customer’s processor for customer-provided personal data.”
As such, in these situations you are responsible for ensuring that the data Google is processing complies with the GDPR.
Customer Match is a tool that allows you to upload a CSV file loaded with customer data to target specific groups within AdWords.
Since you’re relying on data that’s by no means pseudonymous to create your Customer Match audience (email, phone, name, and zip code are all pretty identifying), you’ll need to be able to prove that you acquired explicit, opt-in consent from each member of your database; doing so simply isn’t Google’s problem.
Store Sales refers to the ability to the ability to import offline transaction data into AdWords, at which time Google matches transactions data with AdWords user information to create powerful audience for optimization, upselling and cross-selling.
In addition to the same personally identifying information implicated in Custom Audiences, when it comes to Store Sales there’s also a chance that financial data could be appended and, thus, there is a clear need for informed consent under the GDPR.
Now, the majority of advertisers aren’t using either of these valuable tools, but the ones that are will need to be able to prove to prospective auditors that the information uploaded for Google to process on their behalf is kosher.
What’s Next?
The GDPR promises to be one of the most far-reaching and ambitious consumer protection programs ever devised.
Although the implementation of the GDPR is likely to cause some businesses more difficulty than others (such as enterprise firms that offer “big data” products), it’s important to remember that this legislation is being introduced to protect users’ rights in a time at which almost every conceivable aspect of our lives is stored online – and is highly vulnerable to exposure and exploitation.
The regulations officially go into effect on May 25th. If you haven’t started preparing your AdWords account (and landing pages) for the impending changes, you should probably get going.