A 10-point GDPR checklist for digital advertising

The GDPR: you’ve read a few articles and resources, been to a seminar, you get the ideas – but what does it mean, specifically, for digital advertisers – and what are the actions?

This article offers an opinion and an interpretation of the law, but it’s not legal advice.

With just four months to go – until 25th May – it’s actually remarkably hard to know. Marketing agencies have said very little. Facebook and Google (when it comes to their advertising products) are still working on their “comms.”

If a business has a website, then it’s likely to be its biggest source of personal data collection. Despite that, the relevant regulating body in the UK – the Information Commissioner’s Office – doesn’t seem to have offered any dedicated, direct advice for digital marketing technology; and they’ve published a guide to the GDPR that doesn’t include the word “cookie,” at all.

The only organisations that are recommending clear actions about the GDPR seem to be those that are in the business of providing services to help you be aligned, or compliant, or to avoid enormously costly risks.

So I’ve spent some time reading: there’s a starter list of resources at the end, below. I’ve read (some of) the text of the GDPR itself, and the European legal guidance on the law; industry opinions and advice; as well as what reaction and policy guidance we have seen from Google, including in reaction to previous European data protection law.

I’ve arrived at an interpretation “de jure” – by the book – of the new legislation, and from the perspective of my expertise in marketing technology. Some colleagues and contacts agree with me; but to be clear: it seems no-one can responsibly predict the outcome of the GDPR for digital marketing in practice, “de facto.”

1. Get ready to change the way you implement tracking tech

This would be a big, big deal, but some in the industry agree it’s the only way to interpret the law: Third-party tracking technology (including AdWords and DoubleClick tags, Facebook, Twitter, LinkedIn tags and SDKs, the likes of Criteo and other network tags…) should not be activated on web pages until the user consents explicitly to it being used (i.e. they opt in).

  • Croud has sought clear advice from Google and Facebook in particular on this point. As of mid-January, i.e. four months to go, neither has comms ready to respond, yet; but, we’re told, everything will be clear and fine in time for May…
  • The impact of opt-in consent being needed for third-party ad tech is potentially very significant, and advertisers won’t want to implement according to an interpretation of the new law that’s any stricter than their competitors take. Croud also continues to seek specific advice and industry guidance from the Internet Advertising Bureau in the UK; and we’ll update this article as our position develops.
  • You’ll be able to use Google Tag Manager (GTM) or another tag management system (which doesn’t collect data itself) to disable tags until consent has been given.

2. Understand where you don’t need explicit consent

Even without explicit consent, you can use first-party cookies as part of your website, in order to support the site’s functionality (e.g. the shopping cart); and for site analytics (e.g. a limited implementation of Google Analytics).

3. Get ready to implement site analytics in several different scopes

  • You can run first-party analytics (e.g. Google Analytics) without explicit consent, because it’s designed to measure and improve the service you’re providing.
  • But, as soon as you begin to use GA beyond this purpose, you may need to get consent first for that broader scope.
  • This means, for example, you may not be allowed to enable GA’s Advertiser Features without first having the user’s consent.
  • And if you use GA auto-tagging with a linked AdWords account, then potentially you are extending your record of the user’s personal data beyond your site, and so arguably you shouldn’t track the session’s landing page URL until the user has either allowed or denied consent. Once that’s clear, you can either include or strip out the AdWords ID in the URL, i.e. the “gclid parameter”.

    Sometimes, a user will ignore your request for consent; and in that case, you might not collect data from their landing page at all. Bouncing sessions wouldn’t be tracked; and it may be useful to use information stored, e.g., in a first-party cookie to correct the user’s landing page and traffic source if they do move on to a second page view.

4. Start planning for few anonymous users consenting to being tracked for advertising

Few users, because you can’t understand consent implicitly, and you can’t force users to give consent. A request for consent (opt-in, remember) can’t be an obstacle to the user using your service. Often, it will be withheld.

  • The exception to this is if the service cannot be provided except through the collection of personal data. If that’s the case, then it must necessarily be an obstacle.

    But in that case, you may not need to request consent anyway (because it’s obvious to the user that the data collection is necessary). This is like not needing consent to record your store’s transactions; or to collect the address to which a delivery should be made.

5. Ensure you can use first-party data

The GDPR and ePrivacy Regulation set Europe on course to a world without third party audiences. The most competitive businesses, in that world, will be the ones that make the best (respectful) use of first party data.

Your business may already have a customer database, but is it ready to use first party data for audiences, and with the necessary consent? Personal data needs to be clean and securely usable; and when it comes to consent, your business mustn’t store or process data without consent given in relation to a specific purpose(s), or store data that isn’t relevant to that purpose(s).

You may need to organise email campaigns, or custom consent requests on-site or in-app. Remember that these can also be an opportunity to improve data quality, and gain valuable customer feedback.

6. Start thinking about what you want your business to be seen to be doing with personal data, and how you’d like to express it

If you want to collect data for something, you need to be transparent about what you’re doing. When you obtain consent to process personal data (e.g. for use in advertising) you need to request it in relation to the specific purpose(s).

7. Get started on changes in your back-end systems

You’ll be required to keep a record of any consent you obtain. It looks as though this applies even for anonymous users, so this could be a record of consent held against cookie and user IDs. Later, these users might log in, or somehow identify themselves, and (with consent) you would unite cookie IDs and add to the record you hold against each user ID.
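The three mechanics described in points 1, 3 and 7 (holding third-party tags back until opt-in, stripping the gclid from the recorded landing page until consent is resolved, and keeping a consent record against an anonymous cookie ID) fit together in a small amount of client-side logic. The following is an added illustration, not code from the article or from any tag manager; the tag names, purposes, cookie and user IDs are constructed.

```javascript
// Consent states: "pending" (no answer yet), "granted", "denied", "withdrawn".
const FIRST_PARTY_TAGS = ["ga_basic"];                           // constructed names
const THIRD_PARTY_TAGS = ["adwords", "doubleclick", "facebook"]; // constructed names

// Which tags a tag manager may activate for a given consent state (point 1).
// First-party analytics runs regardless; third-party ad tech only on explicit opt-in.
function tagsAllowed(consentState) {
  return consentState === "granted"
    ? [...FIRST_PARTY_TAGS, ...THIRD_PARTY_TAGS]
    : [...FIRST_PARTY_TAGS];
}

// Landing page URL to record for analytics (point 3). Until consent is granted
// the gclid (AdWords click id) is removed so the session is not linked to an ad
// click outside the site; other parameters such as utm_* are kept.
function landingPageForAnalytics(url, consentState) {
  const u = new URL(url);
  if (consentState !== "granted") u.searchParams.delete("gclid");
  return u.toString();
}

// Consent record held against an anonymous cookie id, per purpose (point 7).
// Kept in memory here; a real deployment would persist it server-side.
const consentLog = new Map();

function recordConsent(cookieId, purpose, decision, at = new Date().toISOString()) {
  const rec = consentLog.get(cookieId) || { cookieId, userId: null, purposes: {} };
  rec.purposes[purpose] = { decision, at };
  consentLog.set(cookieId, rec);
  return rec;
}

// When the user later logs in, attach their user id to the cookie's record so
// consent can be looked up, and withdrawn, by either identifier.
function linkUserId(cookieId, userId) {
  const rec = consentLog.get(cookieId);
  if (!rec) return null;
  rec.userId = userId;
  return rec;
}

// Withdrawal is recorded as its own decision rather than deleting the entry,
// so the history of what was consented to, and when, survives.
function withdrawConsent(cookieId, purpose, at = new Date().toISOString()) {
  return recordConsent(cookieId, purpose, "withdrawn", at);
}
```

In a tag manager such as GTM, `tagsAllowed` would drive the triggers that fire the listed tags, and `landingPageForAnalytics` would supply the page path sent to the analytics tag.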

8. Get ready to treat personal data like it doesn’t belong to you

Your site needs to allow its users to withdraw their consent for you to store and process their personal data. If that happens, you need to be able to delete it. We look forward to seeing how (the first-party data collecting) Google Analytics, for example, might offer a feature to delete user records. Third party ad tech – via e.g. the user’s account privacy preferences – is taking the approach of offering those consent and data control features directly to the user, for you.

You’ll also need to allow your users to request a copy of their personal data, and you need to be able to supply it electronically and in a machine-readable format. This is about making the data portable: your users will be entitled to take their data to a competing service provider.

9. Check your privacy policy

It needs to:

  • Include further detail on the data you’re collecting and the purposes (if e.g. you’ve used a small banner to summarise it, and some users might need to find out more)
  • Say who you’re sharing personal data with, especially if they’re another data controller in their own right. As this (detailed and useful) example on the ICO website seems to suggest – see, “If you share data with other data controllers” – if you’re sharing data with Facebook, so that they can show ads to your users across their network, then you’re sharing data with another controller. You need to be transparent about that (and you need consent).
  • Comply with your technology partners’ user consent policies, e.g. for Google AdWords and DoubleClick, and for GA’s Advertiser Features

10. Consider writing a risk register

Maybe some of this is worth taking a risk on, at least to start with. The dilemma is, how big is that risk, and how should you account for it? The potential fine (as we all know so well) is 4% of annual global turnover or €20m, whichever is greater.

  • In the UK, the relevant regulatory body is the Information Commissioner’s Office. While fines collected by the ICO are now delivered directly to the government, perhaps we should still consider the collection of fines to be incentivised.
  • The GDPR supports public regulation, but also private cases brought against offending businesses, including class action suits. Anyone who feels that their personal data has been abused can sue. In talking to clients and contacts, some feel more concerned about their CRM databases – first-party data – and less worried about the tracking technology on their website. I would argue, however, that your site tech may be a bigger risk: your website is public, and your tracking technology operates on and is visible to everyone who visits your site.
  • Regarding private suits: don’t think just of clued-up individuals going after your brand for a political cause. Clued-up, political people organise themselves and others into groups, and even into businesses. See https://www.digital20.com/ as one example.


by Kevin Joyner
19 January 2018


