Much has changed since the EU devised its first set of rules on the processing of personal data in 1995. With the internet’s ubiquity, both the quantity and the nature of the personal data collected are vastly different from before. For that reason, the European Union revised its data protection regulations and approved an updated version in 2016. Following a two-year grace period, the General Data Protection Regulation (GDPR) will become fully enforceable from May 25th 2018.

In this article, I will first discuss the main changes the GDPR brings, followed by a special focus on the ways in which the new law affects the world of online marketing.

What key changes does the GDPR bring?

In general, from the users’ point of view, the conditions for the lawful processing of personally identifiable information (PII) will become fairer and more transparent (Article 5, GDPR).

PII includes any piece of data with which a single individual can be identified. Examples are names, email addresses, telephone numbers, or IP addresses.

While the term “fair” can be interpreted in many ways, when referring to GDPR-compliance, it includes but is not limited to the following categories:

  • User consent: Before storing or processing any PII, the data subject must be asked for their consent. Data processors must be able to prove that this consent was granted, and users must be able to revoke their consent at any time.
  • Territorial scope: The GDPR applies to all data subjects that reside in the European Union. Ergo, if a user of your services resides in the EU, you are required to prove GDPR compliance, even if your company has no physical presence within the EU (Article 3, GDPR). Furthermore, data storage and processing are required to be conducted within the EU, and transferring either into third countries is only permitted with prior user consent paired with “prudent reason” (Chapter 5, GDPR).

Transparency, in the GDPR sense, means that data processors have to declare which data is being stored, in which way it is being processed, and for what purposes it is being used. Should any data be shared with or processed by third parties, this needs to be stated as well. Additionally, this declaration must be published in a non-technical, easy-to-understand form.

With the enforcement of the GDPR, the data subjects now also have the legal right to a free, digital extract of the information that a data processor is storing about them. Along with this comes the right that the data subject can request their PII to be erased (“right to be forgotten” – Article 17, GDPR).

Any infringement of the GDPR can be fined with up to EUR 20 million or up to 4 % of the data processor’s global turnover, whichever is higher.

What key changes does the GDPR bring to Online Marketing?

Luckily, most companies behind the tools that online marketers work with have used the two-year grace period to render them potentially GDPR-compliant (Google Analytics, AdWords, Hotjar, Matelso, etc.). Many of them are only potentially GDPR-compliant, as there are still some aspects that have to be dealt with for continued use of those tools after 25 May 2018. The concrete steps necessary for GDPR compliance can be directly derived from the regulations on transparency and fairness stated above.

Step 1: Ensure no PII is stored without consent
There are obvious methods of collecting PII, such as asking a user to submit their name and contact details in a contact form on your website. This will continue to be lawful as long as the user is required to give their consent (i.e., accept the general terms of service) before submitting the data.

However, when tracking website user behavior with Google Analytics, there are also less obvious ways of collecting PII. By default, Google Analytics collects the user’s IP address. If not consented to, this will be illegal after GDPR enforcement. For compliance, IP anonymization needs to be activated. Using Google Tag Manager, this can easily be achieved by activating the anonymize IP function (as in the screenshot below) for all tags that send data to Google Analytics.

Another less obvious way of collecting PII is when user information is placed in the query parameters of the URL of a thank-you page after a contact form is submitted, and this URL is then sent to Google Analytics.

Example: www.yourwebsite.com/thank-you?user=johndoe&usermail=johndoe@mailservice.com

Either consent must be obtained for these query parameters, or they must be removed from any URL sent to Google Analytics.
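To make the two points of Step 1 concrete, here is an added example (not code from the original article, Google, or any tag-management product): a small script that strips PII-bearing query parameters from the thank-you page URL before it is handed to the analytics tag, and builds the tag configuration with IP anonymization switched on. The parameter names treated as PII (`user`, `usermail`, and a few similar ones) and the measurement ID placeholder are assumptions; the e-mail pattern check is a heuristic added here to catch PII in values whose key is not on the list. The `maskIpv4` helper only illustrates what the anonymize-IP setting does to an IPv4 address (the last octet is zeroed); it is not something the browser script needs to do itself.

```javascript
// Added example: scrub PII from the page URL before it reaches the analytics tag,
// and configure the tag with IP anonymization on.
// Assumed parameter names that carry personal data on this hypothetical site.
const PII_PARAMS = new Set(['user', 'usermail', 'email', 'phone', 'name']);

// Heuristic fallback: a value that looks like an e-mail address is treated as
// PII even if its key is not on the list.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns the path+query with PII parameters removed, plus the list of
// parameter names that were dropped (useful for a compliance audit log).
function scrubUrl(rawUrl, piiParams = PII_PARAMS) {
  const url = new URL(rawUrl);
  const removed = [];
  // Collect first, then delete: mutating searchParams while iterating is unsafe.
  for (const [key, value] of url.searchParams.entries()) {
    if (piiParams.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      removed.push(key);
    }
  }
  for (const key of removed) {
    url.searchParams.delete(key);
  }
  // Fragment is dropped: it never leaves the browser anyway.
  return { pagePath: url.pathname + url.search, removed };
}

// Builds the object passed as the third argument of gtag('config', ...).
// 'anonymize_ip' is the documented gtag.js field for IP anonymization;
// 'page_path' overrides the URL the tag would otherwise read from the page.
function analyticsConfig(rawUrl) {
  const { pagePath } = scrubUrl(rawUrl);
  return { anonymize_ip: true, page_path: pagePath };
}

// Illustration only: the effect of IP anonymization on an IPv4 address is that
// the last octet is replaced by 0 before the address is stored.
function maskIpv4(ip) {
  const octets = ip.split('.');
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  octets[3] = '0';
  return octets.join('.');
}

// Browser usage (skipped when run outside a page, e.g. under Node):
// the placeholder property ID below must be replaced with the site's own.
if (typeof window !== 'undefined' && typeof window.gtag === 'function') {
  window.gtag('config', 'UA-XXXXXXXX-Y', analyticsConfig(window.location.href));
}

// Constructed sample, mirroring the article's thank-you page URL:
// scrubUrl('https://www.yourwebsite.com/thank-you?user=johndoe&usermail=johndoe@mailservice.com&utm_source=newsletter')
//   -> { pagePath: '/thank-you?utm_source=newsletter', removed: ['user', 'usermail'] }
```

The script must run before the analytics tag fires (in Tag Manager, as a tag sequenced ahead of the Google Analytics tag, or by loading it before the tag snippet); otherwise the unscrubbed URL has already been sent. Note that scrubbing the outgoing hit does not remove the PII from the page URL itself, so it still ends up in server access logs and the browser history; the cleanest fix is to stop putting user data in the thank-you URL in the first place.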

Step 2: Ensure transparency regarding what data is used how, where and why
With the enforcement of the GDPR, it will be required to clearly and intelligibly (i.e., without technical language) specify what user data is used in what way and for which purposes. This requires a privacy policy statement on each website in which every tool the website is linked to is described. Furthermore, it is important that these tools in turn are GDPR-compliant. This privacy policy statement must be up to date at all times.

Summary

After 25 May 2018, the rights of users will be considerably strengthened. Every company that processes any kind of data of EU-residing users will be required to prove GDPR compliance. There are two main changes for online marketing resulting from the GDPR:

  • The collection of user-identifying data without previous consent is explicitly prohibited.
  • Website owners are required to provide clear and intelligible transparency about what data is used, how, and what for.

While online marketing is not the only area that is affected by the GDPR, it is the one OMMAX can support you with best. Are you wondering if your website is GDPR compliant? Get in touch with us and we will be happy to guide you through this process.