If you live and breathe digital marketing, then you’ve been hearing and reading quite a lot about a certain four-letter acronym that’s about to take shake up the marketing industry as we know it. GDPR – General Data Protection Regulation – kicks into effect in the European Union on Friday, May 25. While the law is meant to shield EU consumers from having their personal data tracked all over the web, the GDPR’s reach will extend far beyond the EU’s borders and impact digital marketing efforts across the globe. GDPR includes personal data protection provisions that potentially create a global impact on the digital marketing world.
If the very thought of ensuring that your digital marketing efforts are GDPR-compliant sends you into a frenzy, or you have been living under a rock for the past several months, don’t panic – the Digital Examiner has your back. Here you’ll find a last-minute guide to the GDPR, and what the law will mean for your personal data protection and the future of digital marketing.
I’ve Been Living Under a Rock. What, Exactly, is GDPR?
Put simply, the General Data Protection Regulation strengthens the individual privacy rights of EU citizens. A closer look frames the GDPR as Europe’s answer to the internet’s “grand bargain,” as the New York Times phrases it – the idea that we trade privacy for convenience:
“Businesses offer free services like email, entertainment and search, and in return they collect data and sell advertising….”
Not a dangerous bargain in theory, but:
“…recent privacy scandals involving Facebook and the political consulting firm Cambridge Analytica highlight the downsides of that trade-off. The system is opaque and ripe for abuse.”
With GDPR, the EU is fighting back and aims to give its citizens control over how their data is used, or whether to consent to give out their data at all. The new law sets the bar much higher for companies that target ads based on personal data, which includes everything from the obvious (name, address, and phone number) to banking information, photos, information associated with social media posts, and more.
Businesses that advertise to residents of the EU will need to be transparent about how they handle this information – and get consent before using it. Those businesses that do not adhere to GDPR can face fines of up to 4% of global revenue.
Those who are protected under the law can ask businesses what personal information they hold, and request that it be deleted, according to the New York Times. If people suspect their information is being misused, they can report it to the national data protection regulator to be investigated. They can also join in on class-action lawsuits against companies they suspect of misusing and abusing personal data.
This law won’t just affect EU citizens. Most everyday internet users have probably received a deluge of privacy update notices in their inboxes as companies scramble to ensure GDPR compliance, or noticed pop-ups explaining the upcoming changes when visiting sites like Facebook.
My Company is Based in the US. What Do I Need to Know about GDPR and Personal Data Protection?
Just because your business and digital marketing efforts are based in the US doesn’t mean you’ll escape the strict rules put in place by GDPR.
Think about whom you sell your products to. Is there even the remotest chance your customer base includes people living in the EU? Does your business use or store in any way personal data that could possibly belong to a citizen of the EU? Play it safe and ensure your personal data protection, digital marketing and advertising strategies are GDPR compliant.
Even if your company does not sell to citizens of the EU, the use of personal data in online advertising has come under serious scrutiny in recent months. Earning and maintaining consumer trust by following the rules put in place by GDPR can’t hurt.
The good news is that, as digital marketing professionals, most of the websites, tools, and vendors we use fall under the GDPR’s definitions of data processors and controllers, and are therefore ensuring compliance internally.
For example, Facebook has sifted through all the data used in creating audiences for ad targeting (more on this later) and has let users know via Ads Manager which audiences need to be updated to remove data that doesn’t meet GDPR criteria. MailChimp has updated its Data Processing Agreement and third-party vendor contracts to ensure compliance, and is releasing new tools to help users collect consent and handle customer data appropriately.
How Will GDPR Affect Facebook Advertising and Targeting?
Facebook is in the unique position of being classified as both a data processor and a data controller under GDPR. Coupled with its role in the Cambridge Analytica data scandal, the social media giant is not taking any chances when ensuring GDPR compliance. The company issued a lengthy, thorough press release earlier this month outlining its preparations for GDPR and commitment to transparency, control, and accountability.
WordStream boiled it down:
“Facebook is going to make it easier for people to figure out what Facebook knows about individuals based on the data they share on their Facebooks, and they’re going to make a concerted effort to care a bit more about how other entities–namely advertisers–handle said data.”
Digital marketers who use Facebook advertising and targeting as part of their day-to-day need to understand how GDPR will affect Saved Audiences, pixel data, Custom Audiences and lead ads.
Saved Audiences – audiences created using Facebook’s built-in targeting tools based on users’ interests and behavioral data – are pretty easy to square away. Facebook has scoured all of this data and flagged any interests or behavior targeting that won’t fly under GDPR. Social media strategists can simply log into Ads Manager to see if any of their audiences have been affected and, if so, can update those audiences to remove the flagged data.
It gets trickier from here. WordStream provides an excellent breakdown of how GDPR will affect Facebook Pixel, custom audiences and lead ads, but here’s the gist:
- When you place Facebook Pixel on your site, Facebook acts as data controller and is responsible for letting users know what’s happening with their data.
- When you upload a Custom Audience to Facebook based on aforementioned Pixel data (or any other customer information you obtain), your business acts as data controller and Facebook becomes the data processor. Therefore, it is your business’s responsibility to inform customers about how their data will be used and obtaining consent (Facebook is releasing a Custom Audiences permission tool to aid in this effort).
Don’t forget that Facebook owns Instagram, so you can expect the same strict adherence to GDPR over on the ‘Gram.
Many digital marketing professionals are likely lamenting what appears to be the end to Facebook’s ability to tightly target ads to the people most likely to convert to customers. It’s going to require adjusting both strategies and mindsets, but Facebook will continue to be a powerful tool for advertising. As Digiday points out, there are other ways of creating personalized audience segments that aren’t based on personal information. It’s been done before – think of the magazine and television advertising of old. Campaigns will have to operate on a broader basis but the social network’s extensive reach is still at play for marketers.
How Will the New Law Affect Other Digital Marketing Strategies?
In addition to Facebook advertising, GDPR has consequences for email marketing – however, the impact is quite clear. The ability to “opt in” to email campaigns must be straightforward. Gone are the days of default opt-ins or only offering the ability to opt out. Your email marketing campaigns will require a literal check box that allows recipients to truly opt-in to receiving future messaging from your company, thereby ensuring personal data protection.
Furthermore, businesses can legally only use email lists that are 100% opt-in, and will be required to show proof of that. If you’re already using such lists, that’s great, but you’ll likely need to re-confirm consent of your contacts to be able to keep use that list after May 25. SendinBlue has more information on how to ensure your email marketing is GDPR-compliant.
Short on time? Check out HubSpot’s video on GDPR and email marketing:
And if your focus is content marketing and blogging, don’t forget to ensure your newsletter subscribers are opting in of their own free will to receiving your blog posts! Hopefully, you have been providing valuable content to your readers this entire time so they will gladly continue to consume your work. Otherwise, you have some thinking to do about who your audience is and how you can best serve them.
This Seems Like a Lot of Work. Will It Pay Off and Improve Personal Data Protection?
If you’re one of the many, many people creeped out by ads for novelty T-shirts that follow you from site to site, then yes – GDPR will pay off.
All joking aside, GDPR is a massive step toward giving consumers back a right that has been neglected for some time now – the right to control their personal data protection. For businesses and the digital marketers who work to connect them to customers, GDPR is an opportunity to foster trust and establish a loyal consumer base that does not have to question whether personal data is abused for advertising purposes.
As UK Information Commissioner Laura Denham told participants at the Direct Marketing Association (DMA) Data Protection 2018 event, “You will have complete confidence that your customers have given informed consent.”
Ideally, that will lead to more engaged customers who are more receptive to future targeted digital marketing efforts while ensuring their personal data protection.
Disclaimer: The author of this blog and All Points Digital are not an attorneys or legal professionals. This blog is meant to serve as an overview of GDPR and how it may impact digital marketing strategies, from a strategist’s point of view. It is not legal advice and you may not rely on it as such.