GDPR is rocking the ad tech world. Starting on May 25th, 2018, the General Data Protection Regulation (GDPR) will be enforced. Put plainly, companies will be required by law to be transparent about data and gain explicit and individual consent before collecting and using it, placing the control in consumers’ hands. Beyond digital adverting, the GDPR governance includes email marketing, traditional outreach, and CRM databases.
“When a consumer clicks ‘accept’ on an opt-in box to proceed to a website, they should understand how their personal data will be processed and handled by the business asking to use that information. This goes beyond how their data will be used for marketing or advertising to how their data will be shared between systems and who has access to the information. This, I feel, is a reasonable request.” Said Jeffrey Finch, CPO and co-founder at Choozle. “But such is not the case with every company. Transparency is a problem. The jargon and legalese of opt-in forms are intentionally vague to confuse consumers about what user agreements they’ve accepted.”
The bad news is, under these regulations, digital advertising campaigns could become stale, blanketed and untargeted.
Despite the extra work, there are several pieces of good news that can be unpacked by the new law. If you or your company has been regarding consent and transparency as the norm before the loom of GDPR, you will be one of the least affected by the regulation. Most importantly: These rules are helping to pave the way for a more transparent, trusted, and consumer-respecting digital advertising industry.
Actionable steps for GDPR compliance and success
1. Determine how GDPR applies to you. Since you’re here reading this, chances are, you’re under the umbrella. Any company (U.S.-based companies included) that has a worldwide web presence and collects, stores or processes consumer data or who uses vendors to do so is affected, at least to some degree, under the new regulations. If your website (that collects visitor data,) or email (that collects email addresses and other data,) could potentially target someone who is currently in the EU, you should have GDPR-compliant policies in place.
To clarify: GDPR only applies to consumers who are present in the EU when their data is collected. Furthermore, it does not apply to EU residents who are currently outside of the EU.
2. Know that generic marketing doesn’t count. Your email or website content would have to target someone across the EU for it to apply under GDPR. Examples of this would be that your website is in the language of the country and there are references to EU users and consumers, or your website accepts the currency of that country and has a domain suffix (like a U.S. website that can be reached with a .co.uk from the UK.)
An example of something that would not count would be a Dutch user who Googles and finds an English-language webpage written for U.S. e-commerce consumers or B2B customers would not be covered under GDPR.
3. Know what type of data you collect and, therefore, the consent you need to gain. This is the most important part of GDPR. According to Article 7, Conditions of consent, “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” An example of this would be a bar on the homepage of your website where users can consent to or deny consent for you to collect their cookie-based data.
If consent is not individually and explicitly gained before sending marketing emails or collecting cookie-based data, for example, companies can be fined up to $20 million Euro — that’s $24,689,600.00 USD — or, in other cases, 4% of their total revenues.
4. Take better advantage of first-party campaigns. Data that isn’t cookie-based, AKA first-party data, is already a small but mighty tool — and under GDPR, it’s even more powerful. Since this data is pulled using your current customer databases, made up of those who have already consented for you to use their data (for instance, someone who has signed up for your email newsletter,) most of it is already compliant. However, if you ever pull first-party information from other sources, make sure that source has GDPR regulations in place.
Third-party targeting will still play a vital role in digital advertising, but it will be even more important for marketers to work with data partners that have trustworthy practices. Marketers and advertisers, especially those that are looking to target EU audiences, need to start asking questions about how their data is collected and whether or not they explicitly inform users that they are opting in. (See #3 for more.)
5. Get up to date on your other data providers and ad-employing platforms’ take. The more you know. If you’re currently running advertisements on Facebook or Instagram, here’s a great resource for their take. Also, it’s a good idea to stay up-to-date about how other popular tech platforms, such as Slack, are handling this transition.
Common questions
Why is GDPR only in Europe?
Consumers in the U.S. have long demanded the same rights and data protection. But with the large, dense clusters of European consumers, the voices of many became amplified, which made it easier to achieve legislation.
I don’t have any clients in the EU or a business presence there. How will GDPR affect me?
To reiterate, any company (US-based companies included) that has a worldwide web presence and collects, stores or processes consumer data, or who uses vendors to do so is affected — at least to some degree — under the new regulations. If your website (that collects visitor data,) or email (that collects email addresses and other data,) could potentially reach someone who is currently in the EU, you should have GDPR-compliant policies in place.
Will any changes be made to the Choozle Smart Container Tag?
Choozle will be providing a powerful yet simple Consent Tool to EU and U.S. clients that can be powered via our existing Smart Container and TagBot™ technologies. This feature requires a one-time manual implementation by Choozle engineers.
How will Choozle update its permissions and privacy policy to become compliant?
There will be some changes to the privacy policy language to better align with the legal requirements of GDPR. However, Choozle already has clear and transparent privacy policies in place that are audited for compliance by the NAI (Network Advertising Initiative). As we implement these changes, we will keep our clients in the loop by clearly explaining what has changed and why.
Given that our data management and customer data platform technologies were designed and built after GDPR was initially announced, Choozle has used those requirements as our minimum build standard and will be providing even greater transparency around data in future product releases.
Who controls the data at Choozle?
The Choozle user has control over what data they wish to enter into the platform. Once uploaded and activated via our self-serve tools, that data is then available to create audiences, gain analytics, retarget and execute programmatic advertising as part of a digital advertising campaign. Additional first-party data is created as campaigns progress, and this is funneled back to the client for analysis and optimization (including AI).
“Choozle fills the role of ‘data controller’ under my interpretation of the GDPR guidelines,” said Choozle CPO and co-founder, Jeffrey Finch. To ensure clarity: data controllers, under GDPR, will be required to protect and store data according to the guidelines or face non-compliance measures. In this instance, Choozle will control the data, but only in scenarios where our technology is compliant and suitable for the client’s needs.
Choozle does not use or “control” client data in the traditional DMP sense, where participant data is blended with others to create “new” (and revenue-driving) data segments marketed by the DMP.
Questions? Concerns? Want to talk more about GDPR with someone from the Choozle team?
Send us a note.