How the GDPR Impacts Online Advertising

How the GDPR Impacts Online Advertising

The EU General Data Protection Regulation (GDPR) is long in form, broad in scope, and powerful in its effect. Almost every company trading in the EU has had to consider how the GDPR will affect its operations.

Online advertising is one of the business activities most significantly affected by the GDPR. Advertisers have already faced large fines for failing to comply with the law. And the GDPR makes little distinction between tech giants and sole traders. Everyone has to comply.

If you're using personalized ads or direct marketing to promote your business, it's almost certain that the GDPR will affect your practices.

Let's take a look at some of the new obligations for online advertisers that the GDPR brings about.


What is the GDPR?

What's the GDPR

The GDPR is an EU law that came into force in May 2018. It's a regulation, which means that it has direct effect in all 28 EU Member States (including the UK).

The GDPR replaces the EU Data Protection Directive. This directive was already providing people in the EU with the highest standard of data protection and privacy in the world. Despite this, the changes brought about by the GDPR are highly significant.

One of the main aims of the law is to bring stronger protection to the personal data of everyone in the EU. The regulation achieves this in several ways, including:

  • Bringing non-EU companies under the law
  • Providing a stronger, more meaningful model of consent
  • Granting people powerful new personal rights, including the "right to data portability" and the "right to be forgotten"

Why is This Relevant to Online Advertising?

As marketing becomes more sophisticated, it frequently involves significant amounts of personal data.

Advertising is no longer just about producing a compelling message to promote a product. It's about determining who is most likely to be affected by that message. It's also about how and when to deliver the message for maximum impact.

Previously, advertisers could target potential customers by advertising in a particular magazine, or after a specific TV show. Nowadays, advertisers can target individual people based on thousands of data points collected by companies that monitor their internet activity, their location and their purchases.

This can be intrusive, disconcerting, or just plain unwanted. So data protection law attempts to bring people some control over whether their personal data is used in this way.

What is Personal Data?

"Personal data" is a nebulous term that means different things in different places. The EU has long recognized a very broad definition of personal data through its legislation and court decisions. The GDPR codifies this broad definition, leaving very little room for ambiguity.

According to Article 4 of the GDPR, personal data is "any information relating to an identified or identifiable natural person."

It's a mistake to think of this as merely information that identifies someone (such as their name or email address). Instead, think of personal data as any information that would tell you something about a specific person, even if it was combined with other information.

The following things, all relevant to online advertising, are personal data according to this definition:

  • IP addresses
  • Information derived from cookies, web beacons and tracking pixels
  • GPS data

Let's look at some of the new rules that the GDPR places on advertisers' use of such data.

New Obligations for Non-EU Companies

New Obligations for Non-EU Companies

One of the reasons that the GDPR has caused such a stir is that it applies everywhere.

The GDPR applies not only to companies based in the EU, but also to any company (or individual, or organization) that:

  • Offers good or services to peope in the EU, or
  • Monitors the behavior of people in the EU

If your company does either of these two things, it must comply with the GDPR.

Offering Goods and Services

The GDPR's rule about "extraterritorial applicability" doesn't mean that, for example, anyone who provides an ecommerce store that's accessible within the EU will necessarily have to comply with the GDPR.

Recital 23 states that there are certain things to consider when determining whether you would be deemed to "offer goods and services in the EU." For example:

  • Using an EU national language
  • Offering goods or services in an EU currency
  • Mentioning EU customers

To some degree, this will be a matter of common sense. You know whether your company is trying to attract EU customers.

Monitoring the Behavior of People in the EU

"Monitoring people's behavior" might sound a little clandestine, but it's a big part of what online advertising is about.

The European Data Protection Board provides the following relevant examples of what might constitute the monitoring of behavior:

  • Behavioral advertising
  • Geolocation activities, especially for marketing purposes
  • Online tracking via cookies or other tracking techniques
  • Market surveys and other behavioral studies based on individual profiles

If your company or website derives personalized ad revenue from people in the EU, you most likely need to comply with the GDPR.

New Standard of Consent

The GDPR brings a new, higher standard of what constitutes a person's "consent."

But why is it necessary to earn consent for online advertising?

Governments have long tried to regulate the ways that companies market to consumers. Even countries with relatively free market economies like the United States have laws that restrict the sending of "spam" email.

Now the stakes are even higher. Advertising can involve the accumulation and analysis of data about a person's preferences, political affiliations, and family life (to name just a few examples).

The GDPR wants to make sure that, if a person is going to be subject to online advertising, they really know what they're getting into.

Under the old law, the Data Protection Directive, the definition of consent held businesses to a fairly high standard of consent. Under the GDPR, this standard is even higher.

Consent in the Data Protection Directive Consent in the GDPR
"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed" "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

So, until the GDPR, consent was:

  • Freely given
  • Specific
  • Informed

The GDPR requires that consent must also be:

  • Unambiguous
  • Made by a statement or clear, affirmative action.

A lot of people interpreted the old law as allowing an "opt-out" model of consent, where you could assume you had a user's consent so long as they didn't refuse something.

The GDPR now clearly operates an "opt-in" model of consent, where you cannot assume a user has consented to something unless you've asked them (in the right way) and they've said "yes."

The GDPR saw a lot of companies sending out emails requesting that customers "refresh" their consent to direct marketing. Here's an example from Pact Coffee:

Pact Coffee: Repermission email for consent for email marketing

If you earned consent from some EU consumers under the Data Protection Directive, you don't necessarily need to get their consent again.

But if the way in which you earned a user's consent was compatible with the old law but not the GDPR (or wasn't compatible with either law), you will need to either remove that user from your marketing pool or request consent again.

The upshot of this stricter requirement is that you might end up advertising to a smaller group of people, but those people are likely to be more engaged with your company and more on-board with being the subject of personalized ads or direct marketing.

Consent for cookies has been required under EU law since 2002. This requirement comes from an older law, still in force, known as the ePrivacy Directive.

All cookies require consent, except for those that are necessary or used for user-centric activities. Such cookies might be used to keep track of form inputs, remember the contents of a shopping cart, for authentication or load-balancing.

So what's changed? Well, because of its new, higher standard of consent, the GDPR has significantly affected how cookies are used. This is why EU users have seen more and more "cookie banners" popping up on commercial websites.

Unfortunately, it's quite difficult to find many websites that are compliant with the new law.

Cookie banners should offer users a genuine choice about whether they consent. Opt-out or "browsewrap" cookie solutions don't comply with this principle.

Here's an example from Essentra:

Essentra Cookie Consent notice

There's no option to refuse here. The choice is either accept and have cookies placed, or don't accept and have cookies placed anyway.

You should make consent easy for your users. This means making "accept" or "reject" equally accessible choices.

Let's take a look at another example from AOL. Here's what happens when a person visits AOL.com from within the EU:

AOL Cookie Consent notice

If a person wants to refuse consent, they must visit the "Privacy Centre" of AOL's partner company, Oath. They're presented with a 3,500 word document, within which is this clause:

Oath Privacy Centre: Your controls and privacy rights clause

Selecting the "Privacy Dashboard" leads to this page:

Oath Privacy Centre Dashboard with list of brands

Selecting "AOL" presents a CAPTCHA verification:

Screenshot of AOL CAPTCHA verification

Finally, the user is presented with some controls with which they can opt out of personalized advertising:

Screenshot of Your Privacy Controls section of AOL Privacy Dashboard

So not only are cookies set by default, the user also has to jump through numerous hoops in order to turn them off. This an example of how to earn "consent through submission" rather than "freely given, unambiguous consent."

Here's an example of a much better cookie banner from Express.co.uk:

Express CO UK Cookie Notice banner

The reasons the website uses cookies are briefly explained, then the user is presented with two options: "reject" or "accept." This makes it easy to exercise a free choice.

And here's an example of a GDPR-compliant "dashboard" from The Guardian:

The Guardian: Your Privacy dashboard screen for cookies and personalised ads settings

GDPR compliance means offering people a real choice about your use of their personal data.

Because a person's email address is their personal data, the GDPR applies wherever you collect, store or otherwise use it.

It's actually not necessary to always earn consent for email marketing under the GDPR. There is a certain exception for certain customers with whom you have an existing business relationship.

If you can demonstrate that it's in your company's "legitimate interests" to send a customer marketing emails, and you give them every opportunity to refuse, then you might not have to ask for their consent.

But in most cases, and certainly whenever you're trying to procure new customers, you'll have to get consent for direct marketing.

One important step that many companies have taken towards GDPR-compliance is ensuring that they don't use a pre-ticked box when requesting consent for direct marketing.

Here's an example of one of these problematic pre-ticked boxes in action from Bifold:

Bifold Register form with pre-ticked box

You can see the problem here. If consent is supposed to be "unambiguous" and earned via a "clear, affirmative action," this can hardly include where a person fails to untick a box. Perhaps they didn't see the box? Perhaps they were in a hurry?

Here's an example of a somewhat unclear consent mechanism from PageSuite:

PageSuite registration form with pre-ticked box

The box is pre-ticked, so this is actually an "opt-in." But it's kind of confusing. Unticking the box signs the user up to the mailing list - not exactly "clear."

New Data Subject Rights

New Data Subject Rights

"Data subjects" have always had certain rights over their personal data under EU law. Data subjects are simply people, including your users or customers. It also covers anyone else whose personal data gets swept up in your ad campaigns and analytics.

The GDPR introduces certain new data subject rights that are not entirely relevant to online advertising. But there are two new areas that are important in this context.

People in the EU have the right to object to their personal data being used in particular ways. This overlaps with the right to withdraw consent.

EU law has long recognised this right. But the GDPR reinforces the relevance of this concept to the area of online advertising.

Under Article 7 of the GDPR, you must:

  • Inform people of their right to withdraw consent when requesting it
  • Make it as easy for people to withdraw their consent as was for them to give it

Under Article 21, it is made clear that people have an absolute right to withdraw consent for direct marketing at any time, for any reason. You must respect their request.

Both of these rules should apply to cookies as much as to email marketing.

You can make withdrawing consent easy for your users via a "privacy dashboard" mechanism which allows them to toggle their consent status.

For example, The Guardian provides users of its Android app with this facility to withdraw consent for various trackers:

The Guardian Android app Tracking settings screen

The Right to Data Portability

The GDPR's new "right to data portability" appears to have been aimed at large online advertisers/social media companies such as Facebook, but it applies to operations of any size.

If you receive a request for data portability from one of your users, you're required to provide a copy of their personal data in "a structured, commonly used and machine-readable format." You'll have one calendar month to do this. You can use a format such as CSV, JSON or XML.

This only applies to personal data that you have collected on the basis of their consent, or for the purpose of performing a contract (two of the GDPR's lawful bases for processing personal data).

Depending on the context in which your company operates, you may wish to set up a process whereby a user can carry out this request and receive their personal data automatically.

Here's how Twitter offers its users a facility by which to exercise their right to data portability:

Twitter: Your Twitter Data - Download your Twitter data section

It's not entirely clear how Twitter determines what data is "most relevant and useful" for its users.

Summary

Compliance with the GDPR can take a lot of work, particularly for companies involved in online advertising.

To comply with the new requirements under the GDPR, make sure that you:

  • Understand whether you are subject to the GDPR (if you're based outside of the EU)
  • Update your consent request mechanisms for cookies and direct marketing
  • Consider whether you need to request "fresh" consent from any of your long-standing customers
  • Ensure you have systems in place to facilitate the right to withdraw consent and the right to data portability
Robert B.

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.