Last updated on 01 July 2022 by Jaclyn Kilani (Legal writer at TermsFeed)
Remarketing is one of the best things that's ever happened to online advertisers. However, this method of targeting specific website visitors may become a legal minefield when the General Data Protection Regulation (GDPR) comes into force on May 25th, 2018.
If remarketing is your go-to method to bring in repeat customers, be prepared to make some changes.
We'll fill you in on the changes that are going to occur and how to keep remarketing in compliance with the GDPR.
Remarketing is a personalized form of online advertising that uses a user's browsing history to target them with products that they have previously shown interest in.
Because they are so personalized, remarketing campaigns are highly effective in bringing back recent website visitors and creating repeat customers.
However, the very nature of remarketing relies on the collection of analytical data about consumers and placing tracking cookies on their web browsers.
Therein lies the problem with the upcoming GDPR regulation.
The GDPR requires that online businesses obtain the express, unambiguous consent of EU residents before collecting their analytical data or placing any advertising cookies in their browsers.
These requirements go far beyond a passive cookies policy or informative cookies banner.
EU visitors must be given an opportunity to click to consent to advertising cookies or opt out of them completely before they may be placed.
If you're thinking "Well, I don't run a business in the EU, so this doesn't apply to me," you will receive an unpleasant surprise in May.
The GDPR can and will be enforced on any business that collects so much as an IP address from an EU resident, regardless of where the business is located.
The internet is an international marketplace. Can you really guarantee that no visitor from the EU will ever come across your website or mobile application?
Google has declared its full support for the GDPR since it launched in 2016. Being the largest provider of remarketing services, Google is leading the charge on compliance.
Recently Google sent the following message out to all AdWords advertisers to inform them of the upcoming changes:
As you can see, Google will now require all AdWords clients to obtain legally-valid consent to collect data for personalized ads from EU residents.
Since the vast majority of advertisers use Google as their remarketing provider, these advertisers will have no choice but to comply if they wish to continue using Google tools.
According to Google's new EU User Consent Policy, advertisers will need to meet the following requirements in order to use Google's analytics and remarketing tools when it comes to end-users in the EU:
This list of action items will bring your Google Analytics and remarketing campaigns up to GDPR standards.
In this section, you will need to disclose exactly which kinds of information you collect about users and how that information is shared and used for advertising. Full disclosure is very important for GDPR compliance.
This can be as simple as linking to your provider's ads setting interface, such as Google's Ads Manager.
Another solution is to provide users with your own custom opt-out solution, like this one from Adobe:
Adobe also provides an entire page where users can control how their data is used, including communications and targeted ads:
While basic account information can usually be erased by the end user within your account setting interface, the analytics data you hold on them will only be accessible to the account holder of the remarketing provider.
In other words, if an EU customer wishes you to erase their analytics data permanently, you or one of your employees will need to personally log into your remarketing provider's client interface (such as the Google AdWords administrative interface) in order to delete analytics or remarketing data for specific end users.
Provide consumers with instructions on how to make this request.
Globalscape lets visitors know of their right to be erased and provides a method of contact for them to make this request:
Here is a very simple yet compliant example from Globalscape:
If you don't already have a dedicated Cookies Policy, it's time to implement one. The GDPR is all about transparency, and a thorough Cookies Policy is one way to create transparency for visitors.
Here is a summary of the BBC's Cookies Policy to illustrate some of the subject matter included in a typical Cookies Policy:
First of all, you'll need to define cookies and explain to your visitors what they are and why you use them. Be as detailed as possible and help consumers understand why cookies are necessary.
As far as remarketing goes, you'll need to be very specific about third-party advertising and analytics cookies.
The GDPR requires that you specify which third-party cookies you use and why.
Here, Shell Global explains why and how they use third-party cookies, as well as how cookies are used for advertising purposes. Users are also informed about how to reject and delete cookies:
Shell also includes a detailed cookie chart that specifies each type of cookie that is used by the site and what its purpose is:
Note that there is a link provided to opt out of each cookie. This is one way to provide users with a method to opt out of specific cookies.
We will go into more detail on this topic below.
Consent for advertising and analytics cookies will be the cornerstone of compliance for remarketing under the GDPR.
These are the tools that remarketing and personalized advertising campaigns use to collect data about individuals, so they must be disclosed to visitors and specifically consented to before they are placed.
The Hewlett Packard Enterprise data collection and cookies notice pops up upon navigation to their homepage. It specifically mentions cookies and the collection of information for marketing and promotional efforts, asking that users click to consent and continue:
It's important to remember that when it comes to valid consent under the GDPR, the visitor must take a decisive action, such as a click or the tick of a checkbox, before any remarketing cookies may be placed in the browser.
Within its Privacy Statement, HPE offers an opt-out interface for visitors to opt out of marketing and analytics cookies.
This step is vital in order to make remarketing legal under the GDPR:
The final step in ensuring a GDPR-compliant remarketing campaign is to update your consent recordkeeping system.
None of your consent methods will matter if you do not keep meticulous records of obtaining consent.
Both the GDPR and remarketing service providers like Google require you to keep a record of valid consent for remarketing for every EU user in your database.
Here are a few online businesses that are continuing their remarketing campaigns while maintaining GDPR compliance:
We've already touched on Google's compliance with the GDPR as a remarketing provider, but they follow the same level of compliance protocols when dealing with end users.
First off, check out this comprehensive GDPR notice that pops up when an EU resident accesses the Google homepage:
Finally, a prominent "I Agree" button and "Other Options" link give visitors the opportunity to consent or opt out.
When the user clicks "Other Options," this interface appears:
Here, the user can control the information that Google collects about them in minute detail. This is transparency at its best.
Google goes on to list out every possible way that customers may access, control, or delete their information. Note that there is also a link to control advertising preferences:
Finally, Google gives a more in-depth description of the different types of cookies that it uses, including third-party and advertising cookies:
The UK's most famous news network is also working hard to reach GDPR compliance. They provide visitors with this information upon navigation to the BBC's website:
Note that this cookies notification isn't actually GDPR-compliant because it does still use browsewrap and doesn't obtain clear consent for placing cookies. The sentence that says, "If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the BBC website" is the sentence that ruins this notice.
By deleting that sentence and requiring users to click Continue to consent to have cookies placed on their devices, this notice would be a great example of GDPR compliance.
Aside from that browsewrap sentence, there are some good things going on in this notice.
When visitors click the "Change settings" button, they are directed to this interface where they can choose which cookies to accept or block:
Here you can also find instructions for how to delete consumer information held by the BBC:
The BBC informs users about its remarketing practices and provides easy-to-find information for opting out or adjusting relevant settings.
Aside from the use of browsewrap in the cookies notice, the BBC is doing a great job towards achieving compliance for remarketing under the GDPR.
To continue remarketing compliantly with the GDPR, remember to do the following:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.