As digital marketers, we’ve gotten used to having access to a million data points, tracking users at every interaction with our brand, and being able to micro-target our audiences really specifically.
Frankly, it’s pretty crazy how much we’ve been allowed to play with–have you seen the Facebook audience tool??
Has this tracking gone too far? Online privacy advocates, some government bodies, and even some tech giants seem to think so.
As a result, we’ve seen legislation like the GDPR (General Data Protection Regulation) in the European Union in 2018 and more recently, the CCPA (California Consumer Privacy Act) come into effect. And just this past week, Google’s announced that they’re no longer allowing third-party cookies for their Chrome browser starting in 2022.
Data regulation is not the sexiest topic for sure… but the penalties for non-compliance can be pretty steep, so you’ll want to pay attention here.
What are the basics you as a marketer need to know about the GDPR? We’ll give you the overviews, but of course, as with anything legal, you’re best consulting an expert to ensure your policies and practices are compliant.
GDPR Essentials
The GDPR went into effect in May of 2018–you probably remember the day your inbox was flooded with “We’ve Updated our Terms” emails. But it’s been a few years, so companies have had some time to get used to the new ways of doing things to be compliant.
It’s not the simplest topic here, but we’ve boiled it down to the essentials for you.
What is it?
Basically, it’s a long list of rules you need to follow when handling user data (we won’t cover off all the regulations, so you can read through the original list on the official EU site).
In essence, the regulations are in place to give users more control over their data, while ensuring that companies provide more transparency in how they store and use the data they collect.
Optily’s Marketing Director, Kevin Stagg comments, “Twitter, Google, H&M, Grindr, and British Airways are just some of the major brands facing GDPR fines. Rulings have taken time to land, given the regulation has been in force for nearly 3 years, but there will be many more to come.
The good thing is, each of these gives us all something to learn from. While they’re major organizations with data warehouses that are infinitely more complex than most, the principles are the same. Following clean, simple, and easy to implement guides, such as this from the Optily team, is a great place to start and following the rulings against these leading brands is a good way to keep up-to-date and away from the regulator’s red card.”
Who and what does it apply to?
While it was passed by the EU, just because you’re based in the US doesn’t mean you can ignore it. Anyone who visits your site from an EU country is protected by it since you’re dealing with their data.
The data in question is anything that can be directly or indirectly linked to a living person. It can be things that are pretty cut-and-dry like names, emails, location data, or usernames. But it also applies to things not as obvious at first glance, like IP addresses and cookies for something like Google Analytics.
What are the GDPR key principles?
Here’s an overview of the big-ticket requirements to give you an idea of the spirit of the law (again, not an exhaustive list so read up on the full list we linked to earlier):
Obtain consent
This is the first step and why you’re seeing pop-ups on almost every website now asking you to allow cookies. Your terms need to be clear, users need to explicitly give consent, and they need to be able to withdraw consent at any time.
Explicit is the key term above too. So passive consent is not compliant (ie “By continuing to use our site you accept our terms…”). This is something tons of companies early on (and still to this day) seemed to be conveniently circumnavigating.
Security breach notification
Breaches happen. Unfortunately, it’s just a reality of the digital age, however, as soon as you find out one has occurred you need to let your customers know. You have 72 hours to report the breach to customers and data controllers (if you have any).
Data access rights
Upon request, your users may request a copy of their full data profile. This report must be sent free of charge and include all the data you’ve collected about them, along with how you’ve used this data.
Right to be forgotten
Basically, this gives users the right to request all their data be deleted upon request.
GDPR Tips for SMEs
Most small and medium businesses don’t have an entire legal department that can comb over every detail of the data policy and process. This means SMBs are especially struggling with these regulations.
Unfortunately, the GDPR applies to multinationals and mom-and-pop shops alike. There aren’t too many exceptions for the little guy, except maybe that you’re not required to keep a record of processing activities if you have fewer than 250 employees. Beyond that, the small-time cornershop gone eCommerce and Walmart have to abide by the same rules.
That being said, there are some actions you can take to ensure that you are compliant should the authorities ever come knocking:
Keep a record of all the data you collect
Ensure there is a unified record of all the information you keep: what it is (specifics like emails, phone numbers, addresses etc), where it’s stored, who has access to it, what it’s used for, and how long it’s kept.
Identify and document how the data was obtained
Most of the data you have on individuals will require explicit, informed consent, so you need to have a record of how the consent was obtained in each case.
Review all external contracts
If you are sharing any data (this includes your employees too, don’t forget) with a third party, make sure all the proper procedures were followed.
Train your staff
Ensure anyone working with customer or employee data at least knows the basic principles of GDPR and it’s best practice to designate at least one go-to GPDR specialist who can be the point-person on any questions that arise.
Review your privacy policy
A privacy policy is not something that will change too often, so it might be worth considering involving a legal professional to ensure this document is drafted correctly. There are plenty of small business lawyers who have a reasonable rate, so it shouldn’t cost you an arm and a leg (although non-compliance might…).
Summary
We here at Optily are a bunch of marketers too, so we feel your pain. The days of Wild West marketing seem to have reached an end, as regulatory bodies reign us in a bit with regard to how we obtain data and how we use it.
GDPR is likely just the tip of the privacy iceberg as Google tightens up on cookies, Apple’s iOS 14 requires explicit consent from each app to track user behavior, and advertisers scramble to put together server-side tracking.
Overall, these policies will make pinpointing attribution more difficult and will require us to go back to some of the marketing fundamentals–before we got spoiled by super-tracking every mouse movement!
One way you can roll with the punches is to automate your ad optimization and spend your marketing dollars where they do the most work for your bottom line. Optily’s single-click ad optimization tool does exactly that for your Facebook and Google ads.
Give Optily a try, free for 14 days, and see your returns grow overnight!