What does GDPR mean for your Google AdWords Campaigns?

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. What does this mean for Pay Per Click (PPC) activity? As one of ThoughtShift’s new Data Protection Officers I have been investigating all the impacts that GDPR will have on the way we work, so let’s see how GDPR will affect Google AdWords activity.


It is important to remember that the GDPR relates directly to personal data. This is defined as:

“any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.”

From a Google AdWords perspective, marketers generally do not utilise individual personal data. For example, we may look at average pages/session, bounce rate etc., but we do not drill down to see that user [unique identifier] clicked on the ad at this time on this date, visited page 1, page 2 and page 5, and spent xx minutes and xx seconds on the site. This is not the case when it comes to retargeting, and this is where GDPR will really have an impact.

Google’s User Consent Policy

Google has already released its new EU User Consent Policy, although it does not come into force until 25th May 2018. It states that:

Properties under your control

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent, you must:

  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.

So just to unpick some of these statements in the context of the GDPR legislation:

Legally valid consent

The GDPR sets out 6 lawful bases for storing and/or processing personal data. Whilst Consent is one of the 6, it has been clearly defined: “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.”

Therefore, cookie notices on websites should not simply say “We use cookies…” with an “OK” button. They should make users aware of what cookies are being used for on the website and require users to accept the use of cookies.

Another of the 6 lawful bases is “Legitimate Interest”, and this can be the legitimate interest of the organisation or of the person whose data is being stored/processed. “It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

Therefore, Cookies which track user data for the purposes of fraud detection, Analytics, eCommerce processing or security can arguably be processed and stored under the legitimate interest basis. Cookies which will be used for marketing purposes must require consent. Furthermore, consent cannot be synonymous with usage. A user should be able to deny consent without it impacting their ability to use a website.

A user should also be able to easily revoke their consent at any time.

Retain Records of Consent

It is a requirement of the GDPR that in any instance where personal data is stored or processed the lawful basis for that data storage and/or processing is clearly recorded. Google’s requirement of this is therefore in line with the law.

This means that where you do ask for a user’s consent to use cookies you need to store their information in a database with a consent granted column.

Clearly Identify all Parties that will use Users’ Personal Data

Google is requiring that all parties who will store or process personal data collected or processed using a Google Product must be clearly disclosed and identified to the end user. Therefore, a Cookie Policy requesting consent for cookies to be used to track a user for remarketing purposes will have to include that this information will be available to the Organisation, Agency X, Agency Y and Google and what they will use the information for.
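The consent rules above (positive opt-in, a retained record, easy revocation, named parties) can be sketched as a small consent ledger. This is an added example, not code from the original article or from Google; the purpose names, the visitor IDs, the `ConsentLedger` class and the in-memory array standing in for the database table are all assumptions.

```javascript
// Purposes the article says can arguably rely on legitimate interest.
const LEGITIMATE_INTEREST = new Set(['fraud_detection', 'analytics', 'ecommerce', 'security']);
// Purposes the article says must have consent.
const CONSENT_REQUIRED = new Set(['marketing']);

class ConsentLedger {
  constructor(parties, now = () => new Date()) {
    this.parties = parties; // every party disclosed in the cookie notice
    this.now = now;
    this.rows = [];         // append-only; stand-in for the consent table
  }

  // Store one explicit choice. Anything other than a real true/false
  // (e.g. a missing value from a pre-ticked box) is rejected, not coerced.
  record(userId, purpose, granted) {
    if (!CONSENT_REQUIRED.has(purpose)) throw new Error(`not a consent-based purpose: ${purpose}`);
    if (typeof granted !== 'boolean') throw new TypeError('consent must be an explicit true/false');
    const row = { userId, purpose, granted, at: this.now().toISOString(), parties: [...this.parties] };
    this.rows.push(row);
    return row;
  }

  // Revocation is just another row, so the history of consent is retained.
  revoke(userId, purpose) { return this.record(userId, purpose, false); }

  // The latest row wins; no row at all means no consent.
  hasConsent(userId, purpose) {
    for (let i = this.rows.length - 1; i >= 0; i--) {
      const r = this.rows[i];
      if (r.userId === userId && r.purpose === purpose) return r.granted;
    }
    return false;
  }

  // Gate to call before setting a cookie for the given purpose.
  maySetCookie(userId, purpose) {
    if (LEGITIMATE_INTEREST.has(purpose)) return true;
    if (CONSENT_REQUIRED.has(purpose)) return this.hasConsent(userId, purpose);
    return false; // unknown purposes are denied
  }
}

// Constructed walk-through: a visitor opts in to remarketing, then revokes.
function demo() {
  const ledger = new ConsentLedger(['Organisation', 'Agency X', 'Agency Y', 'Google']);
  const before = ledger.maySetCookie('visitor-1', 'marketing');
  ledger.record('visitor-1', 'marketing', true);
  const after = ledger.maySetCookie('visitor-1', 'marketing');
  ledger.revoke('visitor-1', 'marketing');
  const revoked = ledger.maySetCookie('visitor-1', 'marketing');
  return { before, after, revoked, analytics: ledger.maySetCookie('visitor-2', 'analytics'), rows: ledger.rows.length };
}
```

The visitor ID stored in each row is itself personal data, so a pseudonymous identifier is the safer choice for the key.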

Google’s Advertiser Policies

The GDPR defines the obligations for personal data usage by Data Controllers (the people who determine the purposes and means of processing personal data) and Data Processors (the people responsible for processing personal data on behalf of a controller). As a result, Google has created two new Data Protection Terms.

In its Google Ads Data Protection Terms: Service Information, Google classifies AdWords as a whole as being subject to its Controller Terms, and Ads Data Hub, AdWords Customer Match and AdWords Store sales specifically as being subject to its Data Processing Terms.

The pertinent points that I took from reading through the legal jargon are:

Controller Terms

  • By agreeing to the terms, you agree to comply with the GDPR
  • Once personal data has been collected with consent the data can only be used for the purposes that the user gave consent for the data to be used for – 6.2 (a)
  • Google will ensure a minimum level of protection (equal to the requirements of Privacy Shield) of personal data that it receives – 6.3 (a)
  • Businesses are required to ensure a minimum level of protection (equal to the requirements of Privacy Shield) of personal data that they receive from Google – 6.3 (a)

Data Processing Terms

  • These only apply if the business is based in the EEA or the business is collecting and processing personal data of people in the EEA, even if the business is not based there – 4.1
  • The terms state that Google is a processor of Customer Personal Data and a business agreeing to the terms is either a controller or processor of Customer Personal Data – 5.1.1
  • By agreeing to the terms, you agree to comply with the GDPR
  • Agencies or freelancers who are intermediary data processors on the behalf of the personal data controllers confirm that they have been authorised to process personal data and authorised to allow Google to process that same data – 5.1.2
  • Google will only process personal data legally and within any agreed constraints which could be set within Google account settings or provided in writing to Google. Google will also provide technical support. – 5.2
  • If a Google product has the functionality to delete data and you choose to delete it Google will permanently delete the related Customer Personal Data within 180 days of you opting to delete it. – 6.1.1
  • If a Google product does not have the functionality to delete Customer Personal Data that you would like to delete then you can request that Google deletes the data and Google will do so, but you may be subject to a fee. – 6.1.2
  • Google will keep the Customer Personal Data that it has access to secure and will handle any data incidents promptly. – 7.1 and 7.2
  • Data Controllers must take appropriate security measures including in regard to the security of Google login details – 7.3.1
  • If someone requests that your business provides them with all their personal data that you control Google will comply via you – 9.2
  • Google can appoint any Third Party Subprocessor and will ensure that they are GDPR compliant. If you are unhappy with the appointment of a Third Party Subprocessor you can terminate your agreement with Google in writing. This is the only way you can object to the appointment of a Third Party Subprocessor – 11.4

Google also lists the Customer Personal Data that it processes here: https://privacy.google.com/businesses/adsservices/.

Conclusion

In order to continue to use AdWords after the 25th May you must accept Google’s new T&Cs. In order to comply with these you must be GDPR compliant, which you are undoubtedly working on anyway. So, the only thing that is really stand-out from an AdWords and GDPR perspective is creating a robust cookie tracking and data storage system that requires users to opt-in for some cookie types and allows them to use your website without opting-in to those cookies for remarketing purposes.

Further GDPR Information

The following sites may help you to explore how the GDPR will impact your Digital Marketing further:
