What does GDPR mean for marketing?
Tom Davenport, Data Scientist at Mezzo Labs, describes how GDPR is going to affect the world of digital marketing and, more specifically, web analytics.
I’ve been to several conferences around the UK recently, from Datafest in Edinburgh to MeasureCamp down in London, and GDPR has appeared on the agenda at every one.
In this post, I’ll describe what every digital marketer needs to know and how it’s going to affect our field: digital marketing and web analytics.
What is GDPR?
GDPR is the General Data Protection Regulation – it supersedes our current Data Protection Act regulations and brings every country in the EU up to the same high standard.
GDPR creates new rights supporting individuals and their personal data. It has some very specific definitions of how organisations can collect and process data from EU citizens.
By 24th May 2018, every company that trades in the EU needs to show that it will comply with the new regulation and has an action plan in place to get there.
The fines for breaking the rules are considerable: 4% of global annual turnover or €20 million, whichever is higher.
Many businesses are looking to put standards in place now, as it is going to be a significant change.
How has the definition of “personal data” changed?
Personally Identifiable Information (PII) has been given a much broader definition under GDPR.
In the words of the regulation, personal data is “any information relating to an identified or identifiable person”.
It used to be names, addresses, email addresses, phone numbers – something that would allow someone to contact the individual. It now refers to anything that can be used to identify an individual uniquely, which could include IP addresses and cookie IDs.
An identifiable person is someone who can be identified by reference to an identifier that includes: “a name, an identification number, location data, an online identifier”. If there is any possibility that data could be traced back to an individual person, then it becomes PII.
This means that this data will require the same level of care and protection as the current definition of personal data.
The GDPR also introduces the idea of “pseudonymous data”: data that has been subjected to technical measures which render it no longer able to identify an individual directly. Session IDs and customer reference numbers fall into this category and will need to be pseudonymised effectively if they are to be used in profiling or other processing activities.
Pseudonymised data is already used in advertising to tie a user’s actions together; cookies and mobile OS identifiers are a good example. These tend not to pass a user’s exact details around, but use a pseudonymisation method such as hashing that disguises who the user is. The organisation is then able to de-pseudonymise the data to identify a customer’s interactions across platforms. See our article on how to do this in Google Analytics for more info.
This kind of data allows some relaxations of GDPR’s provisions, if the organisation reviews its level of security and makes adequate risk assessments.
Pseudonymous data lost in a breach is less damaging: without the means of reversing the pseudonymisation, it is much harder to work out who the individual is, and so to draw value from the data.
Organisations can also do more with pseudonymised data. They can use it in profiling, as it is unlikely to cause harm to a data subject.
What can companies still do?
Retargeting is when a business shows adverts to individuals who were about to convert but then left the site, encouraging them to come back. This automated decision (“target this individual with an advert related to the conversion they abandoned”) will fall under some of the GDPR’s rules on profiling.
Remarketing emails will be considered an activity that constitutes “a regular and systematic monitoring of data subjects”. This means that such campaigns must be planned carefully, with privacy as a primary consideration. It also technically means an organisation will have to appoint a Data Protection Officer (DPO): an individual at board level who ensures that the actions the organisation takes adhere to GDPR.
How does this affect cookies and tagging?
The days of having a pre-ticked box, taking silence as consent, or writing terms and conditions in complex legalese, are over.
GDPR brings in the need for “explicit consent” (in other words, opt-in), written in an age-appropriate, understandable way, that can be withdrawn at any time.
It will also be necessary for the user to be able to choose what their cookies are (and are not) used for. In other words, a user must be able to say: “I want cookies enabled for saving my log in details, but not for targeted advertising.”
This sounds like bad news for the digital marketer, but the provisions also state that it should be as easy to remove consent as it is to give it – and that is a real problem.
It means that it should be possible for an individual to opt in initially, and then be able to see each of these purposes and to opt out from any, at any time, now or in the future. It should also be possible to delete personal data on demand and to delete all data that has been kept longer than is necessary.
Many companies will want to consider either extending their existing permissions centre, or building a new one entirely.
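The requirements set out above (no pre-ticked boxes, consent per purpose, withdrawal as easy as granting, and deletion on demand) translate into a small piece of logic at the heart of a permissions centre. The following added example (not code from the original post or from Mezzo Labs; the purpose names, cookie names and timestamps are constructed, and it assumes Node.js) shows a per-purpose consent record that gates tags and reports which cookies must be cleared when consent is withdrawn.

```javascript
// Added example: a minimal per-purpose consent record for a permissions
// centre. Every purpose starts denied, each is opted into separately, tags
// fire only for purposes with consent, and withdrawal is one call that also
// reports the cookies to delete. Names below are constructed, not real tags.
const PURPOSES = {
  login:       ["session_id"],   // cookies set for this purpose
  analytics:   ["_ga", "_gid"],
  advertising: ["_fbp", "IDE"],
};

function newConsent() {
  // Default deny: silence is not consent, so nothing is pre-ticked.
  const state = {};
  for (const purpose of Object.keys(PURPOSES)) state[purpose] = false;
  return { state, history: [] };   // history is the evidence trail
}

function setConsent(consent, purpose, granted, at) {
  if (!(purpose in PURPOSES)) throw new Error("unknown purpose: " + purpose);
  consent.state[purpose] = granted;
  consent.history.push({ purpose, granted, at });
}

function grant(consent, purpose, at) { setConsent(consent, purpose, true, at); }

// Withdrawal is as easy as granting: one call, returning the cookies that
// must now be deleted because their basis for being set has gone.
function withdraw(consent, purpose, at) {
  setConsent(consent, purpose, false, at);
  return PURPOSES[purpose];
}

function allowed(consent, purpose) {
  return consent.state[purpose] === true;
}

// Gate for the tag container: run a tag only if its purpose has consent.
// Returns true when the tag fired, false when it was suppressed.
function fireTag(consent, purpose, tagFn) {
  if (!allowed(consent, purpose)) return false;
  tagFn();
  return true;
}

// Deletion on demand: withdraw every purpose and list every cookie to clear.
function withdrawAll(consent, at) {
  let cookies = [];
  for (const purpose of Object.keys(PURPOSES)) {
    cookies = cookies.concat(withdraw(consent, purpose, at));
  }
  return cookies;
}
```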
What does this mean for marketing automation?
GDPR also takes the new step of defining “profiling”. It grants individuals significant rights to protect them from automated decisions – what we know as marketing automation.
Profiling refers to the automated processing of personal data to evaluate various aspects of an individual. This includes predicting how an individual may behave, their personal preferences, interests and other examples.
The regulation focuses on when this analysis is used to make automatic decisions. An individual now has the right to raise an objection to these decisions, and can challenge them.
Examples include automatic refusal of an online credit application or being automatically rejected when applying for a job through an online platform.
Even if a user has given consent to be used in profiling-based activities, they are able to object.
Companies that fail to honour these objections will potentially come under the higher level of fine, and such challenges can be brought by individuals.
Pseudonymising and anonymising can provide some protection from these challenges.
Do customers need to opt in to web analytics?
Yes. Careful re-wording of the cookie permission interstitial might be enough, if it is clear what the user’s data will be used for and who it will be shared with, and if it contains links to the permissions centre for further information.
Most companies use web analytics data at an aggregate level (numbers of visitors, page views), so PII is rarely captured. But analysts often segment by attributes that place a user in a group, and you would need to make sure you have the customer’s permission to do this.
Does this mean the end for DMPs?
That is a difficult one to answer. DMPs certainly make great use of 3rd party data, much of which has not been collected with the user’s knowledge. DMPs will need to consider how they can comply with GDPR without compromising their clients.
What is the impact on Retargeting and Programmatic Advertising?
Good question. You will need to ask the user’s permission to do this, and it is likely that many users will refuse permission to have ads follow them around the internet. What was previously referred to as “the right side of creepy” may become marginalised.
How can Mezzo Labs help?
GDPR presents some significant challenges to digital marketers. The best approach is to get some understanding of how it is going to affect your business:
- Where does your data sit?
- Is it secure and anonymised?
- What permissions have you collected for it?
- How is it transformed or used for automated marketing?
- What marketing programmes would be impacted if you couldn’t use it?
Our expert knowledge of web analytics puts us in a good position to audit your current marketing data silos. Starting with the data collected by your web analytics platform, we can look at the customer data held across your digital marketing ecosystem, help you identify where the risks are, and set out what changes need to be made so you are not caught out by the GDPR deadline.
For further information on how we could help, contact us.
Want to know more?
- EU’s GDPR site: http://www.eugdpr.org/
- Full text of GDPR: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
- The EU’s explanation of GDPR: http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
- UK Data Commissioner Office’s explanation of GDPR: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
- GDPR and profiling: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-5-profiling/
- GDPR and Cookies: https://www.cookielaw.org/blog/2016/5/13/the-gdpr,-cookie-consent-and-customer-centric-privacy/