For decades, companies collected personal data from consumers without prioritizing its protection.
Sure, data is important for delivering better online experiences, but you can’t collect it with total disregard to people’s privacy — and their right to know how their data is used.
So, eventually, governments stepped in with regulations. The General Data Protection Regulation (GDPR) — the strictest regulation of its kind — was enacted by the European Union (EU) on May 25, 2018, to restrict how organizations collect people’s data. Just as California has the California Consumer Privacy Act (CCPA), the EU has the GDPR.
Still, data privacy remains a hot-button issue among internet users and the businesses they interact with. According to a 2019 report from Pew Research Center, 81% of consumers feel they have little control over the data companies collect from them; 79% are very or somewhat concerned about how that data is used.
The GDPR aims to address those concerns and help brands and consumers build more trusting and transparent relationships in the process.
So, what do advertisers need to know about this regulation, how it impacts their business, and how they comply with its stipulations?
Let’s take a look.
What Is the GDPR?
According to the GDPR.eu website, the GDPR is: “the toughest privacy and security law in the world […] it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.”
The EU created the GDPR to protect the personal data of internet users and give people more knowledge and control over how their data is used.
The GDPR is an evolution of the 1995 Data Protection Directive, which allowed each EU member state to create its own procedures for protecting data privacy.
The GDPR contains 99 Articles. We’ll break down the most important parts for advertisers. If you want to see the full document of regulations, check out this PDF.
How Does the GDPR Define Personal Data?
The GDPR considers personal data as:
- Email addresses
- Bank and payment information
- Medical information
- IP addresses and device IDs
- And more
Essentially, any information that companies can use to track or target an individual customer falls under the personal data category and is covered by the GDPR’s stipulations.
As the document states: “Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols… This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Who Does the GDPR Apply To?
Any organization that collects data from citizens within the EU must comply with the GDPR — whether that organization is EU-based or located elsewhere. A U.S. retailer running ads on a French publisher’s site, for example, is subject to the GDPR.
Data controllers and data processors must work together to ensure that they comply with the standards of the GDPR. The GDPR outlines the difference between data controllers and data processors as such:
- Data controllers are those who decide how data is used and what it is used for.
- Data processors are third-party services that collect and analyze data on behalf and at the direction of the controllers.
How Does the GDPR Impact Advertisers?
Simply put, the GDPR requires advertisers to clearly disclose their reasons for collecting consumer data. They also must obtain consent for the gathering and use of that data. They must, for example, ask website visitors to accept cookies and require users to accept Terms & Conditions before completing a certain action.
The GDPR also states that consumers have the right to request access to their data, ask how that data is used, update their data, transfer their data between different services, and ask for their data to be deleted even after it’s been collected.
Additionally, businesses must have processes in place for safely handling and transferring data. They must also conduct assessments and compliance reviews to pinpoint and address any data security issues. If a data breach occurs, businesses must notify users within 72 hours that their data has been compromised.
What if Advertisers Don’t Comply With the GDPR?
If advertisers don’t comply with the GDPR, they will be fined. The maximum fine is 4% of global revenue or €20 million. Those hefty fines can follow infractions such as failing to obtain consent from consumers and not having the documentation to prove it.
Smaller infractions are subject to fines of up to 2% of global revenue or €10 million. These include failing to properly handle customer complaints or “execute their evaluations and assessments without bias and via a transparent process.”
In addition to these fines, individuals who’ve had their data mishandled also have a legal right to seek compensation.
How Can Advertisers Ensure They Comply With the GDPR?
There are many steps advertisers can take to ensure they and their companies comply with the GDPR, including:
- Clearly documenting how and why data is collected. Your company should have written processes and data maps that outline where your data comes from, how it’s used, and which third-party services have access to it. These documents should also include processes for deleting archived data.
- Hiring a data protection officer (DPO). A DPO must conduct regular data privacy assessments and keep employees up to date on compliance standards. The GDPR requires that companies who conduct large-scale data processing, such as health care organizations, have a DPO on board.
- Reviewing disclosures and privacy policies with a fine-toothed comb. Make sure you tell your customers everything they need to know about your data collection procedures and how they can contact you with any questions or concerns.
- Training employees to properly handle data. Ensure only employees who use the data have access to it. This reduces the risk of data being leaked, lost, or mishandled.
- Having a plan for data breaches. You hope it won’t happen, but there’s always a possibility that it could. Identify steps for how to handle this issue, including stopping data collection, communicating with third-party platforms, and informing customers about the breach.
Can I Use the Taboola Pixel and Still Be Compliant?
Taboola’s EU data collection practices comply with the GDPR’s requirements. When processing data collected from the Pixel, Taboola relies on the GDPR’s legal basis of legitimate interest.
Before installing the Pixel, an advertiser that targets audiences in the EU must first ensure that it displays appropriate notice and consent mechanisms to all EU users that engage with its digital properties.
Should an advertiser not rely on legitimate interest and instead rely on the GDPR’s legal basis of consent, that advertiser must obtain each user’s consent on Taboola’s behalf.
Should that advertiser not receive consent for Taboola’s services, then the advertiser must ensure that it does not fire the Pixel on any visit by a non-consenting user.
The Importance of the GDPR
The GDPR isn’t meant to scare advertisers and make their lives miserable. On the contrary, it’s meant to create a more seamless and beneficial data collection process for both consumers and businesses.
By keeping companies informed about the best ways to ensure consumers’ security online, the GDPR helps prevent future data privacy crises and makes the internet a safer place for everyone.