Feb 26 2019
Basis Technologies

How Data Security and Regulatory Compliance are Changing SEM


Consumer data is a critical performance factor for digital and search engine marketing. In fact, it’s now practically impossible for businesses to gain visibility in either organic or paid search results without relying on consumer data insights. Yet at the same time, the European Union and other government bodies around the world have continued to introduce stringent regulatory compliance mandates governing how that data can be collected and managed—which, needless to say, has significantly affected the way that organizations treat, store and use their most valuable data.

And while forward-thinking businesses need to make every effort to adhere to these regulatory compliance mandates, these regulatory compliance mandates under a new paradigm universally have had an impact on data practices around the world.

Here are some insights into how you can navigate regulatory compliance in the world of SEM.

GDPR's Impact on SEM

In 2016, the European Union passed what's known as the General Data Protection Regulation (GDPR), a stringent and broad reaching law requiring search engines, advertising platforms and individual businesses to do more to protect the data of European citizens—and compelling Google, Bing, and other advertising platforms to place data management and security at the top of their priority list.

Among other things, the GDPR requires any business that uses consumer data to:

  • Keep clear records of collected data and its use
  • Assess the privacy standard of consumer information in their possession
  • Obtain explicit consent from consumers before using their personal data
  • Put processes in place that give consumers the right to be forgotten
  • Have protocols in place to respond to potential data breaches

While the law only applies to European citizens, its impact is clearly global: any website that collects information from site visitors—even if the business is based outside of Europe—could be subject to these regulatory compliance requirements. And the emergence of GDPR has also inspired similar regulatory compliance mandates elsewhere, including a new state data privacy law in California and several data protection bills gaining traction at the federal level in the US.

So, how does it affect search engine marketing? Simply put, the responsibilities for data protection impact both search engine platforms and the marketers that use them to reach their audience. The extent of your responsibility all depends on who controls the consumer data vs who processes it. If you either control the data and/or process it, then GDPR will govern your regulatory compliance responsibilities.

Consider Google’s in-market audiences, for example. Advertisers use Google’s consumer behavior data to target new audiences with their advertising message. But in-market audience data is both controlled and processed by Google who possess and analyze it for ad targeting—this places the responsibility for GDPR compliance on them.

In another scenario, consider remarketing lists for search ads (RLSA) in which you upload a file of your leads’ email addresses to create a new Customer Match audience. In this case, you are the data controller and Google is the data processor. Thus, both you and Google have compliance responsibilities under GDPR.

Additionally, browsers are also affected by GDPR regulatory compliance mandates. To ensure compliance with this mandate, Apple made significant changes to how cookies are tracked on Safari, now deleting third-party tracking cookies after 24-hours, while making it difficult for marketers to use cookies for different forms of tracking like remarketing. While most advertisers might see this change as a huge limitation in their ability to advertise to their audience, it also helps cut down on low-quality spam ads and encourages marketers to target audiences with a relevant message during the most critical time frames.

While GDPR is working to prioritize the best interests of people, it also creates some new challenges for businesses that market through search engines. But despite the strong potential for inconvenience and challenges, business owners can’t ignore their responsibilities toward user privacy if they want to both effectively reach their audiences and remain within the law.

Regulatory Compliance Responsibilities for Search Engine Marketers

The GDPR is a complex and extensive piece of legislation governing regulatory compliance. And while this post is aimed at giving search engine marketers an idea of some of their responsibilities under GDPR, it is in no way comprehensive or a means of helping you interpret this document and how it pertains to your business. For any questions regarding your regulatory compliance posture, please enlist the help of legal professionals.

That said, here are some key best practices to follow for regulatory compliance as a search engine marketer: 

Prioritize user experience

Because the GDPR is open to almost limitless interpretation, even businesses that attempt to be compliant could end up inadvertently in violation of its terms. This had led to a number of businesses outside of Europe taking steps to avoid being subjected to the law altogether, including more than 1,000 US news sites that chose to block European visitors to their sites instead taking the necessary steps to be compliant or undergoing scrutiny under its regulations.

Don’t be tempted to follow suit. Not only would you be blocking your European audience base, you might inadvertently block US site users when they visit or live abroad. It can also negatively impact SEO if Google’s crawler can’t effectively read your site when you have links pointing at your website from other EU sites.

While blocking access to certain site visitors might seem smart from a financial perspective, it’s really only a temporary solution to a growing global data privacy issue that won’t go away anytime soon. The US has already enacted numerous compliance regulations, such as SOX, HIPAA and PCC DSS, which are all becoming more stringent and financially punitive. Thus, thinking ahead, it’s better to comply to GDPR regulations now with your user experience intact, than wait until you’re forced to make similar changes down the road.

Obtain proper tracking consent

Probably the most significant change search engine marketers need to make is ensuring they obtain proper consent for using tracking cookies on their website. This is a necessity if you use cookies for retargeting in online advertising.

In the past, it was possible to track site visitors with site cookies without asking them to opt-in, usually with an alert that read “By using this site, you accept cookies.” That doesn’t fly with GDPR—these days, visitors must give expressed permission before you can start using their data.

When obtaining consent, you should:

  • Give site visitors a clear option between accepting or rejecting cookies (e.g. they need to click a button to opt in).
  • Provide clear information about how the cookie data is used by either yourself or third-party providers. To avoid being too wordy on your opt-in popup, you can include a “more info” link where site visitors can see full details about how their cookie information is used.
  • Include a clear option on your website for visitors to opt out of cookie tracking.

What’s more, there are a variety of tools out there that can help you create GDPR-compliant cookie banners for your site, as well as help you track and manage cookie data:

How Data Security and Regulatory Compliance are Changing SEM

Redo your landing page lead forms

Another important requirement of GDPR is that businesses should only collect the data they need for marketing. Say an individual reaches one of your landing pages from organic search or a PPC ad. If you serve them with an extensive lead form requesting additional information that doesn’t have a direct marketing need, you could be in violation.

Not surprisingly, your landing page lead forms also need a lot of the same wording as your cookie agreement in order to comply, so use clear language to explain how the data they provide will be used by yourself and third-parties.

You should also design your lead form so users can provide clear consent about what you can do with their data. For example, one good practice is to have seperate boxes for users to agree to the Terms and Conditions vs. signing up for your mailing list. You also need to be clear if you plan to use lead form information to build your Google ads remarketing lists.

What’s more, you can also provide options for what kind of communications they can opt into receiving from you, such as email, phone, or SMS messages.

Essentially, it’s better to err on the side of being transparent on your landing pages about data use. As with your cookie consent, avoid being long-winded on your lead forms by providing prominent options for users to “read more” about how you might use their data for search engine marketing or other purposes. You can then direct visitors to your data security policy.

Elements of Strong a Data Security Policy

Optimizing how you collect consumer data for search engine marketing is only the first step in GDPR compliance. An equally important task is  implementing and updating a data security policy that details exactly how you will handle the data you collect.

Many businesses simply update their existing privacy policy to comply with GDPR standards, while others create a dedicated data security policy for the regulation. Whatever path you choose, make sure it's thoroughly reviewed by your legal team.

At the very basic level, a GDPR-compliant security policy should include:

What personal data you collect (and how it’s collected)

This should be a clear, complete explanation of who you collect personal information from (e.g. your site visitors) and what type of data you’re collecting. This includes cookie information, user device and IP address data, what browser they used, search queries they used to reach your website, information about on-site behavior, and geolocation data, among other things. The more detail you can provide about the type of information you can potentially collect, the better. You should also explain how the data is collected, including any third-party tools you might use.

A clear explanation of how personal data is used

Next, in order to ensure you’re only collecting necessary data about consumers under GDPR, you need to explain the various circumstances in which you might use personal data obtained from your site users. Essentially you need to justify why you’re collecting certain information by explaining your potential use of it. For example, you can use consumer data to define an audience that is most likely to respond to your marketing content, evaluate usage of your website, or market information about your products and services.

Under this stipulation, you should also disclose any third-party vendors or individuals with which you share consumer data, such as affiliates, advertising networks, or cloud service providers.

How long personal data is retained

GDPR mandates prohibit you from retaining consumer personal data indefinitely without reason. Thus, you need to have standards in place that explain how long you will retain data and under what circumstances.

For example, if you collected cookie data from site visitors for the purposes of remarketing, you might retain it for a maximum of 12 months, although the amount of time you hold onto the data really depends on the length of your sales funnel. If you run an ecommerce business that sells leather boots, it makes little sense to retain cookie information for more than a month, as the sales cycle is short. If you collect other kinds of data, such as lead contact information, you can specify another timeframe for data retention.

How you process data subject requests

Under GDPR, data subjects (consumers) have certain rights that businesses must adhere to, including:

  • The right to request a copy of whatever personal data you have about them
  • The right to request revisions to whatever personal data you have about them
  • The right to delete any personal data you have about them (a “right to be forgotten”)

This, of course, should be reflected in your data policy that should include details about how people can make these requests, and how long they should reasonably expect to wait before receiving a response.  

A protocol for potential data breaches

There’s always the possibility that your consumer data could inadvertently be used in a way outside of your data policy definitions. It could be misused by your own employees, or compromised by hacking, for example. GDPR acknowledges this potential, and requires organizations to have a process in place to notify consumers about data breaches and take efforts to minimize negative impacts. Specifically, you’re required to report necessary information regarding a data breach to all consumers and other relevant bodies within 72 hours of discovery.

Wrapping Up

GDPR is, to date, the most extensive and comprehensive regulatory legislation addressing data privacy online. But it’s not the first, and it won't be the last. But it anything, this privacy mandate sets a new bar, raising it ever higher, for data security, compliance and consumer data protection.

For many businesses, it has already created countless headaches and compliance woes. And it is sure to create more challenges down the road. But like any challenge, it also entails opportunity. For you as an SEM professional, that means you have the opportunity to get ahead of the game by adhering to its set of data privacy laws. Ultimately, that will mean your consumer data will be more secure, and your customers’ privacy will be protected—all of which go a long way to building trust and loyalty, both within your audience and in new markets.

Ignoring it is not the answer—this reinvigorated focus on consumer privacy isn’t going to go away anytime soon. But with a little time, effort and foresight, you can navigate it successfully and even use it to your advantage.