May 4 2018
Basis Technologies

The Ultimate Guide to GDPR for Advertising


The customer journey is changing quickly, and it’s not all because of technology. Big data and the necessary legal regulations that follow have a huge impact as well. The General Data Protection Regulation (GDPR) is a new regulation that’s changing the way marketers can advertise to EU citizens. It’s the biggest regulatory change in data privacy in decades, and the deadline for compliance is fast approaching. Companies that don’t comply by May 25th, 2018 can face fines of up to 20 million Euros or 4% of annual global turnover.

Despite these threats, many businesses have done little or nothing to comply with GDPR. Hubspot did a survey in November and found that only 15% of companies had done anything to become compliant.

That’s likely because they don’t know anything about GDPR (36% of marketers hadn’t even heard of it in November) or they think it doesn’t apply to them and their business. That’s why we created this guide, to detail exactly what GDPR is, how it affects advertisers, and what changes you need to make to be in compliance.


The GDPR is a 200-page document that covers data privacy reform for companies in a variety of contexts. Our guide is meant to illustrate how it can impact advertisers, but it’s not meant to be a complete resource on GDPR compliance. Use this guide as a starting point, then enlist the help of legal professionals to ensure your business is in full compliance.

What is the GDPR?

The GDPR is a regulatory act adopted by the European Parliament in April 2016. It’s aimed at protecting data and privacy for all individuals within the European Union, and addresses the export of personal data outside the EU.

Many advertisers make the mistake of thinking the GDPR doesn’t apply to them if they don’t have a business presence within the EU. But if your business processes any personal data of European residents, the GDPR will affect you.

Here are some of the main points businesses will need to address when managing the data of EU citizens:

  • Businesses must comply with strict record-keeping requirements when handling personal data

  • Businesses must conduct privacy impact assessments

  • Personal data can only be used with the express (not implied) consent of consumers

  • Consumers have the right to be forgotten and a right of data portability

  • Businesses must adhere to communication protocols if consumer data is breached

Essentially, businesses need to get consent to collect personal data from their audiences, then take steps to ensure they handle it properly.

What is personal data?

GDPR’s definition of personal data is very broad, and it includes a number of the online identifiers that advertisers use for profiling and identification. Here’s the regulation’s own wording on the topic:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

For your purposes, you can assume personal data to include:

  • Names
  • Email addresses
  • Cookies
  • IP addresses
  • Payment information
  • Device IDs
  • Location data
  • RFID tags

Broadly, any information that can be tied to a person’s identity is personal data. This includes the information advertisers use to segment audiences based on interests, political leanings, ethnicity, etc.

What is consent?

Marketers are no longer allowed to use passive methods that imply consent for data use. Now consumers must take an action indicating that they are okay with their data being collected and used.

That means:

  • You can’t bury consent in the Terms & Conditions. It must be front and center so consumers understand they’re giving consent.

  • No more pre-checked opt-in boxes that consumers can overlook. They must take action to opt in.

  • No more “By continuing to browse our site you accept our use of cookies” notices.

  • Consumers must be able to quickly and easily revoke their consent at any time.

Businesses must also be prepared to provide individuals with their personal data upon request.

The impact of GDPR on advertising

For advertisers, GDPR impacts the personal data you can collect on consumers for ad targeting, how you store and use that data, and how you get permission to use it in the first place. Advertisers who use data science for search engine marketing need to take special care to ensure they’re in compliance.

The GDPR assigns responsibility for compliance to three main roles:

  • Data controller — Responsible for defining how and for what purpose personal data is processed.

  • Data processor — Groups that maintain and process personal data.

  • Data protection officer (DPO)

The data controller is responsible for ensuring outside contractors comply with GDPR when handling data, while the data processor is also liable for non-compliance with GDPR guidelines. Essentially, both you and the advertising platform you work with have obligations for data protection. For companies that store and process large amounts of personal data (e.g. banks or hospitals), a DPO is also necessary within the organization. This doesn’t apply to most advertisers.

Whether your organization is considered a data controller or processor depends on where the data came from. It’s an important distinction to make as it affects your responsibilities under GDPR.

If you’re advertising through Adwords or Facebook using data they collected from consumers for ad targeting, then they’re both the data controller and processor, and you have no additional obligations to protect data under GDPR. What changes is when you use your own consumer data with these platforms for ad targeting. When using conversion tracking cookies, remarketing IDs, Customer Match and other data collected from your site, the responsibility lies with you to obtain consent and explain what the data will be used for.

Let’s look at an example for Adwords advertising. If you tag your site to build remarketing lists for search ads (RLSA), then Google’s the data controller, not you. If you upload an email list to run a Customer Match campaign, then you’re the data controller and all responsibility lies with you to comply with GDPR requirements.

If you use Facebook for advertising, your obligations under GDPR will also depend on the kinds of ads and features you use. Facebook has its own guide to GDPR consent you can refer to. If you use the Facebook Pixel to collect additional consumer data for ad targeting, Facebook is both the data controller and processor. They’re responsible for protecting the data; all you need to do is clearly explain your cookie policy and gain permission from visitors to use their data.

If you upload a Custom Audience to Facebook, you have responsibilities to properly collect and protect data. They’re actually in the process of developing a Custom Audiences permission tool so advertisers can provide proof that they obtained proper consent.

Luckily, if you’re already GDPR compliant for Facebook ads, you won’t need to do anything additional for Instagram, since Facebook owns it.

YouTube ads work in a similar way. If you’re using remarketing ads, affinity audiences, in-market audiences, similar audiences, etc., then you need to get consent to use consumer data. If you’re using YouTube’s internal targeting features, the responsibility is on them.

Even with an explanation, your obligations can be confusing. Just remember that if you collect any data from your audience for advertising or otherwise, you need to get permission, fully disclose what you plan to use it for, and take proper steps to ensure data management and security. Adwords, Facebook and other advertising platforms will do the same.

5 steps for GDPR compliance with advertising

Even if you’re not currently using personal data for advertising, it’s best to be proactive and create a framework for compliance with GDPR standards. After all, transparency with your audience is a good business practice all around, whether they’re located in the EU or elsewhere.

Here are 5 steps you can take to start on the road to compliance before the May 25th deadline:

1. Audit your existing data

The first thing you should do is perform an analysis of your existing data to see how it’s already being used. Use this audit to develop processes to gain compliance for existing data and establish new practices to capture data.

Your audit should answer questions like:

  • Who are our data subjects?

  • Where do we keep their data? Who has access to it?

  • For what legal purpose do we have their data?

  • How are we processing their data?

You’re going to need to disclose to your customers how you plan to use their data and what third parties you might share it with. Therefore it’s important to start by mapping out where their personal data is held so you can be as transparent as possible.

2. Establish new practices for data collection

Next you need to change how you collect personal data from your audience. Start by changing the way you collect cookie data for site visitors. Be very transparent about what the cookies are used for, ensure your site visitors must take action to approve the use of cookies, and make it easy for them to opt out.

Do this the wrong way and you can end up ruining cookies as a data source for advertising. Many visitors will opt out of everything if you present them with a binary consent option (cookies or no cookies). Instead, explain how cookies improve their experience on the site and let them choose which kinds of cookie data you may use.

There are tools available, such as Cookiebot, that can help you build a custom, GDPR-compliant cookie consent banner.

You may also need to rework the opt-in forms you use on your PPC landing pages for lead generation. Say for example you use display remarketing to direct users to a gated lead magnet on your site. You may want to put an un-ticked opt-in checkbox at the bottom of the form allowing users to choose if they want to receive future marketing emails from your business. Or you could explain at the bottom of the form that by signing up, they agree with your privacy policy.
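The consent rules from the “What is consent?” section and from this step (nothing pre-ticked, consent only on an explicit action, granular choices rather than a single cookies-or-nothing switch, revocation at any time) are easy to state and easy to get wrong in a tag manager. The following is an added example written for this guide, not code from Basis Technologies or from any consent tool named above. It is a small consent manager whose only job is to keep a consent record with a timestamp and policy version and to load or tear down tracking tags strictly according to that record. The category names, the tag registry and the `loadTag`/`removeTag` callbacks are hypothetical; in a real page those callbacks would inject a script element and delete the category’s cookies, and they are injected here so the logic can be exercised without a browser.

```javascript
// Added example (not from the original guide): a minimal consent manager that
// enforces the consent rules described in the text: nothing optional is on by
// default, consent is granular per cookie category, trackers load only after
// an explicit grant, and consent can be revoked at any time. The record keeps
// the policy version and timestamp so you can later show *what* was agreed to
// and *when*.
//
// Assumptions (hypothetical, for illustration): the category names, the tag
// registry below, and the injected loadTag/removeTag callbacks that stand in
// for <script> injection and cookie deletion in a real page.

const POLICY_VERSION = "2018-05-privacy-policy"; // constructed example value

// Strictly necessary cookies need no consent; every other category starts denied.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed tag registry: which tags each optional category would enable.
const TAG_REGISTRY = {
  statistics: ["analytics-tag"],
  marketing: ["remarketing-pixel", "customer-match-sync"],
};

function defaultConsent() {
  // No pre-ticked boxes: only "necessary" is on before the visitor acts.
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

class ConsentManager {
  constructor({ loadTag, removeTag, now = () => new Date() }) {
    this.loadTag = loadTag;     // e.g. inject a <script>; injected for testability
    this.removeTag = removeTag; // e.g. delete that category's cookies
    this.now = now;
    this.record = null;         // no record until the visitor takes an action
    this.loaded = new Set();
  }

  // Has the visitor taken an affirmative action? Browsing alone is not consent.
  hasDecided() { return this.record !== null; }

  isAllowed(category) {
    if (category === "necessary") return true;
    return this.record !== null && this.record.choices[category] === true;
  }

  // Call only from an explicit user action (a button click), never on page load.
  grant(grantedCategories) {
    const choices = defaultConsent();
    for (const c of grantedCategories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      choices[c] = true;
    }
    this.record = { choices, policyVersion: POLICY_VERSION, grantedAt: this.now().toISOString() };
    this.applyConsent();
    return this.record;
  }

  // "Quickly and easily revoke their consent at any time": one call sets every
  // optional category back to denied and tears the corresponding tags down.
  revoke() {
    this.record = { ...this.record, choices: defaultConsent(), revokedAt: this.now().toISOString() };
    this.applyConsent();
    return this.record;
  }

  // Reconcile loaded tags with the current record: load allowed, remove denied.
  applyConsent() {
    for (const [category, tags] of Object.entries(TAG_REGISTRY)) {
      for (const tag of tags) {
        if (this.isAllowed(category) && !this.loaded.has(tag)) {
          this.loadTag(tag); this.loaded.add(tag);
        } else if (!this.isAllowed(category) && this.loaded.has(tag)) {
          this.removeTag(tag); this.loaded.delete(tag);
        }
      }
    }
  }

  loadedTags() { return [...this.loaded].sort(); }
}

// Stand-alone walk-through with a logging loader instead of the DOM.
function demo() {
  const log = [];
  const cm = new ConsentManager({
    loadTag: (t) => log.push(`load ${t}`),
    removeTag: (t) => log.push(`remove ${t}`),
    now: () => new Date("2018-05-25T00:00:00Z"), // constructed fixed clock
  });
  cm.applyConsent();                       // page load: nothing may load yet
  const beforeChoice = cm.loadedTags();
  cm.grant(["statistics"]);                // visitor ticks only "statistics"
  const afterGrant = cm.loadedTags();
  cm.revoke();                             // visitor withdraws consent later
  const afterRevoke = cm.loadedTags();
  return { beforeChoice, afterGrant, afterRevoke, log, record: cm.record };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The design point is that `applyConsent` is the only place that ever loads a tag, and it reads nothing but the consent record, so a tag cannot fire on page load or after revocation no matter how the banner is wired. Persisting `record` (for example in a first-party cookie or server side) gives you the evidence of consent that platforms such as Facebook’s forthcoming Custom Audiences permission tool ask advertisers to provide.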

3. Create a data protection plan

If you’re collecting consumer data (not your advertising platform), then GDPR requires that you have a data protection plan for internal business processes. Draw out a clear data security plan for your business that’s in line with GDPR requirements. Here are some important points to consider:

  • The right to be forgotten

Under GDPR, users have the “right to be forgotten,” which means they can request their personal data to be removed from your databases or cookie pool at any time. Procedures should be in place to properly purge data if and when users want to be removed from your databases.

  • Requests for personal data

Users also have the right to request personal data they’ve provided to your company. You’ll need procedures in place so you can easily provide personal data “in a structured, commonly used and machine-readable format.” A CSV file should be sufficient.

  • Procedures for handling data breaches

Include procedures for addressing data breaches, so you can report the necessary information to involved parties in a timely manner. GDPR mandates that data breaches should be reported to all consumers and the relevant supervisory bodies within 72 hours.
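The two requests in this step, a subject asking for a copy of their data and a subject asking to be forgotten, are the ones most advertisers have never had a procedure for. Below is an added example, written for this guide and not code from Basis Technologies, showing what such a procedure looks like when personal data is spread across a CRM, a cookie pool and an ad-platform upload list. The store names, record shapes and the two sample subjects are constructed. It goes slightly beyond the text in one respect: a subject is matched on any identifier you hold for them (here an email address or a cookie ID), since a visitor who only ever gave you a cookie can still ask to be removed from the cookie pool. Export produces the “structured, commonly used and machine-readable” CSV the text suggests, and both actions are appended to a request log so the handling can be evidenced afterwards.

```javascript
// Added example (not from the original guide): fulfilling a data-portability
// request and an erasure request across several stores, with a request log.
//
// Assumptions (hypothetical, constructed for this example): the store names,
// the record shapes and the sample subjects below.

// Constructed sample stores. In practice these are separate systems (CRM,
// analytics cookie pool, ad-platform audience uploads); here they are in memory.
function sampleStores() {
  return {
    crm: [
      { email: "ana@example.com", name: "Ana", country: "ES", signupSource: "rlsa-landing" },
      { email: "ben@example.com", name: "Ben", country: "DE", signupSource: "organic" },
    ],
    cookiePool: [
      { cookieId: "c-1001", email: "ana@example.com", lastSeen: "2018-05-01", interests: "running,travel" },
      { cookieId: "c-1002", email: null, lastSeen: "2018-05-02", interests: "cooking" },
    ],
    audienceUploads: [
      { list: "customer-match-2018-q2", email: "ana@example.com" },
      { list: "customer-match-2018-q2", email: "ben@example.com" },
    ],
  };
}

// A row belongs to the subject if any identifier we hold for them matches.
// subject is e.g. { email: "ana@example.com", cookieId: "c-1001" }.
function matchesSubject(row, subject) {
  return Object.entries(subject).some(([field, value]) => value != null && row[field] === value);
}

// RFC 4180-style escaping: quote fields containing commas, quotes or newlines.
function csvEscape(value) {
  const s = value === null || value === undefined ? "" : String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Rows from different stores have different columns, so the header is the
// union of all keys and missing cells are left empty.
function toCsv(rows) {
  if (rows.length === 0) return "";
  const headers = [...new Set(rows.flatMap((r) => Object.keys(r)))];
  const lines = [headers.join(",")];
  for (const row of rows) lines.push(headers.map((h) => csvEscape(row[h])).join(","));
  return lines.join("\n");
}

// Every record in any store that belongs to this subject, tagged with its source.
function recordsForSubject(stores, subject) {
  const found = [];
  for (const [store, rows] of Object.entries(stores)) {
    for (const row of rows) if (matchesSubject(row, subject)) found.push({ store, ...row });
  }
  return found;
}

// Right of data portability: one CSV with a `store` column so the subject can
// see where each record was held.
function exportSubject(stores, subject, requestLog, now) {
  const rows = recordsForSubject(stores, subject);
  requestLog.push({ type: "access", subject, at: now, records: rows.length });
  return toCsv(rows);
}

// Right to be forgotten: remove the subject from every store. Returns the count
// purged per store so the reply to the subject can state exactly what was removed.
function eraseSubject(stores, subject, requestLog, now) {
  const purged = {};
  for (const [store, rows] of Object.entries(stores)) {
    const keep = rows.filter((r) => !matchesSubject(r, subject));
    purged[store] = rows.length - keep.length;
    stores[store] = keep;
  }
  requestLog.push({ type: "erasure", subject, at: now, purged });
  return purged;
}

// Stand-alone walk-through: Ana asks for her data, then asks to be forgotten.
function demo() {
  const stores = sampleStores();
  const requestLog = [];
  const ana = { email: "ana@example.com", cookieId: "c-1001" };
  const now = "2018-05-25T00:00:00Z"; // constructed fixed timestamp
  const csv = exportSubject(stores, ana, requestLog, now);
  const purged = eraseSubject(stores, ana, requestLog, now);
  const remaining = recordsForSubject(stores, ana).length;
  return { csv, purged, remaining, stores, requestLog };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log(r.csv);
  console.log(JSON.stringify({ purged: r.purged, remaining: r.remaining }, null, 2));
}
```

Two things are worth noticing when adapting this. The cookie-pool row with no email survives erasure because nothing links it to Ana, which is the correct outcome, and Ben’s records are untouched. The request log entry is the artifact you would keep: it records which identifiers were used, when, and how many records each store reported purging.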

4. Review/revise your privacy policy

Your existing privacy policy may include clauses or language that aren’t in line with GDPR standards. Review your privacy policy and look for changes you can make, such as eliminating language related to implied consent.

In order to be fully compliant with GDPR requirements, your privacy policy should fully disclose to consumers what you plan to do with their personal data in a clear, concise, and transparent manner. It should address important areas like:

  • Who is collecting the data.

  • What kind of data you are collecting.

  • Your legal basis for processing the data.

  • Who you plan to share the data with.

  • How you will use the information.

  • How long you plan to store the data.

  • What rights the data subject has.

  • How data subjects can raise complaints, request their data or request its deletion.

To get an idea of how to word your privacy policy for GDPR compliance, you can refer to templates provided by the EU GDPR Documentation Toolkit.

5. Seek Privacy Shield certification

Privacy Shield is a framework developed by the European Commission, the Swiss Administration and the US Department of Commerce that provides a mechanism for complying with data protection requirements when transferring personal data for transatlantic commerce. Seek out and obtain certification under its standards, and do so before GDPR comes into effect to ensure you’re in compliance.

Wrapping up

On the surface, GDPR can seem like a marketing challenge that hinders your ability to collect consumer data and derive advertising insights from it. But fully complying with GDPR mandates actually helps ensure you’re marketing to the highest-value leads when they do opt in.

It may be by force of law, but advertising platforms and advertisers alike are making positive changes to ensure they market to people who really want to be targeted with advertisements. While these changes might reduce your pool of marketable leads, they improve the quality and effectiveness of your advertisements immensely.

Now that you’re targeting a smaller base of engaged users, ad costs are bound to go up. That leaves even less wiggle room in advertising budgets for wasted ad spend. Artificial intelligence and bid automation tools to accurately allocate ad spend will become even more essential as advertising becomes more expensive.