The GDPR's Impact on Digital Marketing

by Nicole O. Legal writer.

In the world of marketing, data is now at the center of everything. What's more, data is also available in abundance. Marketers now use more data, and more personalized data, to gather leads, increase sales, and improve customer experience.

You could say that it's this huge increase in the use of data for personalized marketing that contributed to the need for the General Data Protection Regulation (GDPR), the European Union's landmark privacy law that came into effect in 2018. The GDPR is a sweeping attempt to put the individual back in control of their personal data, which means marketers need to work harder for their access to and use of it.

The GDPR is a huge obligation for marketers. Companies that don't comply can face fines of up to €20 million or 4% of their global turnover, whichever hurts you more.

What's the full impact on digital marketing? Here's what you need to know.

What is the GDPR?

The GDPR is a lengthy and opaque law passed by the European Commission to protect the data of European residents from misuse, disclosure, and sale by data processors and controllers.

The law is long and complex, but you can start to get to grips with it by understanding the seven key principles:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Security
  7. Accountability

As a marketer, you can understand the GDPR as a commitment to be open and honest about your data practices. By and large, it means treating people's identifying data with respect: asking for permission to collect it, only taking what you need, making sure your data is accurate, and keeping it secure.

These principles come up over and over again throughout the legislation. But for marketers, they very much come alive in Article 6 (Lawfulness of processing) and Article 7 (Conditions for consent).

What Marketers Need to Know About Data Collection in the GDPR Era

Data collection is a core marketing activity and it always has been. You can't do much if you don't have data to work with, and this was as true in the Don Draper advertising era as it is today.

The GDPR targets this very first step, and as a result, some of your biggest responsibilities as a marketer of any type rest within the initial collection mechanism.

In the past, you could collect whatever data you needed (or wanted) from any preferred source, and the rest was up to you. You're no longer allowed to take data as you please.

There are three key GDPR issues that impact your data gathering and collection practices:

  1. Legal bases for processing
  2. Getting consent
  3. Opting out

The GDPR provides six legal bases for processing data. You need to meet these if you intend to collect and use any personal information from an EU resident. These are:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interests

Marketers generally operate under the first basis: consent. Why? Because you don't need to market to someone to uphold a contract or legal obligation. It's also not a public task or within your vital interests. Digital marketing is totally optional, so you need permission.

To that end, you need to seek consent for all the data you intend to use for marketing. If you start contacting a data subject who hasn't provided consent, then you're participating in unsolicited communication and you have collected data without a legal basis. These are two violations of the GDPR.

Remember: you'll also need to note the use of consent as a legal basis in your Privacy Policy. As an example, UK retailer John Lewis does this well by not only sharing that it uses consent as its legal basis but providing a context in which it uses this basis:

John Lewis Privacy Notice: Legal Bases clause - Consent section

In the past, marketers relied on things like implied consent to gather data. It was a practice particularly popular in email marketing and SMS marketing. You might have simply built an email list based on customer orders or you might have used the old pre-checked checkbox to automatically gather consent to add a customer to your email list.

Both of these actions are now GDPR violations.

Because your legal basis is probably consent, you need to follow the new rules of consent as provided by the legislation.

The law requires consent to be granular, affirmative, and freely given. Ideally, if you want to sign a customer up for an email campaign and an SMS campaign, then you need to ask for consent for each one individually using a consent mechanism, like a checkbox.

At a minimum, your marketing consent needs to be distinct from any consent to a Terms and Conditions agreement or Privacy Policy.

See the example here from Ticketmaster Ireland:

Ticketmaster Ireland email sign-up form

Ticketmaster uses two consent mechanisms because it has two legal bases for processing.

To market to you, it relies on consent, which means that you need to opt-in or opt-out by choosing Yes please or No Thanks.

Marketing is distinct from agreeing to the Terms or Purchase Policy, which falls outside the realm of marketing and falls under the legal basis 'contract.' Contract covers times where you need to process data to uphold your contractual obligations to a customer.

For example, Ticketmaster needs a customer's email address to deliver the e-tickets they order. Without the email address, Ticketmaster can't uphold its end of the bargain, which means that they don't need consent to ask for and collect the email address.

Ticketmaster doesn't need to send the customer information about upcoming events to deliver their tickets. That part is optional, which means Ticketmaster needs consent to use their email address to do more than send them tickets.

Offering the Option to Opt-Out

You need consent to market to Europeans. However, they aren't automatically yours forever once they opt-in. The age of endless marketing emails is officially over.

The GDPR requires marketers to make it as easy to opt-out as it was to opt-in. In other words, consent needs to be freely given at all times during the customer relationship, not just within your sign-up mechanism.

Most marketing teams manage consent in direct marketing by adding an Unsubscribe function to any texts or emails and by providing a communication preference page within the customer's account.

Amazon UK provides two helpful examples of this. First, it offers a Communication Preferences Centre where settings can be adjusted and consent can be revoked:

Amazon UK Communication Preferences Centre

It also offers a standard Unsubscribe link in the footer of every marketing email it sends out:

Screenshot of Amazon Audible email footer

You should make it clear to your users that they can unsubscribe/revoke consent, and make doing so at any time very easy.

How the GDPR is Changing Targeted Ads

Targeted and location-targeted ads are more and more common in part because the statistics say customers like them.

Data targeting, including location targeting and geofencing, allows marketers to use data to deliver ads that are specifically tailored to customers' interests. For example, if you shop at Target and Target has a sale, then Target might use historical location data to advertise its sale to you. Usually, Target will collect the data through your account, but if you don't have a Target account, it might still catch you if you ever log on to Target's free Wi-Fi.

Using this kind of data is increasingly difficult if you're collecting data within the European Union. Even if the data you get is theoretically anonymous (there's no identifying information attached), the data still needs to be collected and processed according to the GDPR, including the GDPR's definition of consent. It is less likely to apply if you're collecting geo-location data from someone who isn't an EU resident.

Not all targeted ads are on the chopping block. If you're running ads based on contextual advertising and not using any personal information, then you're still okay. But if you're using the viewers' geo-location or any other demographic or piece of granular data, then you need to think more carefully about what you collect and whether you have permission to have that information.

One way forward is to ask for permission for contextual marketing. Starbucks has done that. You can opt-in to Starbucks emails, but you also have the option to opt-in to targeted ads based on your activity and information:

Starbucks email sign-up form

Fast fashion giant H&M offers the same protection:

H and M account sign-up form

Ultimately, the GDPR seems as though it will send the heavily targeted ads back towards a more kosher contextual marketing. However, that's not a bad thing: over-personalization not only limits effectiveness but also infuriates the more privacy conscious.

Chatbots and the GDPR

Chatbots are an increasingly popular tool for digital marketers because once again, customers like them. Chatbots cut costs by up to 30% and by next year, it's estimated that 85% of customer interaction will take place via bot rather than with a human.

If you've installed a chatbot in the past year, then you probably already have a GDPR-compliant chatbot. Many providers updated their services in order to provide streamlined services to European clients as well as international organizations with GDPR obligations.

Chatbots are customer service-focused, but they're an important data collection tool. The big issue with chatbots is ensuring you know what information you collect and why you're collecting it. It also needs to be published within your Privacy Policy.

The use of a chatbot is a tricky one in terms of legal basis. On one hand, you don't need to use a chatbot to collect data. At the same time, your customers can't use a chatbot unless they hand over personal data.

If you rely on chatbots extensively, you might even consider publishing a Chatbot Privacy Policy. PricewaterhouseCoopers requests that all its customers agree to its version of this statement in order to use its chatbot:

PricewaterhouseCoopers Chatbot Privacy Statement excerpt

It's also important that your customers are able to access their data, as is their right under the GDPR. Your chatbot should also comply with GDPR security regulations to prevent data breaches and mitigate their effects.

What the GDPR Means for Affiliate Marketing

What about affiliate marketing? Does the GDPR carry any provisions that disproportionately impact affiliate programs?

The answer is that there's no particular clause that targets affiliate programs. It targets all data processors and controllers equally whether you're participating in a program or running a global business. You need to treat any personally identifiable data the same as you might for any other type of marketing.

That means you need to:

  • Identify your legal basis for collecting information
  • Get consent for data collection and processing
  • Provide a clear and up-to-date Privacy Policy for your activities

You probably already have a Privacy Policy because many affiliate programs require it for their own GDPR and privacy obligations. For example, the Amazon Affiliate Program requires all its participants to use a Privacy Policy that discloses their participation in the program as well as any tracking or data collection they do:

Amazon Associates Program Participation Requirements: Responsibility for Your Site clause - Disclose collected data section

Remember that the opt-out is incredibly important, and something of a sticking point among affiliate marketers. If a European resident wants you to take them off your marketing list, show them what data you have, or delete their data, then you have an obligation to do so under the law, or you could be reported to a supervisory authority.

The Bottom Line is Transparency

There are a lot of ways that digital marketing had to change to keep up with the new GDPR regulations. Affirmative and granular consent is a big one, and a more detailed and up-to-date Privacy Policy that covers all your marketing activities is another.

The biggest takeaway for digital marketers is that transparency is key.

  • You can't market to people who don't know they're being marketed to, and you can't market to people who haven't given you permission to market to them.
  • You need consent first and foremost, and you need that consent to remain valid throughout the customer journey and lifetime.
  • You need to let customers know what they're consenting to.

If they sign up for your monthly newsletter, then you can't send them random promotional emails unless you ask first.

Ultimately, the GDPR has wide-reaching implications for marketers and it has already forced many to reconsider how they work. But if marketers of all types work together and embrace the principles of the GDPR (as well as the nitty-gritty details), then not only will you have a more willing and engaged audience but you'll also do your part to protect their rights and freedoms by protecting their data, and that's more valuable than any old email list.

Last updated on 23 June 2020
