The moment you collect, store, handle, or process a user's personal data, you're legally bound to comply with various data privacy laws. These laws include the following:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA) as amended by the CPRA
- Personal Information Protection and Electronic Documents Act (PIPEDA)
Although these laws are all different, they have one principle in common: People have the right to know who has access to their personal data, and what companies plan on doing with the data they collect.
Put simply, you can't use someone's personal data for marketing or other analytics purposes without getting their informed consent. The most effective way to get this consent is by:
There's no doubt that remarketing, also known as retargeting, is a great strategy for generating business and boosting conversion. Why? Because it lets you specifically target users who have already shown an interest in your service or product. Here's a very brief summary of how it works:
- The user lands on your website and looks around
- These users are added to customized "lists" through browser cookies
- You can then send these users highly targeted ads on various websites
Who wouldn't want to target a highly curated audience that's likely to convert into paying customers? It's unsurprising that remarketing is such a popular business strategy. What's important, however, is that you're aware of your legal responsibilities and obligations before you use this marketing tool.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- 1. Introduction to Google Adwords Remarketing (AWR)
- 3.1. Type of Data
- 3.2. Purpose of Collection
- 3.3. Method of Collection
- 3.4. Use of Personal Identifiers
- 3.5. Opt-Out
- 4.1. Disclosure of Use of Remarketing
- 4.2. Third Parties
- 4.3. Ad Display & Cookies
- 4.4. Opting Out of Targeted Marketing
- 4.5. More Information
- 6. Conclusion
Introduction to Google Adwords Remarketing (AWR)
Google Ads, or Google AdWords, is a highly popular online advertising and marketing platform. It lets you place ads on Google and it lets you know which advertisements are working most effectively. Specifically, AdWords lets you send curated ads to the audience you know will appreciate them the most.
All you need to get going is:
- A free AdWords account
- A small tag, or pixel, added to your website from Google's remarketing codes
- Users who click on your website and accept browser cookies
Google sums it up succinctly on its own Privacy and Terms page. Here's what it says:
- You use remarketing or similar marketing technologies
- How you use these technologies to advertise online
- How third-party vendors and partners display your ads online
- How users can opt-out of retargeting cookies and targeted marketing
- Where they can find out more information about their privacy rights
- The type of data you collect
- Why you collect this data
- How you collect it
- What you do with the personal information once you've got it
- How users can opt-out of everything but essential data collection (i.e., how they opt out of marketing and related activity)
So, what do these clauses look like? Let's take a look at examples of each type.
Type of Data
Tell users that you collect personal information from them. Personal information, legally speaking, is any information that can be used to identify someone, such as their name, IP address, or email address.
The list is non-exhaustive, meaning there are many identifiers which may be considered personal information. It's a good idea, then, to keep your clause broad so you're covered for collecting a wide variety of personal information.
Here's an example from Barnes & Noble:
Inform users you're collecting personal data, and what this may include.
Purpose of Collection
Users have the right to know why you need the data you collect from them. You may, for example, need their financial details to complete a transaction, or their basic name and address details to set up an account.
Data privacy law is all about transparency. You should set out, as clearly as possible, why you need a user's personally identifiable information.
Arnold Clark, a vehicle retailer, sets out in clear, concise sections precisely why it collects personal information, at what stage and why:
Make it clear why you need certain personal identifiers at various stages so customers know exactly what information you take from them, and why.
Method of Collection
You can collect personal information from users in various ways. For example, you might gather their name, home address, date of birth, and email address when they go through checkout. You might also collect their IP address when they browse through your site.
What's most important is that users know how you collect data from them at these various stages. In other words, they should know that creating a store account is a method of personal data collection, and so on.
Here's another example from Barnes & Noble:
Be transparent about when and how users supply you with personal information.
Use of Personal Identifiers
Be clear about how you plan on using someone's personal data once you have it.
There are some circumstances in which you have to use or disclose someone's information. For example, if you suspect they're committing fraud through your platform and you contact the authorities. However, in other circumstances, you should set out how you use the data from the moment the data is exchanged.
Taking another look at Barnes & Noble, we can see that the company dedicates a whole clause to setting out how they use personal identifiers. It's a broad clause drafted very much in the retailer's favor. It uses personal information to manage the business, which means someone's data can be used for virtually any business-related purpose:
Keep this clause as broad as possible.
Users must be able to opt-out of data collection for marketing. It's all about a person's "right to be forgotten." You must tell users that they can opt-out of marketing at any time, and it should be possible for them to reject marketing and other analytics activities from the outset.
Here's an example from Beauty Kitchen:
The company clearly and concisely explains how users can opt out of marketing and makes it clear that users can change their mind (or rescind consent) at any time.
In line with privacy laws around the world, give users full control over their data.
Now, here's a look at the more specific clauses you'll need to comply with Google's own AdWords Policy.
Disclosure of Use of Remarketing
If you plan on using remarketing technology, you must disclose this to your users. To comply with Google AdWords' Terms, there are two main steps:
- Disclose that you use remarketing or ad retargeting tools
Barnes & Noble has a great example for this. It explains what cookies are, in simple terms, and is very open about using marketing cookies:
Here's an example from Beauty Kitchen. It explains the types of technology that the company uses, including ad tags and custom audience tools, to remarket around the web:
Be clear about using remarketing technologies. A clause declaring your use of these technologies is sufficient.
You must include a clause that tells your visitors how third-parties such as Google may place ads for you across the internet. This is based on users visiting your website, and the personal data they share with you. Again, it doesn't have to be a long clause. The more succinct and concise the clause, the better.
Here's an example from Myprotein. You can see the clause is very general so that it includes a broad range of third parties. What's key is that users know that they may see tailored ads on third-party websites:
Tell users that they may see your ads across the internet because of your third-party data sharing policy.
Ad Display & Cookies
- You partner with third parties
- Third parties serve ads based on a user's past behavior on your website
Notice that this clause from Barnes & Noble covers these three requirements quite succinctly:
Opting Out of Targeted Marketing
This is the approach taken by Barnes & Noble, and it's entirely sufficient for purpose:
Be clear about where visitors can find out more about their privacy rights. First, it should be obvious how users can contact you or your data controllers for more information. However, in addition to this, you should provide a link to one or two external sources.
Here's a good example from Myprotein.
Give users access to the information they need about their privacy rights.
- Message on the use of remarketing or retargeting technology
- Message on how third parties, including partners such as Google, display yours ads online based on user behavior
- Advice on how to opt out of targeted marketing
- Links to where users can find out more about their privacy rights