Have you ever been browsing a website, only to see an ad pop up for a product you nearly bought last week? The chances are that you were subject to a retargeting campaign.
- 1. Retargeting and Privacy Law
- 1.1. European Union
- 1.2. United States
- 2. Agreements with Retargeting Companies
- 2.1. Google Ads
- 2.2. Twitter Tailored Audiences
- 2.3. AdRoll
- 2.4. Pinterest
- 3.2. Explaining Cookies and Retargeting
- 3.3. Types of Data Used in Retargeting
- 3.4. Third Parties
- 3.5. How to Opt Out
- 3.6. Consent for Retargeting
Retargeting and Privacy Law
Retargeting is an effective advertising method with a high return on investment. Some businesses find it helps their conversion rates to go through the roof. But to consumers, retargeting can sometimes feel a little "creepy." Research by HubSpot, for example, reveals that consumers are particularly bothered by ads that appear to "follow" them.
This is one reason why it's in your best interests to ensure that you conduct your retargeting campaign in a transparent and respectful way. Transparency and respect for personal data are also a legal requirement.
Retargeting involves a number of practices that fall under the scope of privacy law.
- Using cookies
- Gathering information about users based on their online activity
- Tracking users across the web
- Sharing user data with third parties
European Union
The European Union (EU) passes laws which apply across all 28 EU countries, and usually the wider European Economic Area (EEA) as well. Each individual country also has national laws, which might be slightly different but will usually have to meet the minimum standard set at EU level.
In the context of retargeting, there are two particularly important EU privacy laws.
Firstly, the ePrivacy Directive. This is sometimes referred to by a 2009 amendment to the law known as the Cookie Directive. Here's an excerpt from this privacy law (scroll down to section 24 in the linked text to find it):
Let's break this down.
The Directive says that certain data placed on a user's device to monitor their activities, such as cookies, can have a legitimate purpose. They should be allowed subject to certain conditions. For example:
- The user should be informed about them, and
- The user should be able to refuse them
So it should be clear that, because it involves the use of tracking cookies, retargeting falls under the scope of this law.
We can see that the GDPR applies to any entity that "processes" the "personal data" of people in the EU, for the purposes of offering goods or services or monitoring their behavior. This applies whether the entity is based in the EU or not.
So, does a retargeting campaign involve processing personal data? Here's how the GDPR defines "personal data":
You can see above that one of the examples of personal data is an "online identifier." At Recital 30, we can see that this includes cookies, an essential part of retargeting:
And here's how the GDPR defines "processing" in Article 4 (linked above):
Retargeting involves the collection of cookie data from a user's device. Therefore, it constitutes the processing of personal data, and so is subject to the GDPR.
"The controller" here refers to a data controller. A data controller is an entity that decides how and why personal data should be processed.
United States
United States (US) privacy law is quite weak at the federal level. However, California has some relatively strong privacy laws at state level, including the California Online Privacy Protection Act (CalOPPA).
CalOPPA doesn't apply only to California businesses. It applies to any commercial website that collects the personal data of California residents.
Agreements with Retargeting Companies
Let's take a look at some of these companies and what their requirements are.
Google Ads
Running a retargeting (Google calls it "remarketing") campaign through Google is a popular choice. But Google has high expectations of its customers. If you choose Google as your retargeting provider, you'll be subject to terms that require strict compliance with privacy law.
Google's requirements are spread across a series of policies, terms, and FAQs. Here's a key excerpt from a Google Ads help page that requires Google Ads users to inform people that their website is gathering information for remarketing:
You'll need to have:
- A description of how you use remarketing or similar services for online advertising
- A message about third-party vendors (including Google) showing your ads on other websites
- A message about third-party vendors (including Google) using cookies to show these ads
- Information on how users can opt out of all of this with Google's Ads Settings page or the Network Advertising Initiative opt-out page
Twitter Tailored Audiences
Twitter's Tailored Audiences and conversion tracking programs involve retargeting methods. Twitter sets out its requirements over two policies.
Here's the reference to the Tailored Audiences program in Twitter's main Terms for advertisers:
The requirement for "legally sufficient notice" says it all. But in a separate document, Policies for Conversion Tracking and Tailored Audiences, Twitter sets out some specifics:
- That you are working with third parties to collect users' data, through either your website, app or both
- That this data will be used for conversion tracking and delivering targeted ads tailored to users' interests
- How users can opt out of Twitter's interest-based advertising. Where the program is used on a website, this section must include reference to the opt-out mechanism provided by Twitter.
Note that Twitter also requires you to obtain consent for these activities where legally necessary. We'll cover this later.
AdRoll
AdRoll is another popular choice for retargeting services. AdRoll's Terms require the following:
- Is clear and conspicuous
- Is legally compliant
- Discloses that third parties, including AdRoll, may place cookies on users' devices to collect data
- Identifies the types of data involved in delivering targeted ads
- Discloses that third parties may use this data for the purposes of delivering targeted ads based on browsing activity
- Informs users how they can opt out of targeted ads
- Obtains consent for such activities where legally required
- Is clear and prominent
- Discloses both to website and app users that their information will be shared for behavioral advertising (targeted ads)
- Informs users how they can opt out of targeted ads
For example, The Guardian displays both policies in its footer:
Explaining Cookies and Retargeting
Privacy Policies should not be written in legalese. This is clear from the GDPR, which states that as part of its principle of transparency, information relating to the processing of personal data must be communicated in a way that's easily accessible and easy to understand. You need to use clear and plain language.
Here's how Direct Line explains cookies to its users:
Direct Line offers two explanations of retargeting cookies. First, a very simple explanation:
And later, a more comprehensive explanation:
This is a great approach as it gives a short, basic summary as well as more detailed yet still easy-to-understand information for people who may want to find out more about the topic.
Types of Data Used in Retargeting
Some retargeting companies (such as AdRoll) require you to list the types of data that might be collected in a retargeting campaign. You could include this within a disclosure of the types of data collected by cookies more generally.
Here's an example from Source Knowledge that lets users know that cookies collect data such as browsing activity, IP addresses, mobile device type and other pieces of data:
This clause organizes information in a paragraph format, which is fine, but this paragraph may be easier to read if each of the highlighted sections were a separate bullet point in a list.
You should be able to easily find out what types of data your retargeting providers use by looking at their Privacy Policies.
Third Parties
You need to let your users know which advertisers you're working with. After all, these companies will be receiving your users' data.
Even the strictest of privacy laws, the GDPR, only requires you to disclose the "categories" of third parties you share personal data with. However, we've seen that many advertisers require their customers to specifically name them in their Privacy Policies.
Here's how Showplace does this:
How to Opt Out
Retargeting providers generally require their customers to inform users how they can opt out of retargeting. This is also a requirement where you're using cookies more generally.
Note that only providing an "opt out" system is not recognized as legally valid consent under the GDPR. We'll discuss this in more detail below.
Remember that some retargeting providers require you to display links to specific websites where users can opt out. Therefore, you may have to provide a list containing several different opt-out methods if you're using several companies.
Here's how Fierce Inc does this:
The easier you make it for your users to opt out of retargeting, the better it will be for your legal compliance.
Consent for Retargeting
As we've seen, disclosure is only part of what's required for a legally-compliant retargeting campaign. Most advertisers require you to gain legally valid consent. Where required to do so by law, you must ask your users for permission to be subject to your retargeting campaign.
This is particularly important if your campaign extends to individuals in the EU. Earning consent for cookies is required under EU law. And "consent" under the GDPR really means consent.
Consent is defined at Article 4 of the GDPR and it must be:
"freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
There's no room for "passive" or "implied" consent under the GDPR. You can't only ask your users to opt out of your retargeting campaign. You must ask them if they would like to opt in.
Here's an example from the New York Times of a cookie consent request that does not fit the GDPR's requirements:
Clicking "x" on the cookie banner hardly constitutes "freely given" and "unambiguous" consent. Nor does clicking "I accept," if there's no option for "I don't accept."
Here's a better example from Worcestershire County Council.
It gives clear options to either accept or not accept, and doesn't treat something like continuing to browse the website as acceptance.
There's no point denying that some people don't like the idea of being targeted by advertisers based on their browsing activity. That's why it's so important to be totally transparent about the practice, and give people a choice about whether they participate in it.
- What cookies are
- What retargeting is
- What type of data is collected during retargeting
- Which third parties are involved in your retargeting campaign
- How your users can opt out of, or withdraw consent for, retargeting