Privacy Policy for Retargeting

Privacy Policy for Retargeting

Have you ever been browsing a website, only to see an ad pop up for a product you nearly bought last week? The chances are that you were subject to a retargeting campaign.

Retargeting allows a business to advertise to its customers (or potential customers) as they move around the internet. It's a great way of advertising to someone people that you know have taken an interest in your company. But because of the way it uses personal data, any company running a retargeting campaign will need to mention this in its Privacy Policy.

We're going to take a look at the legal reasons that retargeting requires a Privacy Policy, and what that Privacy Policy should contain.


Retargeting and Privacy Law

Retargeting is an effective advertising method with a high return on investment. Some businesses find it helps their conversion rates to go through the roof. But to consumers, retargeting can sometimes feel a little "creepy." Research by Hubspot, for example, reveals that consumers are particularly bothered by ads that appear to "follow" them.

This is one reason why it's in your best interests to ensure that you conduct your retargeting campaign in a transparent and respectful way. Transparency and respect for personal data are also a legal requirement.

Retargeting involves a number of practices that fall under the scope of privacy law.

  • Using cookies
  • Gathering information about users based on their online activity
  • Tracking users across the web
  • Sharing user data with third parties

Because retargeting is subject to privacy law, you'll need to disclose your retargeting campaign to your users in a Privacy Policy.

Different laws make different demands about what must go into a Privacy Policy. You'll need to meet the legal requirements of the country in which your company is based. And you'll also need to comply with the privacy laws of the countries in which your customers are based.

Let's look at some of the jurisdictions which require companies to produce a Privacy Policy.

European Union

The European Union (EU) passes laws which apply across all 28 EU countries, and usually the wider European Economic Area (EEA) as well. Each individual country also has national laws, which might be slightly different but will usually have to meet the minimum standard set at EU level.

In the context of retargeting, there are two particularly important EU privacy laws.

Firstly, the ePrivacy Directive. This is sometimes referred to by a 2009 amendment to the law known as the Cookie Directive. Here's an excerpt from this privacy law. (Scroll down to section 24 in the linked text to find it):

EUR-Lex ePrivacy Directive sections 24 and 25 highlighted

Let's break this down.

The Directive says that certain data placed on a user's device to monitor their activities, such as cookies, can have a legitimate purpose. They should be allowed subject to certain conditions. For example:

  • The user should be informed about them, and
  • The user should be able to refuse them

So it should be clear that because it involves the use of tracking cookies retargeting falls under the scope of this law.

Also relevant is the General Data Protection Regulation (GDPR). This important regulation brings companies from outside of the EU under the scope of EU privacy law.

GDPR Info: Article 3: Territorial Scope

We can see that the GDPR applies to any entity that "processes" the "personal data" of people in the EU, for the purposes of offering goods or services or monitoring their behavior. This applies whether the entity is based in the EU or not.

So, does a retargeting campaign in involve processing personal data? Here's how the GDPR defines "personal data":

Intersoft Consulting: GDPR Article 4: Definition of "personal data"

You can see above that one of the examples of personal data is an "online identifier." At Recital 30, we can see that this includes cookies, an essential part of retargeting:

GDPR Info Recital 30: Online identifiers for profiling and identification

And here's how the GDPR defines "processing" in Article 4 (linked above):

Intersoft Consulting: GDPR Article 4: Definition of "processing"

Retargeting involves the collection of cookie data from a user's device. Therefore, it constitutes the processing of personal data, and so is subject to the GDPR.

The GDPR gives the requirement to produce a Privacy Policy in section 1 of Article 12:

GDPR Info Article 12 Section 1: Privacy Policy requirement

"The controller" here refers to a data controller. A data controller is an entity that decides how and why personal data should be processed.

If you're running a retargeting campaign, you're deciding that a visitor to your website should have their online activities tracked via cookies for the purposes of advertising to them. This makes you a data controller - and data controllers need to have a Privacy Policy in place.

It's clear from these two laws that anyone running a retargeting campaign involving people in the EU is required to have a Privacy Policy.

United States

United States (US) privacy law is quite weak at the federal level. However. California has some relatively strong privacy laws at state level, including the California Online Privacy Protection Act (CalOPPA).

CalOPPA states that any commercial website that collects the "personally identifiable information" (personal data) of California residents must display a Privacy Policy.

CalOPPA doesn't apply only to California businesses. It applies to any commercial website that collects the personal data of California residents.

If you're operating in the US, it wouldn't really be feasible for your retargeting campaign to exclude California residents even if you wanted it to. So, if your retargeting campaign is aimed at people in the US, you'll need a Privacy Policy no matter where your company is based.

Agreements with Retargeting Companies

Agreements with Retargeting Companies

Privacy law isn't the only consideration you need to make. There are many third-party companies who can provide retargeting services. They all make certain demands in their Terms and Conditions agreements. One of these demands is usually that the customer produces and display a Privacy Policy.

Let's take a look at some of these companies and what their requirements are.

Running a retargeting (Google calls is "remarketing") campaign through Google is a popular choice. But Google has high expectations of its customers. If you choose Google as your retargeting provider, you'll be subject to terms that require strict compliance with privacy law.

Google's requirements are spread across a series of policies, terms, and FAQs. Here's a key excerpt from a Google Ads help page that requires Google Ads users to inform people that your website is gathering information for remarketing:

Google Ads Help: Excerpt of requirement to inform in your remarketing Privacy Policy

Having a Privacy Policy is the way to fulfill this requirement.

Google also has specific requirements about what you should include in your Privacy Policy:

Google Ads Help: What to include in your remarketing Privacy Policy

You'll need to have:

  • A description of how you use remarketing or similar services for online advertising
  • A message about third-party vendors (including Google) showing your ads on other websites
  • A message about third-party vendors (including Google) using cookies to show these ads
  • Information for how users can opt out of all of this with Google's Ads Settings page or the Network Advertising Initiative opt out page

Twitter Tailored Audiences

Twitter's Tailored Audiences and conversion tracking programs involve retargeting methods. Twitter sets out its requirements over two policies.

Here's the reference to the Tailored Audiences program in Twitter's main Terms for advertisers:

Twitter Master Services Agreement: Data Use and Opt-Out clause with targeted ads section highlighted

The requirement for "legally sufficient notice" says it all. But in a separate document, Policies for Conversion Tracking and Tailored Audiences, Twitter sets out some specifics:

Twitter Policies for Conversion Tracking and Tailored Audiences: Requirements clause highlighted

If you're using Twitter's Tailored Audiences or conversion tracking programs on either your website or mobile app, your Privacy Policy must disclose:

  • That you are working with third parties to collect users' data, through either your website, app or both
  • That this data will be used for conversion tracking and delivering targeted ads tailored to users' interests
  • How users can opt out of Twitter's interest-based advertising. Where the program is used on a website, this section must include reference to the opt-out mechanism provided by Twitter.

Note that Twitter also requires you to obtain consent for these activities where legally necessary. We'll cover this later.

AdRoll

AdRoll is another popular choice for retargeting services. AdRoll's Terms require the following:

AdRoll Terms of Service: Client Data Privacy Responsibilities clause highlighted

Let's break this down. AdRoll requires its customers to provide a Privacy Policy that:

  • Is clear and conspicuous
  • Is legally compliant
  • Discloses the website's use of cookies, targeting and online behavioral tracking
  • Discloses that third parties, including AdRoll, may place cookies on users' devices to collect data
  • Identifies the types of data involved in delivering targeted ads
  • Discloses that third parties may use this data for the purposes of delivering targeted ads based on browsing activity
  • Informs users how they can opt out of targeted ads
  • Obtains consent for such activities where legally required

Pinterest

Pinterest offers a range of advertising services, including their retargeting tool, Visitor Retargeting. This is the relevant part of Pinterest's Ad Data Terms:

Pinterest Ad Data Terms: Pinterest Tag, App Activity and SDK clause highlighted

So, Pinterest advertisers must provide a Privacy Policy that:

  • Is clear and prominent
  • Discloses the use of cookies and other tools used for advertising
  • Discloses both to website and app users that their information will be shared for behavioral advertising (targeted ads)
  • Informs users how they can opt out of targeted ads

What to Include in Your Retargeting Privacy Policy

What to Include in Your Retargeting Privacy Policy

We've established that any business engaged in retargeting will need to disclose this in its Privacy Policy. This is clear both from privacy law and the Terms and Conditions of retargeting providers.

We'll now look at some of the clauses you'll need to include in your Privacy Policy to ensure it's legally compliant.

Privacy Policy vs Cookies Policy

Many websites choose to separate out the "cookies" section of their Privacy Policy by producing a distinct Cookies Policy. Because retargeting is a complex way of using cookies that requires a lot of information, you may wish to consider this.

For example, The Guardian displays both policies in its footer:

The Guardian website footer with Privacy and Cookie Policy links highlighted

You don't need to do this. You can cover everything in your main Privacy Policy. But if you do choose to have a separate Cookies Policy, make sure you provide a link to it, along with at least some information about cookies, in your main Privacy Policy.

Here's how The Guardian incorporates its Cookies Policy into its Privacy Policy:

The Guardian Privacy Policy: Cookies and similar technology clause with cookie policy highlighted

Explaining Cookies and Retargeting

Privacy Policies should not be written in legalese. This is clear from the GDPR, which states that as part of its principle of transparency, information relating to the processing of personal data must be communicated in a way that's easily accessible and easy to understand. You need to use clear and plain language.

Your first job when producing this part of your Privacy Policy is to help your users understand cookies, retargeting, and their implications.

Here's how Direct Line explains cookies to its users:

Direct Line Cookies Notice: What are cookies and what other technologies will we use clause

Direct Line offers two explanations of retargeting cookies. First, a very simple explanation:

Direct Line Cookies Notice: Advertising and retargeting cookies section highlighted

And later, a more comprehensive explanation:

Direct Line Cookies Notice: Targeting cookies or advertising cookies clause highlighted

This is a great approach as it gives a short, basic summary as well as more detailed yet still easy-to-understand information for people who may want to find out more about the topic.

Types of Data Used in Retargeting

Some retargeting companies (such as AdRoll) require you to list the types of data that might be collected in a retargeting campaign. You could include this within a disclosure of the types of data collected by cookies more generally.

Here's an example from Source Knowledge that lets users know that cookies collect data such as browsing activity, IP addresses, mobile device type and other pieces of data:

Source Knowledge Privacy Policy: What data we collect and how we use it clause highlighted

This clause organizes information in a paragraph format, which is fine, but this paragraph may be easier to read if each of the highlighted sections was a separate bullet point in a list.

You should be able to find out what types of data your retargeting providers use if you look at their Privacy Policies and do so easily.

Third Parties

You need to let your users know which advertisers you're working with. After all, these companies will be receiving your users' data.

Even the strictest of privacy laws, the GDPR, only requires you to disclose the "categories" of third parties you share personal data with. However, we've seen that many advertisers require their customers to specifically name them in their Privacy Policies.

Here's how Showplace does this:

Showplace Privacy Policy: Advertising Partners clause

Check the Terms of Use/Terms and Conditions of any advertising service you work with to see if they specifically require you to list them by name in your Privacy Policy. For transparency, you may wish to list them specifically by name even if not required. However, keep in mind that if you do this, you need to make sure your list is kept up to date at all times.

How to Opt Out

Retargeting providers generally require their customers to inform users how they can opt out of retargeting. This is also a requirement where you're using cookies more generally.

Note that only providing an "opt out" system is not recognized as legally valid consent under the GDPR. We'll discuss this in more detail below.

Remember that some retargeting providers require you to display links to specific websites where users can opt out. Therefore, you may have to provide a list containing several different out-out methods if you're using several companies.

Here's how Fierce Inc. does this:

Fierce Cookie Policy: Remarketing and retargeting opt-out links highlighted

The easier you make it for your users to opt out of retargeting, the better it will be for your legal compliance.

If you begin to engage in retargeting and are updating your Privacy Policy with this information, consider sending out an Update Notice for your Privacy Policy changes.

Consent for Retargeting

As we've seen, disclosure is only part of what's required for a legally-compliant retargeting campaign. Most advertisers require you to gain legally valid consent. Where required to do so by law, you must ask your users for permission to be subject to your retargeting campaign.

This is particularly important if your campaign extends to individuals in the EU. Earning consent for cookies is required under EU law. And "consent" under the GDPR really means consent.

Consent is defined at Article 4 of the GDPR and it must be:

"freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

There's no room for "passive" or "implied" consent under the GDPR. You can't only ask your users to opt out of your retargeting campaign. You must ask them if they would like to opt in.

Here's an example from the New York Times of a cookie consent request that does not fit the GDPR's requirements:

New York Times cookie consent banner highlighted

Clicking "x" on the cookie banner hardly constitutes "freely given" and "unambiguous" consent. Nor does clicking "I accept," if there's no option for "I don't accept."

Here's a better example from Worcestershire County Council.

Worchestershire County Council cookie control and consent notice

It gives clear options to either accept or not accept, and doesn't count something like browsing the website further to mean acceptance.

Consent under the GDPR is a long and complicated topic. As well as providing your users with a Privacy Policy, it's important to obtain consent for your use of retargeting technologies.


Summary of Your Retargeting Privacy Policy

There's no point denying that some people don't like the idea of being targeted by advertisers based on their browsing activity. That's why it's so important to be totally transparent about the practice, and give people a choice about whether they participate in it.

Your Privacy Policy should disclose pretty much everything about your company's data protection practices. And it must include a section which provides comprehensive information about your retargeting campaign.

The specifics of this section of your Privacy Policy will vary depending on which third parties you work with. But you must ensure that, at a minumum, you cover the following:

  • What cookies are
  • What retargeting is
  • What type of data is collected during retargeting
  • Which third parties are involved in your retargeting campaign
  • How your users can opt out of, or withdraw consent for, retargeting
Last updated on 12 March 2020

Article categories