Over the past month, we've talked a lot about how GDPR affects data collection.
But what about online advertising? How big of an impact will GDPR have on Google Ads users?
The European Economic Area (EEA) is the second largest consumer market in the world. The EEA also represents the third largest search advertising economy on the planet.
So, if you're using Google Ads to advertise inside of the EEA (or outside), you need to be aware of GDPR, and its implications.
In this post and video, we'll look at how GDPR affects search advertising on Google Ads. We'll also discuss which Google Ads features could cause GDPR related problems. And we'll review some strategies to help you use Google Ads within the parameters of GDPR.
GDPR is here – What does this mean for Ads?
In case you've had your head down, mining keywords and building out ad groups, here's a brief update on what GDPR is and how it impacts online marketing.
What is GDPR?
GDPR is the new European Union (EU) data privacy regulation. This legislation was enacted to protect the personal information of EU citizens. GDPR went into effect on May 25th, of 2018.
GDPR governs the way data can be collected when EU citizens interact with your marketing efforts. Under GDPR, you cannot collect personal data from your EU website users without their consent.
Does GDPR apply to your Ads campaigns?
You don't have to be located in the EU or EEA to be affected by GDPR. If your advertising reaches EU citizens, then your data collection methods need to adhere to GDPR.
Caveat – GDPR might protect EU citizens in the US or other areas?
There is some ambiguity about whether GDPR protects EU citizens traveling abroad. I don't have a definitive answer or opinion about how GDPR affects EU web users in the US or other areas. For more clarity on this issue, I would advise that you follow up with an attorney who has expertise on this subject.
How does the GDPR impact your Google Ads campaigns?
The bottom line is this:
GDPR affects advanced Ads users who are running campaigns targeting EEA countries.
Let's break down the advertising process, so we understand how to use Ads in compliance with GDPR.
Geo-targeting for Ads under GDPR
It's always a good practice to geo-target your Ads campaigns. Precise geographic targeting will often yield better data about your ad campaign performance.
With GDPR in effect, I would view geo-targeting as mandatory.
You should create specific campaigns for each GDPR country you target. And, do not target GDPR and Non-GDPR nations within the same ad campaign.
What if you're not targeting EU users with any of your Ads campaigns?
If you are not targeting EU users with your ads, and EU web visitors are not reaching your landing pages, then you should be clear of any GDPR issues. But your attorney is the only person who can completely clarify this for you. So, discuss your specific scenario with your lawyer if you're concerned that your advertising strategy might violate GDPR.
The main point I want to stress is that geo-targeting on Google Ads is critical post GDPR. If you don't gain any business from EU customers, exclude those countries from your advertising. And be explicit in your targeting so that you don't risk accidental GDPR violations.
What type of Ads activity in the EU is affected by GDPR?
Let's start with the good news. Basic search advertising should remain unaffected by GDPR. Standard search advertising targets keywords, not users. Search ads display for users based on their anonymous search engine queries. So, in its purest form, Ads search advertising doesn't rely on any personal data.
Advanced Ads features and GDPR
GDPR impacts many advanced features like conversion tracking. Of course, I'm referring to some essential functions of Google Ads as being advanced. But if you've taken my PPC Course, you will know that conversion tracking is a minimum requirement for being successful with advertising. Many essential tracking and targeting strategies rely on these features.
Here are some of the features that collect and retain personal data.
Conversion tracking
Conversion tracking sets cookies in your visitor's browser. And your tracking connects your user's personal data to their keywords searches. That means even basic Google Ads conversion tracking has the potential to collect protected data.
Remarketing
When you use remarketing, you can show ads based on previous interactions visitors had with your website. So once again, this advertising technique may be using personal user data that is protected under GDPR.
Remarketing Lists for Search Ads (RLSA)
RLSA is typically one of the most effective Google Ads strategies. But the data used to generate your RLSA information may also be subject to GDPR compliance.
Customer Match and Store Shopping
These features require you to upload customer data into Google Ads. If you enter EU user data without permission, you are likely to violate GDPR.
We just identified some of the most necessary and efficient Google Ads features as being risky under GDPR.
So how do you use these features but avoid the risk? It comes down to a matter of consent.
GDPR requires consent for personal data collection
Consent means that your EU website visitors permit you to track their personal data.
User consent according to the advertiser platforms
Google has issued some documentation about getting user consent. But this information is not very clear.
Facebook's information about user consent is much more defined.
Their documentation also includes some examples of how to obtain user consent.
And If you've been following this blog, you've heard me talk about Cookie Consent.
Cookie consent for user data collection
Cookie consent refers to getting your users' permission to collect their data using cookies and tracking pixels.
One of the best tools I've found for obtaining and tacking user consent is Cookiebot. The Cookiebot consent notification tool is transparent, simple, and effective.
There are many other consent notification tools available. You can read our article on cookie consent for a more detailed explanation of how tracking notification works.
User consent for lead generation campaigns
You also need consent from your EU users for opt-in forms and email marketing. Thrive Themes published an excellent article on email address opt-ins and GDPR compliance.
If your campaigns are collecting email addresses, you need to let users know what happens after they are opted-in. One way to be more explicit about your data collection is to link to your privacy policy in your opt-in form. Linking to your privacy policy will help your users understand what happens to their data after they submit their email address.
Consent for Customer Match and data uploads
Before we get into the details here, I am going to offer this warning: tread lightly.
Customer match involves taking personal user information from your database and giving it to Google. Did your customers opt into this process? Probably not, unless you told them what you were doing.
Under GDPR you need to let your users know how you're going to use their data. And your EU users have to give you permission to use and transfer their data. Without consent from your EU users, data uploads to Google can put you at risk for a GDPR violation.
I've recorded a prior video about how Customer Match is a highly accurate remarketing tool. It's an incredibly cool feature that matches your customer data across multiple Google platforms.
So, you might want to continue using Customer Match. But make sure you understand the risks.
Here are some things you can do to limit your risk with Customer Match
- Exclude all you EU user addresses from your upload. You can do this by deleting your EU user data from your customer match file before you upload it to Google.
- Let your customers know, at the time of purchase or opt-in, that you're going to be using their data for matching in search campaigns. Be explicit with this notification in your terms of use agreement. And leave the box unchecked on this notice, so your users can opt-in as required by GDPR.
- Discuss Customer Match with your company/attorney to see if it's worth the risk. Do a risk-reward assessment to gauge the value of using the customer match feature.
Let your users opt-out of your tracking
Here's a final consideration when it comes to consent, tracking and remarketing. You need to let your users opt-out of tracking and advertising. Under GDPR you need to make it just as easy for users to delete themselves from your database, as it was to opt-in. I am going to do an upcoming tutorial on user deletion tools. But for now, be aware that if you retain user data from Google Ads, you'll need to have a plan to remove that data on request.
Here's a quick recap of how GDPR affects Google Ads:
- Standard keyword search advertising should not be affected by GDPR
- Geo-target your campaigns. Build separate campaigns targeting inside/outside EU/EEA/GDPR zone
- You need consent for remarketing, conversion tracking, and other personal data collection/usage in the GDPR zone.
- Do a risk/reward assessment for your more advanced targeting tactics.
It's time to start being careful with the collection of personal data and being judicious about how we use that data. GDPR forces us to gain consent for collecting and using the personal data of EU users with Google Ads campaigns. So be clear in your consent notification and privacy policy about how you use your website visitors' personal data.
Are you struggling to figure out GDPR compliance?
GDPR represents a significant shift in how we use many of the tracking strategies we've relied on for years. Leave a comment below If you're struggling to figure out how to use Google Ads under GDPR. I'll respond to as many questions as I possibly can.