If you’re based—or advertise to prospects—in Europe, there’s a pretty decent chance you’re familiar with the General Data Protection Regulation (GDPR).

It’s a package of new legislative rules being introduced by the European Union to make it easier for residents of EU countries to protect their personal data online. The regulation was officially approved on April 27, 2016, and will formally go into effect across the entirety of the EU by May 25, 2018.

And it’s being heralded as “the most important change in data privacy regulation in 20 years.”

We’ve talked about how this suite of historically restrictive (at least from the advertisers’ perspective) laws will impact your Facebook Advertising efforts.

Today, we tackle Google Ads (formerly known as Google AdWords).

The Gist

Search, plain old intent-based search, requires no personally identifying information. Today, at least, a search query doesn’t constitute “personal,” regardless of its contents.

google adwords gdpr impact

Provided you aren’t using any kind of remarketing or conversion tracking, you won’t need to do anything at all. Google is the controller (the handler of personal data) and there is no processor (an entity that process data on behalf of a controller); you’re just along for the ride.

This approach is great for, say, Coca-Cola’s next branding campaign in which impressions are the only metric that matter; for small businesses, not so much.

gdpr impact on large advertisers like coca cola versus smbs

When you want to learn something—or create audiences—based on the tangible business value created by all those clicks you’re paying for, things get messier.

Cookies, Remarketing, and RLSA

Do you use Google Analytics, Tag Manager, or the Google Ads Remarketing code on your site to build valuable, bottom-of-the-funnel audiences?

(Gosh, I hope the answer’s yes…)

google tracking suite impacted by the gdpr

If so, you must obtain consent.

Per Google, “Advertisers using AdWords will be required to obtain consent for the use of cookies where legally required, and for the collection, sharing, and use of personal data for personalized ads for users in the EEA. This includes use of remarketing tags and conversion tags. Where legally required, advertisers must also clearly identify each party that may collect, receive, or use end users’ personal data.”

In plain English, this means that if you’re using a Google product to track the on-site action of prospects in order to serve personalized ads down the line, you must acquire their consent to do so.

Exceptions: Customer Match and Store Sales

There are two instances—Customer Match and uploaded Store Sales data—in which Google acts as both a controller and a processor of personal data, meaning that they simultaneously determine the purposes of data while processing data you control.

The exact language they use is as follows (note that you are “the customer”):

“When we handle end user personal data, the customer and Google will each act as independent controllers under the GDPR, except for the Customer Match and Store sales (direct upload) features, where Google will act as the customer’s processor for customer-provided personal data.”

As such, in these situations you are responsible for ensuring that the data Google is processing complies with the GDPR.

Customer Match is a tool that allows you to upload a CSV file loaded with customer data to target specific groups within Google Ads.

adwords custom audiences gdpr

Since you’re relying on data that’s by no means pseudonymous to create your Customer Match audience (email, phone, name, and zip code are all pretty identifying), you’ll need to be able to prove that you acquired explicit, opt-in consent from each member of your database; doing so simply isn’t Google’s problem.

Store Sales refers to the ability to the ability to import offline transaction data into Google Ads, at which time Google matches transactions data with Google Ads user information to create powerful audience for optimization, upselling and cross-selling.

adwords store sales gdpr impact

In addition to the same personally identifying information implicated in Custom Audiences, when it comes to Store Sales there’s also a chance that financial data could be appended and, thus, there is a clear need for informed consent under the GDPR.

Now, the majority of advertisers aren’t using either of these valuable tools, but the ones that are will need to be able to prove to prospective auditors that the information uploaded for Google to process on their behalf is kosher.

What’s Next?

The GDPR promises to be one of the most far-reaching and ambitious consumer protection programs ever devised.

Although the implementation of the GDPR is likely to cause some businesses more difficulty than others (such as enterprise firms that offer “big data” products), it’s important to remember that this legislation is being introduced to protect users’ rights in a time at which almost every conceivable aspect of our lives is stored online – and is highly vulnerable to exposure and exploitation.

The regulations officially go into effect on May 25th. If you haven’t started preparing your Google Ads account (and landing pages) for the impending changes, you should probably get going.

The Ultimate Guide to the GDPR for Advertisers

If you want even more tips on…

  • What the GDPR is
  • How Google Ads will be impacted by the GDPR
  • How Facebook will be impacted by the GDPR
  • How to acquire consent from paid traffic

Join 713K other marketers that receive our weekly newsletter!

Loading...
Meet The Author

Allen Finn

Allen Finn is the co-founder of Toasted Collective, a cannabis-focused digital agency. Many moons ago, he worked at WordStream, where he reigned as fantasy football champion for some time.

Comments


Please read our Comment Policy before commenting.


Unlock your business potential

We offer innovative technology and unparalleled expertise to move your business forward.