In the past decade, digital marketing has evolved rapidly. Prospective customers could easily be reached using email newsletters. Personal data became a currency: businesses offer free services like email, entertainment, news, and search facilities, and in return, they collect data and sell advertising. Today various tracking mechanisms make it possible to predict what products and services a visitor on a website will be interested in. Advertisements can be personalized to the individual visitor this way, minimizing the irritation of advertising and maximizing the chances to conversion.
And then came the GDPR with its principle of transparency and fairness, with its ruling that anybody processing personal data needs a valid, legitimate purpose. Impacting about every kind of marketing activities and with a ‘bite’ in the sense of serious fines in case of non-compliance. The GDPR requires a new way of thinking.
Impact on email marketing
The main rule for email marketing is that you need consent before it is allowed to send any commercial message. That is not new, but the AVG is more strict in its ruling that consent must be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes’.
Most companies solve this by asking visitors on their website to subscribe to their newsletter. The idea is to publish some interesting texts on your website more or less related to the products and services you offer, and ask the visitor of the site to opt-in (i.e. give consent) to your email newsletter. A newsletter as an advertising medium, however, will only work in practice as long as you publish at regular times content the data subject is interested in.
Analytics check the performance of a website and the way visitors use it. It needs cookies, so both consent to store cookies and consent to process personal data like an IP address is needed. Often, websites use third party software, like Google Analytics (GA). In that case and depending on the agreement you have with Google you might need to inform the visitor that his data is being sent outside the EU and the related information required by GDPR articles 13 and 14. Some analytics software (including GA) can be set up so that it only uses a part of the IP address, anonymizing the data used.
Tracking and profiling
It is clear that tracking the behavior of internet users this way is in breach of the GDPR. It violates the principle of fairness and transparency, violates the requirement to have a legitimate processing purpose and informed and freely given consent, etc. In an article on tracking EDRi – the association of European civil and human rights organizations – quotes Eurobarometer: ‘71% of (respondents) say it is unacceptable for companies to share information about them without their permission, even if it helps companies provide new services they may like.’
Quite a number of websites still use a ‘cookie wall’ or ‘tracking wall’, i.e. you can’t access their website unless you accept cookies and other trackers. It is clear that this consent is not ‘freely given’, hence processing on the basis of it is illegal. The ePrivacy Regulation proposal (EPR) which is expected to become European law in 2019 will also require consent to store cookies to be ‘freely given specific, informed and unambiguous …’ and forbid the use of tracking walls.
Advertising and automated bidding
‘Targeted advertising’ is the most common way to personalize advertising. This system uses tracking apps, pixels or cookies. As soon as a user connects to an app or website, his/her personal data are sent to automatic bidding platforms which ultimately transfer them to advertising intermediaries wishing to buy ad space for their advertiser clients. Intermediaries rely on such data to adjust the value of their bidding request for the given ad space, depending on whether the user’s profile matches the targeted audience of advertisers. The advertiser can ask for a very ‘focused’ target audience, based on hundreds of attributes from your online profile, on the time and day of the week and your current location. The French supervisory authority CNIL has recently issued public formal notices to a number of advertising companies using targeted advertising for not having obtained valid consent.
New opportunities for Digital Marketing
As soon as the GDPR and EPR will really be enforced, advertising companies will surely find ways to show advertising within the rule of law. Websites showing articles we pay for with personal data will also need to find another revenue model. Privacy-friendly browser Brave already introduced a system to pay for website content using the cryptocurrency Etherium, making it possible to pay for articles you read online without spreading your personal data. Quite a number of free browsers and browser add-ons that can be set (or are preset) to block tracking and unsolicited advertising are already a fact.
This article has been written by guest author Leo Besemer.