Source: freepik.com
The recent introduction of the General Data Protection Regulation (GDPR) has ushered a new era of data security and privacy. Many people hail it as an ultimate triumph over the dark forces, but is such a notion premature? Well, rules are indeed harmonizing, businesses are revising their models, and search marketers targeting customers and prospects in the EU feel like they have a new mountain to climb.
They are weighing risks of non-compliance while the revenue is slipping through the fingers, audiences declining, and space for maneuver narrowing. In the meantime, internet users are bombarded with opt-in prompts and see their inboxes overflowing with similar notifications. Amidst this commotion, we need to realistically assess how the booming channel of PPC is affected.
Spirit of the law
The new regulation is broadly written and directional in nature. It is also still in its infancy and many businesses have not yet managed to overcome the new learning curve. All of this makes it hard to gauge the impact on the PPC advertising. Nevertheless, there are new hard rules to follow and interesting telltale signs of change to acknowledge. Essentially, the law proclaims that control over private information is to be given back to the subjects.
For PPC advertisers, the most important novelty is that acquiring freely-given consent is now the prerequisite to tracking and manipulating any kind of personal data. In other words, users must voluntarily agree to the way data is stored and used. Speaking of which, the definition of personal data is extensive and encompasses cookies, IP addresses, email contacts, payment information, conversion tracking, device IDs, etc.
When it comes to the good ole intent-based search, it remains unhinged. Simply put, a search query does not constitute personal data. So, if you are not doing any conversion or remarketing tracking, you do not have to change your marketing ways. In this case, Google is the sole controller and handler of data. On the other hand, if you like most PPC advertisers want to actually learn about consumers, you are in for a different kind of ride.
Gaining consent
So, let us assume you mean to build an audience at the bottom of the funnel and add value to your business, propelled by all those clicks you are paying for. You are probably using tools like Tag Manager, Google Analytics, and AdWords remarketing code. That is all fine, but you have to obtain consent for it. Cookies are the most obvious example, but this rule applies to conversion and remarketing tags, as well as similar processes of sharing, collecting, and using personal data.
There is no more unchecked spoofing. Pre-checked boxes and passive “you accept cookies” do not cut it. You cannot sneak implied consent in Terms of Service either. What is more, consumers have the right to “be forgotten” (submit a request to remove data) and exert “data portability”. They have to be able to opt in and out of data collection as well as ads personalization. This latter aspect involves ad personalization settings, web and app activity settings, and location history.
Finally, data holders will also have to establish safe and secure administrative records. The main takeaway from this segment of GDPR is that any data breach must be reported within 72 hours, both to affected consumers and the authorities. Failure to do so is linked to big financial penalties and fines— 20 million Euros or 4% of global turnover, whichever is higher. And if the data is handled by third parties (agencies), then you have some more explaining to do.
Brave new advertising landscape
Among other things, GDPR has demonstrated that nobody is untouchable. Within hours of GDPR entering force, Facebook and Google faced lawsuits and this did not go unnoticed. Digital giants like Microsoft and Bing are applying opt-ins on a global scale instead of going for lackluster traffic segmentation.
Furthermore, many websites have endured traffic dips. In some cases, only 20-40% of visitors opted into tracking, which is a considerable shrink of their display and remarketing audiences. As a result, the number of clicks, conversions, and revenue is decreasing. Another challenge comes in the form of ad costs, which are likely to go up, especially in display and social. Namely, the cookie pool is going to shrink and higher demand for engagement will increase auction prices.
Therefore, GDPR will inhibit the ability of PPC advertisers to personalize ads and target with laser-like precision. They will have to implement processes for erasing data upon user requests (and to do so in a timely manner). But, we should realize at the same time that GDPR is not just a hurdle. It is a push industry needed to put an end to the long-present scourge— irrelevant ads galore and poor tracking.
To make a smooth transition, many businesses will partner up with trustworthy digital agencies that are already adapting to new reality. They are anticipating the overarching effect and mitigating the risks of violating GDPR. Alas, not everyone is dancing to the same tunes. While some are seeking professional and legal advice in order to step up, others are carefully trying to poke around and test boundaries.
Well, rest assured GDPR knows no boundaries. It is clear that ripples of this seismic shift will be felt across industries and even far outside the EU. In the wake of spectacular data breaches and public relation disasters such as Cambridge Analytica case, we might see North America going down the similar path. There is certainly an increasing pressure on lawmakers to tighten privacy regulation and bring business in line with it.
Shape up or ship out
The game has changed as the new transparent and more tightly regulated ecosystem emerges. GDPR, the far-reaching package of new legislative rules and consumer protection programs, is supposed to address the rising concerns about data privacy and safety. It affects all instances of using Google product to track on-site actions of EU residents and Falling foul of it could bring dire consequences.
All in all, there is hardly a viable option other than living up to the letter of the law. So, perform your due diligence. Solicit explicit consent from data subjects and put strong data security processes in place. Anticipate how your audience in AdWords will change and figure out new tactics for serving personalized ads.
This is no small task, which calls for strategic rethinking and reallocation of resources. Still, despite obvious friction, in the long-term, the industry as a whole stands to benefit, albeit not all boats will be lifted by the rising tide.