Advertising on search engines and GDPR
In these last months we all had to deal with the entry into force of the GDPR, the new European regulation on the processing of personal data.
Have we ever asked ourselves how does the GDPR really affect the collection of the data through Ads Google campaigns?
We will examine how the GDPR affects Google Advertising and which Google Ads functionalities might cause problems related to the GDPR.
What is GDPR and why does it affect advertising?
If you have lived in a cave in these last months and you have missed the GDPR, here you find a brief recap of what it is:
The GDPR is the new regulation on the processing of personal data of the European Union. Starting from May 25th, 2018 and with the application of the L.D. 101/2018, it has replaced the previous Privacy Code, mostly known as 196/03.
This law was issued to protect personal data of EU citizens, who are today increasingly at risk due to the process of digitalization of information which we have been living in these last years.
The GDPR rules also the way in which data of EU citizens can be collected when launching web marketing campaigns, especially those which include ads on both social media and search engines.
It is no longer possible to collect personal data from EU citizens without their consent despite all website operators have used this well established practice over the past years. In fact, our data are still collected every time we visit a website.
The Cookie Law in 2015 and the following GDPR in 2016 introduced the obligation to provide users with information on how and by whom their data are treated.
Does GDPR affect Advertising campaigns on Search Engines?
Yes, it does. If advertising ads reach EU citizens, the methods for the collection of data shall comply with the GDPR.
Let’s analyze the advertising process to understand when data are collected.
The basic search advertising should not be affected by the GDPR since Google provides us with no information on the identity of a user clicking on an advertising enabled by a specific key word.
However it is possible, for example, to get users’ personal information through the filling in of a form or the purchase of a product; sometimes information concern specific data that were once known as sensitive data. Let’s see an example:
Ad on baldness > The user clicks on the ad and lands on a page where there is a form he/she has to fill in to request information; by doing this, his/her data are processed for a later re-marketing that will allow to show him/her other targeted ads in the future.
In this way, the campaign or website manager acquires sensitive data and uses them to create different users’ profiles featured in specific categories regarding specific information which are considered to be of great importance by the law: medical information.
Therefore, when we enable campaigns it is mandatory, at the site opening, to display a banner explaining what data will be acquired by Google (in real time and saved using cookies) and the ones acquired through the filling in of the form on the website, through the purchase of a product or through cookies.
Google helps us since most of the major companies dealing with advertising and with headquarters in the US adhere to the Privacy Shield, a trade agreement ensuring that the company will treat the data of the EU citizens according to the regulations defined in the GDPR, but since we acquire users’ data it is our duty to properly inform users of whom will be the responsible of the data treatment we acquired, how they will be processed and what are the rights of the individuals concerned.
We remind you that the failure to comply with the regulations on personal data processing might result in a fine of 4% of the company’s turnover, luckily just up to EUR 20 million.