WHAT IS GDPR?

The General Data Protection Regulation (GDPR) is a data protection regulation that came into effect on May 25, 2018. It consists of 99 articles governing the collection, combination, and use of personal data within the European Union and in the countries of the European Economic Area (Iceland, Liechtenstein, and Norway).

The predecessor of the Regulation was the Data Protection Directive 95/46/EC (1995). Unlike the directive, the new act has direct effect and is binding in all member states; only minor matters may be decided at the national level.

What are GDPR, personal data, and cookies?

According to the regulation, advertisers may use remarketing tags only with the user’s prior, clear consent, and consent to the use of cookies is required before conversion tags may be applied. This not only complicates the setup of personalized ads but also limits how well the effectiveness of websites and marketing campaigns can be measured. The regulation covers mass e-mail campaigns and telemarketing as well as personalized advertising on Google and social networks.

Cookies are small text files that websites place on a visitor’s computer. In other words, they are snippets of information that an online platform stores on the user’s device in order to keep data associated with that user.

Cookies can be temporary (for example, to count the number of visits) or permanent. The latter are kept on the computer by the browser from which the web resource was visited. There are 4 types of cookies:

  • Necessary files;
  • Performance-enhancing files;
  • Targeting files;
  • Functional files.

Website owners are required to inform visitors about the use of cookies. This notification may look like the following.

“We use cookies on our website to improve the user experience. Get more information in our Cookie Usage and Privacy Policy.

Click the ‘Show Details’ button to display specific categories of cookies with all individual cookies used on our site. This will allow you to activate or deactivate cookies for each category.”

Cookies do not contain Personal Data and can be blocked by the user. Nevertheless, GDPR limits their use, because the law regulates how companies monitor the behavior of data subjects. For example, tracking an EU resident online, which includes the use of cookies, is prohibited.

With the adoption of the law, the interpretation of the concept of personal data has been expanded.

“Personal data is any information relating to an individual, regardless of whether it pertains to his/her personal, professional, or social life. It can be anything, including: name, home address, photograph, email address, banking details, posts on social media sites, medical information, or the IP address of the computer.” — “General Data Protection Regulation”, Wikipedia

Automatically collected information, including geolocation, device type, visited websites, and even search queries, is considered personal data. This information forms the basis of personalized advertising, previously known as interest-based advertising. Only contextual information, such as a general location (city) or the content of the current website or application, now counts as non-personalized.

Under GDPR, data subjects gain new rights:

  • Access their data;
  • Request editing or deletion of their data;
  • In some cases, restrict access to information;
  • Prohibit the use of data for certain purposes;
  • Transfer data to another organization;
  • Object to automated data processing.

The current Regulation prohibits identifying users and using their data for advertising purposes without their consent. This can reduce the relevance of ads and, at the same time, lower advertisers’ return on investment. Although the regulation applies to the EU, understanding and even complying with GDPR requirements is necessary for many companies in Ukraine.

How to Implement GDPR in Online Business?

After training staff and updating the Privacy Policy, it is important to establish a consent mechanism. This can be achieved using the consent mode in Google Tag Manager and a specialized consent management platform, such as CookieBot.

CookieBot immediately scans the website against several indicators of compliance with EU personal data legislation, evaluating whether cookies and online tracking are used properly.

The service performs a free scan of the web resource and, after you subscribe, offers corrections for the errors it found.

Typical findings include a missing request for user consent to cookies and trackers, and automatic processing of personal data. The service also checks whether personal data is transmitted exclusively to “adequate” countries.

If you set up analytics and advertising in Google, the company partially takes care of supporting the EU law for you. In May 2018, several changes were introduced to help advertisers and publishers comply with GDPR provisions. In 2019, a restricted data processing feature related to the California Consumer Privacy Act (CCPA) was introduced (and expanded in January 2023).

Data processing is limited by default in Google Ads products and features such as email address lists, advanced conversion tracking for leads and website visitors, offline conversion imports, and in-store sales.

For other products and features, including the Google Media Network, you must enable restricted data processing manually. Google’s own use of the data is then limited as well: adding users to remarketing lists, similar audiences, source lists for remarketing, and so on becomes unavailable. With restricted data processing in mobile app campaigns, ads can still be shown to users who already have the app installed.

Note that even after restricted data processing is enabled, suitable ads that are tracked or placed by third-party services will continue to be displayed. To stop this, the publisher must disable their display. The advertiser must take the necessary steps and ensure compliance with EU legislation.

Google’s policy requires the identification of each party receiving personal data of end-users as a result of using Google products. Information about the use of personal data of end-users must be conspicuous and easily accessible.

“If you are using tags for advertising products such as Google Ads or Google Marketing Platform on your pages, you need to obtain consent from users in the EEA and the UK to comply with Google’s EU User Consent Policy. Our policy requires consent for the use of cookies used for measurement purposes, as well as consent for the use of personal data for personalized advertising — for example, if your pages have remarketing tags”. “Help with the EU user consent policy”, Google

Steps to Implement a Consent Mechanism

Proper implementation of a consent mechanism includes several “control” stages.

  • Explain to users how their personal data will be used, specifically inform them about ad personalization.
  • Ensure that the consent message is displayed to all users from the EEA countries.
  • Provide users the ability to confirm their consent by adding an appropriate button. Do not pre-check the consent box on behalf of the user; leave the corresponding field empty.
  • Determine which third parties, including Google, will have access to your site or app’s user data. Inform users about the way and purpose of the personal data usage by Google and other third parties.
  • List “Google Advertising Products” as a vendor if you are using an IAB-certified CMP.
  • Check the presence and correctness of the user consent mechanism for the use of cookies or other local storage. This applies even to non-personalized ads, as they also require cookies.
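The stages above, as an added example that is not code from the article, Google, or CookieBot: a minimal consent gate built around the `gtag('consent', …)` command shape of Google’s consent mode, where every storage type starts denied for EEA/UK visitors, the banner has nothing pre-ticked, and a tag may fire only once the user has granted what it needs. The mapping of tag categories to consent types and the 500 ms wait are assumptions for illustration.

```javascript
// Added example, not from the article, Google or CookieBot: a minimal consent gate
// built around the gtag('consent', ...) command shape of Google Consent Mode.
// No DOM access, so it runs under Node as well as in a browser.
const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// ISO 3166-1 alpha-2 codes of the EEA states plus the UK; the default denial applies only here.
const EEA_UK_REGIONS = ['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'IS', 'LI', 'NO', 'GB'];

// Stand-in for the dataLayer queue that the gtag.js snippet normally creates.
const dataLayer = [];
function gtag(...args) { dataLayer.push(args); }

// Step 1: run BEFORE any advertising or analytics tag. Everything starts denied for EEA/UK
// visitors, and tags wait up to 500 ms (assumed value) for the banner's update.
function setDefaultConsent() {
  const denied = Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'denied']));
  gtag('consent', 'default', { ...denied, region: EEA_UK_REGIONS, wait_for_update: 500 });
  return denied;
}

// Step 2: the consent message must be shown to every visitor from a covered region.
function needsBanner(countryCode) {
  return EEA_UK_REGIONS.includes(countryCode.toUpperCase());
}

// Step 3: the banner's checkboxes start empty; consent is never pre-ticked on the user's behalf.
function initialBannerState() {
  return Object.fromEntries(CONSENT_TYPES.map((t) => [t, false]));
}

// Step 4: only boxes the user actually ticked become 'granted'; anything missing stays 'denied'.
function applyUserChoice(boxes) {
  const update = Object.fromEntries(CONSENT_TYPES.map((t) => [t, boxes[t] === true ? 'granted' : 'denied']));
  gtag('consent', 'update', update);
  return update;
}

// Step 5: consent each tag category needs (assumed mapping following the article's rules:
// conversion tags need cookie consent, remarketing additionally needs personalization consent).
const TAG_REQUIREMENTS = {
  analytics: ['analytics_storage'],
  conversion: ['ad_storage', 'ad_user_data'],
  remarketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

function tagAllowed(tagCategory, consent) {
  const required = TAG_REQUIREMENTS[tagCategory];
  if (!required) throw new Error(`unknown tag category: ${tagCategory}`);
  return required.every((t) => consent[t] === 'granted');
}
```

In a real deployment the `dataLayer` stand-in is replaced by the queue gtag.js creates, and `applyUserChoice` is wired to the banner’s confirm button.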

“If you are not showing personalized ads to users visiting your site, and visits to your site do not affect the ads shown elsewhere, you still need to obtain consent for the use of cookies or mobile identifiers, if required by law. Consent for the use of cookies or mobile identifiers is still necessary, as non-personalized ads still use cookies or mobile identifiers to combat fraud and abuse, limit ad frequency, and for aggregated ad reporting.” — “How we help advertisers in Google Ads comply with individual US state privacy laws”, Google Ads Help

In addition to advertising announcements and analytics features, references to the privacy policy are included in other Google products: “Google Maps Platform Terms of Service”, “YouTube API Services Terms of Service”, “reCAPTCHA Terms of Use”, Blogger.

Mobile apps typically do not use cookies. For Ad Manager and AdMob placements, you can choose monetization with a limited number of ads. In this case, the advertising identifiers are supplied by the Android and iOS operating systems, so the user notice should describe the identifier on the device rather than cookies.

When using Google AdSense or Google Ad Manager, integrate your chosen consent solution with the advertising tags on your pages so that user preferences are actually honored. Each provider offers its own instructions or support for this. Otherwise, users may believe they have disabled advertising cookies while the cookies are still being set. We recommend carefully testing any new tool on your site from a GDPR compliance perspective. Consent from EEA users is unnecessary only if Google services are removed from the site for visitors from these countries.

7 Principles of GDPR

The data processing requirements introduced by GDPR rest on 7 privacy principles. Hardly anyone can fully grasp the long and complex text of the law at the first attempt, but understanding the 7 GDPR principles will certainly make implementing the Regulation’s rules easier.

  1. Lawfulness, Fairness, and Transparency

GDPR provides several legal bases for processing personal data; the most common is obtaining the user’s consent. This is what lawfulness means. Fairness means that data processing aligns with the best interests of the individual.

Transparency means that users are clearly informed that their data is collected, how it is processed, and for what purposes. You can ensure transparency, for example, by posting a clear privacy policy on your website and giving your subscribers an easy way to contact the data protection officer.

  2. Purpose Limitation

Collected data may be used only for the purposes agreed with the user (e.g., receiving promotional offers). Storing data “just in case”, using it to advertise other products, or applying it to any new purpose is prohibited.

  3. Data Minimization

Only the data that is actually necessary may be collected and processed. For example, an email newsletter requires subscribers’ email addresses, but data on their job positions and ages is most likely unnecessary.

  4. Accuracy

Regularly check whether you have subscribers with invalid email addresses. Similarly, with social media followers — ensure you are communicating with real people. If a user has provided a corporate email, verify whether they still work at the same company or if their email has changed.

  5. Storage Limitation

Data from users who have unsubscribed from the newsletter or have opted out of advertising in another way should not be stored on a device or in cloud storage.

  6. Confidentiality and Integrity

Integrity means ensuring that personal data is correct and cannot be falsified by others; systems must be protected from attackers. Confidentiality means that personal data is processed only by authorized persons. For newsletters, this principle means that only the specialists who need subscriber data to perform the mailing should have access to it. The same applies to publishing photos and videos online securely.

  7. Accountability

This means not only complying with all GDPR requirements but also being able to document the company’s compliance. A dedicated system for recording user consent will be required.

These 7 principles are relevant for email newsletters, Instagram contests, advertising displays, and other marketing tools and individual events targeted at consumers in the European Union.

Fines for Non-Compliance with GDPR

As mentioned earlier, GDPR violators can be fined up to 20 million euros or up to 4% of global annual turnover for the previous financial year, whichever is higher. Over the last five years, several massive fines have been imposed on international companies for GDPR violations.

In 2021, Amazon Europe was forced to pay a fine of 746 million euros. The violation involved non-compliance with the general principles of data processing. The National Commission for Data Protection of Luxembourg (CNPD) fined Amazon Europe for using customer data for targeted advertising.

In 2023, the Irish Data Protection Commission (DPC) fined TikTok 345 million euros for violating several GDPR rules, in particular for making minors’ accounts public by default. The principle of transparency was violated because users did not receive clear information about the public visibility of their data. In addition, any adult could “pair” with a child through TikTok’s “family pairing” feature.

One of the most prominent cases was a 50 million euro fine imposed on Google. In 2019, the French data protection authority (CNIL) accused the company of “lack of transparency, inadequate information, and lack of valid consent regarding ad personalization.” Information about ad personalization was placed in several different documents, which hindered users from obtaining accurate and transparent information. The choice to receive personalized advertising was “pre-ticked” upon opening a new account, which also contravenes GDPR.

Frequently Asked Questions

What is GDPR?

GDPR (General Data Protection Regulation) is a regulation on personal data protection in the European Union and the countries of the European Economic Area.

What is considered personal data under GDPR?

According to GDPR, personal data is any information relating to an identified or identifiable natural person, that is, a person who can be identified directly or indirectly.

What are personal data?

Personal data is any information about a person that allows them to be identified, including previous search queries, their activity, visits to websites or apps, demographic data, location, etc.

How long are personal data stored?

Personal data may be stored for a period defined by the company. Cookies can be temporary (for example, to count the number of visits) or permanent.

What does not constitute personal data?

Data without identifiers, i.e., data that cannot be used to identify a person, is not considered personal data. This is anonymous, de-identified data, and targeting based on it does not rely on a profile or on the user’s past behavior.

What is the processing of personal data?

The processing of personal data covers the collection, recording, accumulation, storage, adaptation, alteration, updating, use, and any dissemination, as well as the destruction, of information that identifies a person.

Legal and Regulatory Documentation Regarding GDPR

To learn more about GDPR and its impact on online advertising, refer to the articles listed below.

To access regulatory documentation on obtaining consent for the use of cookies in advertising, follow the links below.

Conclusions

Complying with GDPR is crucial not only for European entrepreneurs. SaaS companies, advertising agencies, e-commerce sites, marketplaces, financial institutions, and HoReCa businesses that plan to enter, or already serve, the Western market with clients in the EU and the European Economic Area should be well acquainted with the requirements of the regulation.

Special attention should be paid to the creation of a consent mechanism, which allows the user to permit the use of their information for specific purposes. To implement such a mechanism, use specialized consent management platforms like CookieBot. Proper configuration of Google Analytics and advertising in Google Ads is also necessary.

Oksana Korsun
Editor in Marketing Link