What Your Company Needs to Comply with GDPR and CCPA Privacy Regulations

Sarah Miller

When marketing your product, brand or company online, large ad campaigns can get you amazing results. Before your marketing team releases the latest batch of Google ads, however, there is more to consider. Here we’ll discuss privacy concerns surrounding ads, and how the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are being applied so that consumers feel secure without compromising your campaign.

Complying with these regulations will not only give your company peace of mind, but will also help you gain consumer confidence and land some stellar results.

General Data Protection Regulation (GDPR) for the European Union

On April 14th, 2016, the European Union passed GDPR in an effort to give users more protection over their personal data. Businesses and advertisers can benefit from this, as GDPR helps level the playing field. GDPR’s main purpose is to distinguish personal and public data. For instance, a person may be using their personal address book to invite people to a meeting versus going on a public website for successful meeting tips.

GDPR applies primarily in the EU, so it is relevant if you advertise overseas to reach European markets.

For your ads to comply with GDPR, here are a few things for you to evaluate:

  1. Controller and Data Processing Terms

Since August of 2017, Google has been complying with GDPR and has been updating its services regularly to reflect this change. This means that the programs you’re using to promote your ads (e.g., AdSense, Google Ads Manager and the rest of the list), along with data processing programs like Google Analytics, have all changed to comply with EU regulations. In other words, your access to users’ cookie identifiers and internet protocol (IP) addresses will change significantly.

  2. Changes in Consent

GDPR states that advertisers who use remarketing tags that add visitors to their marketing lists are now required to get consent from users. Google Help provides consent language that marketers can use for users to accept their cookies.

  3. Use of Ad Technology Providers

Google has launched Ad Technology Provider Controls for publishers. This service provides controls for publishers to adjust what data can be received by third-party advertisers. This means a Google ad campaign will only serve as an ad impression in the European Economic Area (EEA) unless otherwise noted. There is a list of Ad Technology Providers that are in compliance with GDPR.

  4. Types of Data Collection

Google will no longer be storing data in the same way in the EU. When building Customer Match audiences, Google will collect data for as long as it takes to comply with its policies and then immediately delete the data stored. Google Ads and Floodlight tags for remarketing will not be active for users who did not consent to personalized ads.

  5. Using Google Analytics to Comply with Regulations

Google Analytics has features that help ensure you’re complying with GDPR. For instance, the Data Retention controls can be adjusted to make sure you’re not using a user’s data for longer than they consented to. You can also disable advertising features for consumers who do not want to receive personalized ads.

  6. Moving Ahead with GDPR

Google has yet to integrate fully with all the regulations GDPR calls for. It is currently exploring how the IAB Transparency and Consent Framework can be incorporated into Google’s tools.

California Consumer Privacy Act (CCPA)

Something closer to home for many US advertisers is the large state of California. In 2018, California passed its own privacy act, the California Consumer Privacy Act, which mimics many of the GDPR’s regulations. However, being GDPR compliant does not necessarily mean you’re CCPA compliant. There are many differences between these two laws.

CCPA’s main purpose is to change how businesses collect and store the data of California residents. The law goes into effect on January 1st, 2020.

Here is what you need to know about whether your company needs to comply with CCPA:

  1. Your annual gross revenue is at least $25 million
  2. 50% or more of your annual revenue is made from sales directly tied to personal information of CA residents
  3. You have collected personal information of at least 50,000 CA residents per year

If these do apply to you, consider the following changes:

  1. Reviewing what, why and how you collect and process personal information from users
  2. Changing how you interact with consumers so that you are transparent about requesting their personal information
  3. Giving users the option of opting out of the sale of their data
  4. Obtaining prior consent from minors 13-16 years old, or from their parent or legal guardian if younger
  5. Changing the methods of accessing or deleting personal data throughout your database

As these privacy laws take effect, the way we use and store users’ personal information is more important than ever. Consider taking a second look at your business practices to ensure you’re not only in accordance with these laws but are also taking users’ privacy into consideration.

If you’d like to learn more about how GDPR and CCPA regulations might affect you, send us a note. We’d love to help.