Skip to main content

The impact of the GDPR on digital advertising

Everybody heard from it already: the GDPR privacy statement. As an agency we would like to inform our clients and non clients about this new way of working since it has consequences for all digital marketing channels, including SEA. All our clients and new clients as well need to understand the consequences for AdWords and Bing ads the way our campaigns will continue to perform well after May 25, 2018.

For many digital marketing channels, target audience characteristics, such as demographic data, interest categories and in-market audiences are the primary means of targeting. But within SEA it is, in addition to keywords, an additional way of targeting. Nevertheless, Google has offered more and more opportunities to supplement the campaign strategy with these types of targeting methods. For that reason, there are many situations for SEA where you have to take GDPR into account.

Being an performance marketing agency we would like to explain about the impact of GDPR for us being an advertiser in the following situations:

  • Remarketing Lists for Search Ads (RLSA)
  • Similar Audiences
  • Conversion measurements in, for example, Google AdWords
  • Google Customer Match
  • The link between Google AdWords and Google Analytics
  • Targeting target audience attributes collected by Google

We will explain more about the above situations and provide you guidance how to handle these situations.

Remarketing Lists For Search Ads (RLSA)

Almost every AdWords or Bing Ads campaign currently uses RLSA (here you can read what RLSA is). You use RSLA in some cases to set a different bid for specific audiences, to show a different text or to exclude a specific group of people who have previously visited your website from your campaigns. These refinements of the campaigns often produce excellent results. It is therefore important that you can continue to use this data within AdWords or Bing Ads. Since you still would like to use these options in your campaign you need to follow these requirements:

  • Unmistakable permission must be given for the use of remarketing cookies. This can be done through a cookie bar in which you clearly state which cookies are placed and for which you use them. The user has only given permission if he has made a conscious action to accept the cookies. For example by clicking on ‘ok’ or ‘agree’.
  • In addition, you must explain in your privacy statement that you place remarketing cookies and for what purposes you use them.

Similar Audiences

Based on existing remarketing lists, Google searches for people with similar behaviour and corresponding personal characteristics and creates a separate remarketing list. So, these are people who have not been to you on the website yet and to whom you cannot request permission. However, you do offer the existing remarketing lists to Google (a third party) to create similar target groups based on those data. Again, you need to follow certain requirements to follow these needs:

  • In your privacy statement you must state that you collect this data to build interest profiles that you use for advertising purposes
  • The website visitor must have given explicit permission for the use of cookies on the website.
  • In the privacy statement you must also state that you share this information with third parties, such as Google.
  • Lastly, Google needs permission from its users to apply this data. This is therefore not the responsibility of the advertiser.

Conversion Measurements

Since we create performance based digital marketing campaigns it is important to understand the results of our campaign. This is possible since we use conversion measurements. For SEA this is done via the AdWords conversion code (either the UET tag in the case of Bing) or via an import from Google Analytics. With the AdWords or Bing tracking code, you place a cookie on the thank you page, so it automatically falls under GDPR. The moment you use Google Analytics to measure conversions, you use analytical cookies. Also, in this case you must meet the following requirements:

  • The website visitor must give explicit permission to place the AdWords conversion code cookie. In the case of import from Google Analytics, it is necessary to request explicit permission for the placement of analytical cookies.
  • The privacy statement must state that you use these cookies to improve digital marketing campaigns.

Google Customer Match

Google Customer Match makes it possible to upload collected e-mail addresses in the AdWords interface to match these e-mail addresses to Google users. This way you have the possibility to, for example, set more specific bids for this group of people. To continue using Google Customer Match, you must meet the following requirements:

  • The owner of the e-mail address must have given explicit permission for the use of his data. If you want to use the e-mail address for these purposes, you should not only include this in the privacy statement of your website. You also need to include it in the agreements you enter with customers, where you will use e-mail addresses of customers.
  • In the privacy statement you must state that you use e-mail addresses to personalize and improve your digital marketing campaigns.
  • Finally, it is advisable to always have Hashed (encrypted email addresses learn more: here) e-mail addresses before you share them with a third party. In this way you ensure that this data is seen as pseudo-anonymous data. Then you are totally safe with the above requirements.

Google Analytics Link

It is quite normal to link your Analytics account to AdWords to gain additional insights into the website after consumers clicked an ad. In this case, you need to meet the requirements for placing analytical cookies.

To meet these requirements, you need to take these requirements into account:

Connect a processor agreement with Google

You can find this under the account in the Google Analytics management environment.

Make IP addresses anonymous

You can do this by adding an additional piece of code in your Google Analytics tracking code. More information can be found on the page anonymizing IP addresses in Analytics. Another – and much easier – way to do this is through Google Tag Manager. In the ‘Google Analytics Variable’ under ‘More settings’ you can set anonymizeIp to ‘true‘. Fields to be filled in

Use SSL for Google Analytics cookies

Use SSL for the Google Analytics cookies so that the data is sent encrypted.

Do not collect data for advertising features

On the Property level of your Analytics account, under “Tracking info – Data collection”, expand “Collect data for ad functions.” You must do this at both ‘Remarketing’ and ‘Advertising reporting functions’.

Do not share data with Google

Under “Account”, uncheck the boxes for sharing data with Google. If you leave these ticks, you agree that Google will use the data of your visitors for their own purposes, for example to improve their own products and services. This makes Google a responsible person in addition to a processor. You must then request permission from your visitors on behalf of Google for the processing of personal data with Analytics cookies.

Inform visitors that you are using Google Analytics

The privacy statement must mention that

  • The data is encrypted and processed anonymously.
  • You have signed a processor agreement with Google.
  • Your ‘data sharing’ with Google has been turned off.
  • The Google Analytics cookies are not used in conjunction with other Google services, such as DoubleClick and AdWords.
  • Which Google Analytics cookies are placed, for what purpose and when they are deleted.

Targeting target characteristics via third parties

Audience characteristics offer opportunities to personalize the ads within Google AdWords. This way you can focus your campaigns on specific characteristics such as age, gender and parental status. All these features are collected by Google and made available within Google AdWords. In this case, it is Google’s responsibility to obtain permission to collect and make the user profiles available to advertisers. For the use of this data you do not need permission, because Google has this permission from its users.

To conclude

As a performance marketing agency, we are ready to help you with the challenges you face for doing your advertisement right. It is important that the data is protected and that you as a brand need to understand what data you can use within your campaigns. To meet the requirements, you can apply the above measurements to be sure you meet the requirements of the GDPR. If you need any additional information or do you need help with your SEA campaigns, we are always happy to help you further. Notice that you always must involve your legal specialist to check if the above are the right steps for your brand to take.


Mathias Aaftink

Author Mathias Aaftink

Geïntrigeerd door klantgedrag, performance marketing en klantervaring en de manier waarop organisaties daarop inspelen. Met mijn ervaring voel ik me thuis in de wereld van (digitale) marketing en branding. Ik ga nieuwe uitdagingen met veel plezier aan en voel meteen een groot verantwoordelijkheidsgevoel om er een succes van te maken. Projecten waarbij ik mijn ondernemende vaardigheden en mindset kan inzetten geven mij veel energie en dit is waar ik voor u van toegevoegde waarde kan zijn.

More posts by Mathias Aaftink

Leave a Reply

Open chat
👋Do you want to grow together online and achieve great results? 📈 Send us a message on WhatsApp and receive more information!