The GDPR and Your Digital Marketing

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 July 2022.

Digital Marketing is all about harnessing the power of data, which is why it's one of the industries most affected by the General Data Protection Regulation (GDPR). Under the GDPR, businesses can no longer rely on implied consent and can no longer take a customer providing personal information as blanket approval to use it however is seen fit.

We'll break down how the GDPR affects digital marketers and what you need to do to comply.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

    FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

    FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

    FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

    FreePrivacyPolicy: Privacy Policy Generator - Answer the questions from our wizard - Step 3

  6. Almost done. Enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.



Are You Affected by the GDPR?

The GDPR primarily covers the processing of personal data in the European Union. Let's break that down.

Processing

The term "processing" has a broad definition under the GDPR. In simple terms, it's anything you do with data. This doesn't just include using it, but also disclosing it, selling it, copying it and perhaps most importantly, collecting it in the first place.

Personal Data

The precise wording of the GDPR sometimes causes confusion because it refers to an "identified or identifiable" natural person. This doesn't mean that each piece of data has to identify the person on its own. Personal data is any information that relates to a specific individual who can be identified, directly or indirectly, from that information or from it combined with other information you hold.

For example:

  • The fact that John Smith is a member of the Anytown Bowling Club is personal data because it relates to John Smith.
  • The fact that John Smith has type O blood is personal data because it relates to John Smith.
  • The fact that 42% of members of the Anytown Bowling Club have type O blood is not personal data because it relates to the membership as a whole.
  • If 100% of members of the Anytown Bowling Club have type O blood, this fact becomes personal data when combined with the membership list, because it then reveals the blood type of each named member.

The GDPR specifically covers "natural persons" meaning human beings. This means it doesn't cover information that's solely about a company or other business, even though companies may be classed as individuals for some legal purposes.

The European Union

The GDPR's territorial scope applies if the organization processing the data is established in a European Union country, regardless of where the processing itself takes place. It also applies to an organization outside the EU if it offers goods or services to people who are in the EU (the data subjects) or monitors their behaviour there. For a digital marketer, that means it applies if either you or the people you are marketing to are in the EU.

Although the United Kingdom has left the European Union, the GDPR continued to have direct effect in the UK until the end of the transition period on 31 December 2020. Since then the same measures have been carried into domestic UK law (the "UK GDPR", alongside the Data Protection Act 2018) and remain in force unless and until that law is changed or repealed.

Penalties for Non-Compliance

Breaching the GDPR carries a maximum penalty of €20 million or four percent of your annual global turnover, whichever is higher. For less serious infringements the maximum penalty is €10 million or two percent of annual global turnover.

While these maximum penalties will be rare, dozens of organizations have already had fines of more than €100,000.

GDPR Overview: Principles and Rights

While the GDPR is an extensive regulation with many components, it's primarily based around upholding its privacy principles and user rights. Everything you do to comply with the GDPR will be based around these principles and rights. You need to bear them all in mind, but some are specifically relevant to digital marketing so we'll go into these in more detail.

GDPR Privacy Principles

Lawfulness, Fairness and Transparency

This is arguably the key principle to the GDPR. You need to make certain that you collect, use and share data in a way that's not only legal, but also fair and transparent. In other words, the best approach is to follow the spirit of the law rather than rely on a narrow interpretation of its precise wording.

Every time you collect or otherwise process personal data, you must have a specific lawful basis for doing so. The GDPR lists six: consent, performance of a contract, a legal obligation, protecting someone's vital interests, a public task, and legitimate interests. Several of these cover circumstances where you have to process the data, for example to serve a legal requirement or as part of fulfilling a contract.

For marketers the two bases that matter most are consent and legitimate interests. Consent is likely to be the most common, so we'll cover it in more detail later in this guide.

Many digital marketers have assumed the basis of "legitimate interest" applies to them. This isn't necessarily the case.

The GDPR says this basis only applies if the processing is necessary for your legitimate interests and those interests are not overridden by the data subject's own interests, rights and freedoms. In other words, the benefit of the marketing to you has to be balanced against its effect on the recipient's privacy.

This can be a judgment call, with a big factor being the reasonable expectations of the person providing the data and the circumstances in which they do so. The GDPR also sits alongside the European Union's specific rules on electronic communications (the ePrivacy Directive, implemented in the UK as PECR), which for email and SMS marketing usually mean you need explicit consent anyway.

Purpose Limitation

You can only collect and use the data for a specific purpose, which you must make clear to the data subject. This is hugely important for marketing as it means, for example, if you collect email addresses for a weekly newsletter, you can't then use those email addresses to send one-off promotional messages.

You'll need to carefully organize your marketing data so that you know exactly what purpose you collected each item for. If you want to use data for a new purpose you'll normally need fresh, specific consent.

Data Minimization

You can only collect and use data that's necessary for the specific purpose you gave.

Remember that the purpose will apply to a particular piece of data. For example, you might get consent from customers to use their email address for a weekly newsletter. You might also get consent from customers to collect and use their date of birth to make sure they are old enough to see advertisements for alcohol.

Both of these would be legitimate. However, you couldn't then combine the two pieces of data to send the user an electronic card or promotional offer on their birthday. You don't have the person's consent to use their date of birth for this purpose, so this is not lawful processing of that data.

Accuracy

You must do everything reasonable to make sure the data you hold is accurate. You'll need procedures to check it, update it where necessary, and respond to any complaint from the data subject about inaccuracies.

Storage Limitation

You must only keep data for as long as necessary to serve the purpose for which you collected it. For example, if you ask users to provide their email address for updates on an upcoming conference, you can't hold on to those addresses after the conference just because they "might be useful for marketing later on" unless you have specific consent to do so.

In some cases this won't be entirely clear-cut. For example, you may be considering whether to keep the addresses on file to use to send a mailout to invite people to the same conference next year. For this you'll need to consider the "fair and transparent" principle, asking yourself if users would reasonably have expected you would do this when they gave consent.

Integrity and Confidentiality

You must take all reasonable measures to keep the data secure and uncorrupted. This could include physical, technical and organizational security, including controls on who in your organization can access which data.

Accountability

You are responsible for proving you've complied with the GDPR in full. The best way to do this is to keep clear records of the decisions you make and the procedures you use when handling data.

GDPR User Rights

The GDPR gives data subjects (the person the data relates to) eight key rights.

Right to Be Informed

In simple terms, users have the right to know what data you collect about them, how and why you'll use it, how long you'll keep it, and whether you'll share it. This is arguably the key right regarding digital marketing under the GDPR, so we've gone into it in more detail later in this guide.

Right to Access

Data subjects have the right to know what data you hold about them. Normally they can exercise this right with a data access request. You'll then have a month to respond, normally without charging any fee. This right means it's vital you organize and coordinate your data processing procedures so you know exactly what data you hold on people and why.

Right to Rectification

Data subjects have the right to ask you to correct or update inaccurate data. Usually you must do so within a month.

Right to Deletion

Data subjects have the right to ask you to delete data that is no longer necessary for you to hold. If you've complied with the Storage Limitation principle, this shouldn't usually be a problem.

Right to Restrict Processing

Data subjects can ask you to limit the way you process their data. The most common case is while they are waiting for you to correct inaccurate data or deal with a complaint that you are using it unlawfully.

Normally you need to comply with this request until the problem is resolved, though you don't need to delete the data.

Right to Data Portability

Data subjects have the right to get a copy of the data they have provided to you in a structured, commonly used and machine-readable format, so that they can easily transfer it to another service provider.

Right to Object

Data subjects have the right to object to your processing of their data at any time. Where the processing is based on consent, they can also withdraw that consent at any time, and withdrawing it must be as easy as giving it was.

In some cases this right is limited: for example, you may be able to refuse if the processing is a legal requirement. However, the GDPR explicitly says that in cases involving direct marketing, this right is absolute.

This means if somebody asks you to stop using their data for direct marketing, you must do so immediately. Generally you should then retain only enough of their data to make sure you can continue to respect this demand and don't accidentally send them marketing later on.

Right to Object to Automated Decision Making

You must tell users if you make decisions about them by solely automated means, including profiling, where those decisions have legal or similarly significant effects. In such cases they can ask for a human to review the decision, express their point of view and contest the outcome.

Meaningful Consent For Digital Marketers

The biggest issue for digital marketers with the GDPR is the combination of the first principle (lawfulness, fairness and transparency) and the first right (to be informed). These combine into a specific requirement of the GDPR: that consent is only valid where it is meaningful.

In other words, the data subject has the adequate information to make a genuine decision to consent to data collection and processing.

These are some of the ways to make sure this is the case.

The GDPR changed the game when it comes to marketing consent. You can break down forms of consent into four levels:

  • Bare Bones Implicit: This means simply publishing a Privacy Policy or other details about how you handle data and then inferring that the user has consented simply by continuing to use your site and services.
  • Implicit With Warning: This is the same as above, but with a specific wording to say that continuing to use the site constitutes consent. This approach is sometimes called browsewrap.
  • Explicit (pre-ticked): The user takes a positive action such as clicking a confirmation button, but any options to change consent, such as checkboxes or sliders, are set to give full consent by default, so the user has to untick them to refuse.
  • Explicit (not pre-ticked): This offers users one or more checkboxes, sliders or similar options to change whether they give consent and then confirm the choice. By default the options are all set to not give consent.

When the GDPR first took effect, many marketers switched from using the first two of these options to the third. That's because meaningful consent must be active, with the user giving an explicit rather than implied signal of consent.

A later court case (the Court of Justice of the EU's 2019 Planet49 ruling) held that even this third option of pre-ticked consent is not sufficient, as there is no guarantee that the user has read through the checkboxes or sliders and actively chosen to give each type of consent rather than clicking the confirmation button by accident or without reading the details. Only the fourth option is acceptable. This makes sure the user has intentionally considered and chosen to give consent for one or more data uses.

This example from The Telegraph shows the evolution of consent. The pop-up window shown below goes some way to achieving the need for active consent rather than relying on implied consent:

The Telegraph Cookies Consent Notice

Clicking the "Manage" button brings up a list of granular consent options, with sliders set to off by default:

The Telegraph Manage Cookies Consent screen

Remember that you may need to review how any existing web forms work behind the scenes as well as what the user sees. For example, you may have an opt-in form built some years ago whose back end treats a missing or "null" value for the consent field as consent. That is not acceptable under the GDPR: a box the user never ticked (or a field the form never sent at all) must be read as no consent, because you must be certain that consent is intentional.

You should get specific consent for specific types of data collection and use, giving as many options as possible without being unwieldy. This increases the likelihood that the user can give meaningful consent rather than thinking it is an all-or-nothing approach.

For example, they may be happy to have their data processed but not willing to have their data sold. Specific consent for these two activities means they don't have to give blanket consent.
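The points in this section and in the Data Minimization section above (a missing form value never counting as consent, consent recorded separately for each purpose, a use of data checked against the purpose it was collected for, and the absolute right to object to direct marketing) come together in how a marketing system stores consent. The following Python is an added example written for this article; it is not code from the original page or from any product or regulator. The purpose names, the ConsentStore class and the sample form submissions are all constructed for illustration.

```python
"""Purpose-bound consent records for a marketing database (added example).

Shows three things the article describes:
  * a consent checkbox that is absent from the submitted form (unticked, or
    never rendered by an old form) is read as "no consent", not as consent;
  * consent is stored per purpose, so a subscriber can agree to one use of a
    data item and refuse another;
  * every use of personal data is checked against the purposes actually
    consented to, and an objection to direct marketing is honoured
    absolutely, after which only a suppression marker is kept.
Purpose names, the ConsentStore API and the sample submissions are assumptions
made for this example, not part of the GDPR or of any real product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

# Assumed purpose identifiers; each would map to the wording shown next to
# the checkbox the user ticked.
PURPOSES = ("newsletter", "special_offers", "age_verification", "birthday_offer")
# Values an HTML checkbox submits when ticked. Anything else is not consent.
AFFIRMATIVE = {"on", "true", "1", "yes"}


def parse_consent_form_unsafe(form: Dict[str, str]) -> Dict[str, bool]:
    """The failure mode the article warns about: a field the browser never sent
    comes back as None, which is != "off", so a missing box becomes consent."""
    return {p: form.get(p) != "off" for p in PURPOSES}


def parse_consent_form(form: Dict[str, str]) -> Dict[str, bool]:
    """Hardened: only an explicit affirmative value counts as consent."""
    return {p: str(form.get(p, "")).strip().lower() in AFFIRMATIVE for p in PURPOSES}


@dataclass
class ConsentRecord:
    email: str
    date_of_birth: Optional[str] = None
    purposes: Dict[str, bool] = field(default_factory=dict)
    consented_at: Dict[str, str] = field(default_factory=dict)  # accountability trail


class ConsentStore:
    """In-memory stand-in for the subscriber table of a marketing system."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._suppressed = set()  # people who objected to direct marketing

    def register(self, email: str, form: Dict[str, str],
                 date_of_birth: Optional[str] = None) -> ConsentRecord:
        if email in self._suppressed:
            raise PermissionError(f"{email} has objected to direct marketing")
        consents = parse_consent_form(form)
        now = datetime.now(timezone.utc).isoformat()
        rec = ConsentRecord(email, date_of_birth, consents,
                            {p: now for p, ok in consents.items() if ok})
        self._records[email] = rec
        return rec

    def may_use(self, email: str, purpose: str, *fields: str) -> bool:
        """Purpose limitation and data minimization in one check: the purpose
        must have been consented to, and every field the operation needs must
        actually be held for this person."""
        rec = self._records.get(email)
        if rec is None or email in self._suppressed:
            return False
        if not rec.purposes.get(purpose, False):
            return False
        return all(getattr(rec, f, None) is not None for f in fields)

    def object_to_marketing(self, email: str) -> None:
        """Right to object (absolute for direct marketing): drop the record and
        keep only enough to make sure we never contact this address again."""
        self._records.pop(email, None)
        self._suppressed.add(email)

    def audience(self, purpose: str) -> list:
        return sorted(e for e in self._records if self.may_use(e, purpose, "email"))


# Constructed sample submissions, as a web framework would hand them over.
SAMPLE_FORMS = {
    "alice@example.com": {"newsletter": "on", "age_verification": "on"},
    "bob@example.com": {},                                     # old form: no boxes
    "carol@example.com": {"newsletter": "off", "special_offers": "on"},
}


def demo() -> dict:
    store = ConsentStore()
    store.register("alice@example.com", SAMPLE_FORMS["alice@example.com"], "1990-05-12")
    store.register("bob@example.com", SAMPLE_FORMS["bob@example.com"])
    store.register("carol@example.com", SAMPLE_FORMS["carol@example.com"])
    out = {
        # the unsafe parser gives Bob full consent from an empty form
        "unsafe_bob": parse_consent_form_unsafe(SAMPLE_FORMS["bob@example.com"]),
        "newsletter_audience": store.audience("newsletter"),
        # Alice consented to a date-of-birth age check, not to birthday offers
        "alice_birthday_offer": store.may_use("alice@example.com", "birthday_offer", "date_of_birth"),
        "alice_age_check": store.may_use("alice@example.com", "age_verification", "date_of_birth"),
    }
    store.object_to_marketing("alice@example.com")
    out["newsletter_after_objection"] = store.audience("newsletter")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it directly to see the outcome for the three constructed subscribers: the unsafe parser turns Bob's empty submission into consent for everything, the hardened one does not; Alice's date of birth can be used for the age check she agreed to but not for a birthday offer; and once she objects, her record is gone and only the suppression entry remains, so a later re-registration of the same address is refused rather than silently re-subscribing her.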

This example from Microsoft gives users three options for email marketing:

Microsoft: Manage Communication Permissions screen

Note that pre-ticked checkboxes are acceptable in this context as the user in question had already given consent for this data processing. This dashboard lets the user easily withdraw consent, which is another key element of the GDPR.

Privacy Policies and Your Digital Marketing

A Privacy Policy is by far the best way to comply with the GDPR's transparency requirements and the right to be informed. Users have the right to know information before consenting to collection and other processing such as:

  • What data you collect
  • Why and how you'll use it
  • How long you'll keep it (or how you decide this)
  • Who if anyone you will share the data with

The key is to strike a balance between being comprehensive and being concise.

Usually the best approach is to list some key points whenever you are about to collect personal data and then clearly link to a complete Privacy Policy. This could appear in a pop-up window or on a new page that opens in a separate tab.

This example from Scientific American covers the most important points (how and why the data is used, how to withdraw consent, whether the data is shared) while linking to the Privacy Policy in multiple places. It also allows for specific and positive consent to be obtained:

Scientific American newsletter sign-up form with consent checkboxes

Privacy Policy Style

The GDPR says information you give to users about your data processing must be clear and plainly written. You should take your audience into account.

For example, use even plainer language if you know children may be using your site. This example from Girls Health is clear without being patronizing:

Girls Health Privacy Policy: How we see your personal information clause

Use short paragraphs and bullet-point lists to break up lengthy, complicated parts of your Privacy Policy.

You can make sentences clearer and shorter by favoring the active rather than passive voice and addressing the reader directly.

For example, rather than saying "The data subject's details will be processed and archived by the data processor for one year" you can write "We will process and archive your details for one year."

Try to keep language as specific as possible. For example, saying "We may use your data for marketing purposes" isn't helpful as the reader doesn't have a good sense of how likely this is to happen or what it entails.

Saying "We will use your email address to send you a weekly newsletter about our new products and occasional messages about special offers" gives more specific detail.

This example from the Sydney Morning Herald combines all of these good style points:

Sydney Morning Herald Privacy Policy: What Happens if We can't Collect Your Personal Information clause

It uses simple, clear language, short paragraphs, bullet points, an active voice and just the right amount of specific detail.

GDPR Digital Marketing Privacy Policy Checklist

As well as covering the key points listed above, your GDPR-compliant Privacy Policy should contain the following information:

  • Your contact details (including your Data Protection Officer if you have one)
  • The purpose you are giving for processing the data
  • The legal basis on which you are collecting data (which is often consent)
  • Whether you will be passing on the data to non-EU countries and, if so, what safeguards you've put in place to make sure it remains protected to the standards of the GDPR
  • The user's rights under the GDPR (such as withdrawing consent, accessing their data or making a complaint) and how to exercise them
  • Whether you use automated decision-making

It's possible some details will vary for different types of data you collect. One way round this is to simply list everything in the Privacy Policy. Another is to list any variations or exceptions elsewhere at a relevant point, for example in the form where the user submits the personal data.

Summary

Let's recap the key points you need to know about digital marketing and consent under the GDPR:

  • The GDPR covers processing of personal data in the European Union
  • Processing includes collecting and selling of personal data
  • Personal data is information that relates to a specific individual
  • The GDPR applies if you are established in the EU, or if you are outside the EU but offer goods or services to, or monitor, people who are in the EU
  • Breaching the GDPR can lead to substantial financial penalties
  • The key to the GDPR is following principles and upholding rights
  • The principles are:

    • Lawfulness, Fairness and Transparency
    • Purpose Limitation
    • Data Minimization
    • Accuracy
    • Storage Limitation
    • Integrity and Confidentiality
    • Accountability
  • The rights are:

    • Right to Be Informed
    • Right to Access
    • Right to Rectification
    • Right to Deletion
    • Right to Restrict Processing
    • Right to Data Portability
    • Right to Object
    • Right to Object to Automated Decision Making
  • The right to object is absolute for direct marketing. If somebody asks you to stop using their data for direct marketing you must do so immediately.
  • The main tasks for digital marketers to comply with the GDPR are:

    • Understand what data you collect, why and how you use it, and how long to keep it.
    • Get clear, specific, active consent when collecting data, where relevant, offering the option to consent to some processing while objecting to others.
    • Publish a clear Privacy Policy that tells users how and why you process their data.
    • Make sure your Privacy Policy includes required legal details such as your contact details, the purpose and legal basis for collecting data, how you handle transfers outside the EU, the user's rights under the GDPR and whether you use automated decision making.