Google AdWords and GDPR Compliance: How GDPR affects AdWords tracking and targeting

Over the past month, we’ve talked a lot about how GDPR affects data collection.

But what about online advertising? How big of an impact will GDPR have on AdWords users?

The European Economic Area (EEA) is the second largest consumer market in the world. The EEA also represents the third largest search advertising economy on the planet.

So, if you’re using Google AdWords to advertise inside of the EEA (or outside), you need to be aware of GDPR, and its implications.

In this post and video, we’ll look at how GDPR affects search advertising on AdWords. We’ll also discuss which AdWords features could cause GDPR related problems. And we’ll review some strategies to help you use AdWords within the parameters of GDPR.

GDPR is here – What does this mean for AdWords?

In case you’ve had your head down, mining keywords and building out ad groups, here’s a brief update on what GDPR is and how it impacts online marketing.

What is GDPR?

GDPR is the new European Union (EU) data privacy regulation. This legislation was enacted to protect the personal information of EU citizens. GDPR went into effect on May 25th, of 2018.

GDPR governs the way data can be collected when EU citizens interact with your marketing efforts. Under GDPR, you cannot collect personal data from your EU website users without their consent.

Does GDPR apply to your AdWords campaigns?

You don’t have to be located in the EU or EEA to be affected by GDPR. If your advertising reaches EU citizens, then your data collection methods need to adhere to GDPR.

Caveat – GDPR might protect EU citizens in the US or other areas?

There is some ambiguity about whether GDPR protects EU citizens traveling abroad. I don’t have a definitive answer or opinion about how GDPR affects EU web users in the US or other areas. For more clarity on this issue, I would advise that you follow up with an attorney who has expertise on this subject.

How does the GDPR impact your AdWords campaigns?

The bottom line is this:

GDPR affects advanced AdWords users who are running campaigns targeting EEA countries.

Let’s break down the advertising process, so we understand how to use AdWords in compliance with GDPR.

Geo-targeting for AdWords under GDPR

It’s always a good practice to geo-target your AdWords campaigns. Precise geographic targeting will often yield better data about your ad campaign performance.

With GDPR in effect, I would view geo-targeting as mandatory.

You should create specific campaigns for each GDPR country you target. And, do not target GDPR and Non-GDPR nations within the same ad campaign.

What if you’re not targeting EU users with any of your AdWords campaigns?

If you are not targeting EU users with your ads, and EU web visitors are not reaching your landing pages, then you should be clear of any GDPR issues. But your attorney is the only person who can completely clarify this for you. So, discuss your specific scenario with your lawyer if you’re concerned that your advertising strategy might violate GDPR.

The main point I want to stress is that geo-targeting on AdWords is critical post GDPR. If you don’t gain any business from EU customers, exclude those countries from your advertising. And be explicit in your targeting so that you don’t risk accidental GDPR violations.

What type of AdWords activity in the EU is affected by GDPR?

Let’s start with the good news. Basic search advertising should remain unaffected by GDPR. Standard search advertising targets keywords, not users. Search ads display for users based on their anonymous search engine queries. So, in its purest form, AdWords search advertising doesn’t rely on any personal data.

Advanced AdWords features and GDPR

GDPR impacts many advanced AdWords features like conversion tracking. Of course, I’m referring to some essential functions of AdWords as being advanced. But if you’ve taken my PPC Course, you will know that conversion tracking is a minimum requirement for being successful with AdWords. Many essential AdWords tracking and targeting strategies rely on these features.

Here are some of the features that collect and retain personal data.

Conversion tracking

Conversion tracking sets cookies in your visitor’s browser. And your AdWords tracking connects your user’s personal data to their keywords searches. That means even basic AdWords conversion tracking has the potential to collect protected data.

Remarketing

When you use remarketing, you can show ads based on previous interactions visitors had with your website. So once again, this advertising technique may be using personal user data that is protected under GDPR.

Remarketing Lists for Search Ads (RLSA)

RLSA is typically one of the most effective AdWords strategies. But the data used to generate your RLSA information may also be subject to GDPR compliance.

Customer Match and Store Shopping

These features require you to upload customer data into AdWords. If you enter EU user data into AdWords without permission, you are likely to violate GDPR.

We just identified some of the most necessary and efficient AdWords features as being risky under GDPR.

So how do you use these features but avoid the risk? It comes down to a matter of consent.

GDPR requires consent for personal data collection

Consent means that your EU website visitors permit you to track their personal data.

User consent according to the advertiser platforms

Google has issued some documentation about getting user consent. But this information is not very clear.

Facebook’s information about user consent is much more defined.

Their documentation also includes some examples of how to obtain user consent.

Facebook documentation on GDPR

Source: https://developers.facebook.com/docs/privacy

And If you’ve been following this blog, you’ve heard me talk about Cookie Consent.

Cookie consent for user data collection

Cookie consent refers to getting your users’ permission to collect their data using cookies and tracking pixels.

One of the best tools I’ve found for obtaining and tacking user consent is Cookiebot. The Cookiebot consent notification tool is transparent, simple, and effective.

There are many other consent notification tools available. You can read our article on cookie consent for a more detailed explanation of how tracking notification works.

User consent for AdWords lead generation campaigns

You also need consent from your EU users for opt-in forms and email marketing. Thrive Themes published an excellent article on email address opt-ins and GDPR compliance.

If your AdWords campaigns are collecting email addresses, you need to let users know what happens after they are opted-in. One way to be more explicit about your data collection is to link to your privacy policy in your opt-in form. Linking to your privacy policy will help your users understand what happens to their data after they submit their email address.

Consent for AdWords Customer Match and data uploads

Before we get into the details here, I am going to offer this warning: tread lightly.

Customer match involves taking personal user information from your database and giving it to Google. Did your customers opt into this process? Probably not, unless you told them what you were doing.

Under GDPR you need to let your users know how you’re going to use their data. And your EU users have to give you permission to use and transfer their data. Without consent from your EU users, data uploads to Google can put you at risk for a GDPR violation.

I’ve recorded a prior video about how Customer Match is a highly accurate remarketing tool. It’s an incredibly cool feature that matches your customer data across multiple Google platforms.

So, you might want to continue using Customer Match. But make sure you understand the risks.

Here are some things you can do to limit your risk with Customer Match

  • Exclude all you EU user addresses from your upload. You can do this by deleting your EU user data from your customer match file before you upload it to Google.
  • Let your customers know, at the time of purchase or opt-in, that you’re going to be using their data for matching in search campaigns. Be explicit with this notification in your terms of use agreement. And leave the box unchecked on this notice, so your users can opt-in as required by GDPR.
  • Discuss Customer Match with your company/attorney to see if it’s worth the risk. Do a risk-reward assessment to gauge the value of using the customer match feature.

Let your users opt-out of your AdWords tracking

Here’s a final consideration when it comes to consent, tracking and remarketing. You need to let your users opt-out of tracking and advertising. Under GDPR you need to make it just as easy for users to delete themselves from your database, as it was to opt-in. I am going to do an upcoming tutorial on user deletion tools. But for now, be aware that if you retain user data from AdWords, you’ll need to have a plan to remove that data on request.

Here’s a quick recap how GDPR affects AdWords:

  • Standard keyword search advertising should not be affected by GDPR
  • Geo-target your campaigns. Build separate AdWords campaigns targeting inside/outside EU/EEA/GDPR zone
  • You need consent for remarketing, conversion tracking, and other personal data collection/usage in the GDPR zone.
  • Do a risk/reward assessment for your more advanced targeting tactics on AdWords.

It’s time to start being careful with the collection of personal data and being judicious about how we use that data. GDPR forces us to gain consent for collecting and using the personal data of EU users with AdWords campaigns. So be clear in your consent notification and privacy policy about how you use your website visitors’ personal data.

Are you struggling to figure out GDPR compliance for AdWords?

GDPR represents a significant shift in how we use many of the tracking strategies we’ve relied on for years. Leave a comment below If you’re struggling to figure out how to use AdWords under GDPR. I’ll respond to as many questions as I possibly can.