Remarketing (sometimes referred to as retargeting) is used to create personalised ad campaigns that target users who have already visited your site or content. The idea behind remarketing is to advertise to users that have already engaged with your brand or have already bought products from you, therefore are more likely to convert to more sales.
Through targeted ad campaigns you can offer discounts or introduce users to new products or content that might be of interest to them, based on their past behaviour on your site. The process can be broken down into three simple steps. Firstly, users engage with your brand by visiting your website, blog or social media platforms.
After this, the user is tagged with a cookie. Once the user is tagged with a cookie they can be added to a remarketing list. Finally, you launch your retargeting campaign which shows users adverts targeted to their needs and past behaviours.
While this can be a very effective marketing strategy, recent changes in the laws of data protection, most notably General Data Protection Regulations (GDPR), have affected the rules around remarketing campaigns. In this guide, we’ll look in more detail at cookies and how these have been affected by GDPR, as well as what this means for businesses running retargeting campaigns.
What are cookies and how are these affected by GDPR?
A cookie is a piece of data sent from a website and stored on the user’s device, which remembers information and records their browsing history. This can be problematic under new data protection guidelines because these cookies go some way to identifying an individual through their device. For example, users might visit sites about their religion, search something age-specific or use geotagging that reveals their location.
This is therefore classed as personal data and under GDPR, all personal data must be protected, and websites must collect explicit permission to collect and store this information. Cookies are included in this. In fact, they are mentioned in Recital 30 of the General Data Protection Regulations – which states the following:
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
How does this affect remarketing campaigns and what are the legal requirements for those running these campaigns?
Despite, not all cookies being used in a way that identifies the user, most are and are therefore subject to GDPR. With remarketing relying on the data collected from cookies in order to personalise their ad campaigns, this makes things tricky for businesses who need to remain 100% GDPR compliant.
But retargeting campaigns are still used by many businesses to make sales, so how do they get around Recital 30 and collect this data without breaking the law? In order to stay compliant, businesses can stop collecting cookies altogether and ditch the subsequent retargeting campaigns that come from these (which of course they don’t want to do). Alternatively, they must find a lawful ground on which to collect and process this data. For the most part, this is done by asking for consent from users of their website.
What are the legal requirements for getting user consent and protecting personal data in remarketing campaigns?
In order to protect the personal data of every individual, GDPR has made it harder for businesses to obtain legal consent from those using their website or online platforms. This is usually done through a pop-up, opt-in box, which might seem simple, but there are a lot of legalities surrounding these consent forms. We’ll look at the rules and regulations for gaining consent and protecting personal data for those hoping to run a retargeting campaign. In order to collect cookies, you must:
Ensure consent is explicit – not implied
Firstly, you need to make sure that you’re explicitly asking the user for consent. This is a crucial part of GDPR and is important in a lot of marketing actions, such as accepting cookies and signing up to email lists. Before GDPR, businesses could use underhand tactics to gain consent from users, but implied consent is no longer enough and means you’re not GDPR compliant.
Instead, consent must now be given explicitly through an affirmative action – usually clicking an opt-in box. And this can’t be a pre-ticked box or one that says, ‘click if you wish to opt-out’. It must be a straight-forward action and written in clear language so that all users can understand what they’re consenting to.
Give users free choice
Businesses must also give users the freedom of choice, meaning they cannot display messages that say ‘by using this site you accept our cookies’. This doesn’t give the user a choice, this means they either have to accept the cookies or else leave the website. Therefore, freedom is a key part of gaining consent.
Provide users with an opt-out
Finally, a website must include an opt-out option for users so that they can withdraw their consent at any time should they change their mind. Part of GDPR is being able to request data and also ask for it to be deleted, so businesses must respect the right of individuals to be forgotten or to revoke their consent. As such, a clear opt-out must be available to them.
As you can see, cookies are an important part of remarketing campaigns, but as these can be considered personal data, businesses need to be very careful when using these to collect information for their campaigns.
It is the responsibility of the business to gain explicit consent from the user in order to collect and store their data (including cookies). This is a legal requirement and failing to gain permission or using underhand tactics to collect data during a remarketing campaign can result in legal action being taken and a potentially huge fine.