Data Privacy for Digital Marketers: A Guide to GDPR Compliance & Cookie Consent
![Data - Blog - Data Privacy - Cover](https://cypressnorth.com/wp-content/uploads/2024/04/Data-Blog-Data-Privacy-Cover.jpg)
Disclaimer
We’re not lawyers, nor do we play them on TV… so we cannot give legal advice. This guide is for informational purposes only and does not constitute legal advice.
The content provided in this guide is based on general principles and should not be considered a substitute for professional legal counsel. Laws and regulations vary by jurisdiction, and individual circumstances can significantly impact legal outcomes. Before making any decisions or taking any actions based on the information here, we strongly recommend consulting with a qualified attorney or your organization’s legal department. They can provide personalized advice tailored to your specific situation. Remember that legal matters are complex, and relying solely on blog posts, guides, or online information may not address all nuances or potential risks. Always seek professional legal guidance to ensure compliance with applicable laws and regulations.
Digital Marketing + Data Privacy
Over the last few years, governing bodies around the world have adopted an increasing number of digital privacy rules and regulations. And let's face it – data privacy laws can be intimidating. When you first start researching the topic and are met with pages and pages of legal documents, you might be tempted to ignore the issue altogether, but doing so can open you up to severe consequences.
Whether you’re trying to better understand data privacy or want to ensure you’re fully covered, we’re here to help. In this guide, we’ll walk you through the basics of the General Data Protection Regulation (GDPR) and cookie consent. We’ll also help you develop a plan to get compliant so you can avoid potential lawsuits associated with privacy violations.
Read on to learn about your legal obligations regarding data privacy.
What is GDPR?
The General Data Protection Regulation, or GDPR, was enacted in 2018 and is an overarching policy meant to protect citizens of the European Union (EU) and the European Economic Area (EEA). It consists of 99 Articles intended to strengthen and unify data protection across Europe.
GDPR impacts all organizations in the EU, but can also apply to entities throughout the world.
![Data Blog - Data Privacy - Europe Visual](https://cypressnorth.com/wp-content/uploads/2024/04/Data-Blog-Data-Privacy-Europe-Visual.jpg)
GDPR grants consumers in the EU the right to protect their personal data and outlines the rules businesses must follow to process this information. The protections granted to individuals under GDPR are considered fundamental rights.
There are also region-specific data privacy regulations that put their own spin on the overarching GDPR policy, like the UK GDPR.
What is GDPR Compliance?
Being GDPR compliant means offering users the set of protections granted to them by GDPR. Check out our GDPR key points section below for the highlighted set of protections you’re required to offer users. But be sure to keep reading for a more in-depth review of your responsibilities.
GDPR Key Points (The TL;DR Version):
- The European Union enacted GDPR in 2018 to protect citizens' data privacy.
- GDPR aims to protect personal information and mandates that individuals must give their consent before having their data tracked and stored by organizations.
- GDPR affords additional rights to users to rectify their data, erase it, and withdraw consent at any time.
- Collected data must be kept securely, and any data breaches involving personal data must be reported to supervisory authorities within 72 hours.
- If you’re not compliant, you may face substantial fines.
What data is protected under GDPR?
At its core, GDPR was created to protect users' personal information.
But what is considered personally identifiable information (PII) under GDPR?
According to GDPR, personal information is “any information relating to an identified or identifiable natural person.” This type of data comprises private, professional, and public information that could be used to directly or indirectly identify an individual. This means that even if you don't collect a user’s name or IP address, the indirect identifiers you do collect still count as personal data, and you must adhere to all the necessary requirements outlined in GDPR.
Here are some of the most common examples of direct and indirect personally identifiable information companies collect from users:
| Direct Identifiers | Indirect Identifiers |
|---|---|
| Name | Geo Location |
| Phone Number | Device Model |
| Email Address | Purchase Preferences |
| IP Address | Website Pages Visited |
Does GDPR apply to me or my organization?
If you or your company collect any personal information from users located within the EU or EEA, you are legally obligated to provide them with the set of protections outlined by GDPR.
If you don’t offer users their required set of protections, you’re opening yourself up to substantial fines. Under GDPR, every individual has the right to file a complaint with a supervisory authority about how your business handles their data. Penalties from GDPR infractions are significant enough that even big tech firms should be scared.
GDPR Fines Are Categorized in Two Tiers:
Tier one includes less severe infringements, resulting in fines of up to €10 million or 2% of the business’ worldwide annual revenue, whichever amount is higher. Yikes… and that’s the less severe penalty.
Tier two covers more serious infringements, which can result in fines of up to €20 million or 4% of the business’ annual worldwide revenue, whichever amount is higher.
![Data - Blog - GDPR Compliance - Fines](https://cypressnorth.com/wp-content/uploads/2024/04/Data-Blog-GDPR-Compliance-Fines-1024x576.jpg)
In 2023 alone, supervisory authorities issued a total of about €2.1 billion (equal to about 2.3 billion USD) in GDPR fines. In May 2023, Meta Platforms Ireland Limited was fined €1.2 billion for infringing upon Article 46(1) of GDPR by transferring personal data from the EU/EEA to the USA.
How to become GDPR Compliant
The first step to becoming GDPR compliant is to review your business requirements. What advertisement, analytics, and other tracking platforms do you use? What users are being captured by these platforms, and are they protected by GDPR? If you’re capturing data from users protected by GDPR, are you offering them the right set of protections?
If you’ve determined that GDPR applies to your business, your next course of action should be to get compliant! But you may be asking yourself, how do I become GDPR compliant?
As we discussed, GDPR mandates that individuals must give their consent before having their data tracked and stored by organizations. This means you need to ensure you’re providing users with the set of protections granted to them by GDPR in order to become compliant.
You’ll need to ensure individuals who are protected by GDPR give you their consent before you collect and process their information. These individuals must also have the ability to withdraw consent at any time, and have the option to request that you rectify or erase their personal information.
There are two main options for putting these principles into practice:
- Geo-Fencing: This solution involves completely blocking all traffic from regions that are protected by GDPR, allowing your company to act independently of this regulation. This is an extreme solution and, for most businesses, not a route I would recommend taking. You would likely still need to adhere to other regional data privacy regulations like the CPRA, UK Data Protection Act, and more, so simply blocking GDPR-protected regions may not be enough.
- Cookie Consent Banner: Deploying a cookie banner from a consent management platform (CMP) like OneTrust is my go-to solution for becoming GDPR-compliant. These platforms allow you to target users based on their location and only show specific cookie banners for regions that legally require them. That means you’ll be able to show cookie banners tailored to specific regional data privacy regulations. This allows you to maximize the amount of data you collect, since you'll only be offering opt-out options to users in protected regions.
Since a cookie consent banner is the logical choice for most businesses, this route is what we’ll cover throughout the rest of this guide.
You’re required to give users protected by GDPR the option to accept all cookies, deny all cookies, or toggle on and off specific groups of cookies.
These users also must not be tracked by default, which means they must give their consent before you begin collecting and processing data.
![Data - Blog - GDPR Compliance - Cookie Consent v2](https://cypressnorth.com/wp-content/uploads/2024/04/Data-Blog-GDPR-Compliance-Cookie-Consent-v2-1024x576.jpg)
Cookie Consent Key Points (The TL;DR Version):
- Cookies are small data files stored in a web browser that collect personal information.
- You must get consent from users protected by GDPR before any non-essential cookies are fired.
- Users protected by GDPR must have the option to withdraw consent at any time, and it needs to be just as accessible as accepting consent.
- You need to provide specific information about what is being tracked and why.
- You can’t hide content from users who reject cookies, and you can’t trick people into accepting cookies.
How to implement a cookie banner
Implementing a cookie banner on your website is typically done through a third-party consent management platform (CMP).
A CMP is a service that adds a cookie banner to your website. Whether you need an enterprise-level solution like OneTrust or a small-scale WordPress plugin like Complianz all depends on your business requirements. Once you choose a CMP that meets your business needs, follow their installation and configuration documentation to set up your cookie consent banner.
There are a few things you’ll want to keep in mind during the configuration process:
Cookie Classification: It’s important to correctly identify and classify all cookies and scripts firing on your website. Most CMPs have a built-in auto-identification and classification feature that will scan your site to identify and classify as many cookies as possible. Just keep in mind that you should not rely solely on this scan to identify all your cookies.
It’s important to identify and document all cookies and tracking scripts manually to ensure nothing slips through the cracks. Cookies firing when a user declines tracking could put you in the line of fire for a world of legal trouble, so it’s important all cookies are identified and classified before deploying your cookie banner.
Geo-Location: Most CMPs have geo-location tracking features built in. These show region-specific cookie banners to users based on their location. This is an incredibly important feature.
Users protected by GDPR are not allowed to be tracked by default, but users located in other regions may not have these same protections. This means you don’t have to opt out all your users by default, only those who are actually protected by these regulations. This will help mitigate data loss after cookie banner implementation.
Google Consent Mode V2: If you’re looking to integrate your CMP with Google Tag Manager or another Google product, it’s important to ensure your CMP is compatible with Google Consent Mode v2. Learn more about Google’s certified CMPs.
Google Consent Mode V2
You may have seen a banner in your Google Ads account recently talking about changes to consent mode for companies that collect data from users within the EEA. If you’re not familiar… Google is requiring marketers to make sure their data is configured with Google’s Consent Mode v2. This involves using a Google-certified CMP to manage user consent settings on your website through a cookie banner.
Take a look at our quick video reviewing how to get started with Google’s Consent Mode v2 within Google Tag Manager.
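The configuration points above (cookie classification, geo-location defaults, and Consent Mode v2 compatibility) come together in a small consent gate. The following is an added example written for this guide; it is not code from the original post, from Google, or from any CMP vendor. The consent type names (`ad_storage`, `analytics_storage`, `ad_user_data`, `ad_personalization`), the `region` and `wait_for_update` parameters, and the `dataLayer`/`gtag` shim are the ones Google documents for Consent Mode v2; the region list, the tag registry, and the `ConsentGate` helper are constructed for illustration and deliberately incomplete.

```javascript
// Added example: region-aware Consent Mode v2 defaults plus a gate that only
// fires a tag once the consent category it was classified under is granted.
const CONSENT_TYPES = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// Constructed, deliberately incomplete list of ISO 3166 codes that the CMP's
// geo-location feature would treat as opt-in by default. A real deployment
// carries the full EU/EEA and UK list plus whichever US states apply.
const OPT_IN_REGIONS = ["DE", "FR", "IE", "NL", "ES", "US-CA"];

// gtag.js reads commands from window.dataLayer; this is the shim Google
// documents, kept here so the pushed consent signals can be inspected offline.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

function consentObject(state) {
  return Object.fromEntries(CONSENT_TYPES.map((t) => [t, state]));
}

// Consent Mode v2 defaults: a region-less "granted" baseline plus a "denied"
// entry scoped to opt-in regions. These must be pushed before any tag loads;
// wait_for_update gives the CMP up to 500 ms to deliver a stored choice.
function pushConsentDefaults() {
  gtag("consent", "default", consentObject("granted"));
  gtag("consent", "default", { ...consentObject("denied"), region: OPT_IN_REGIONS, wait_for_update: 500 });
}

// Work out which default applies to a visitor. A region-specific entry wins
// over the region-less one, and a state code ("US-CA") wins over its country.
function resolveDefault(visitorRegion, layer = dataLayer) {
  const defaults = layer.filter((c) => c[0] === "consent" && c[1] === "default").map((c) => c[2]);
  let best = null;
  let bestScore = -1;
  for (const d of defaults) {
    const regions = d.region || [];
    let score = regions.length === 0 ? 0 : -1;
    if (regions.includes(visitorRegion)) score = 2;
    else if (regions.includes(visitorRegion.split("-")[0])) score = 1;
    if (score > bestScore) { bestScore = score; best = d; }
  }
  if (best === null) throw new Error("consent defaults must be pushed before tags load");
  return Object.fromEntries(CONSENT_TYPES.map((t) => [t, best[t]]));
}

// Tag registry: every tag is classified by the consent type it needs.
// null marks strictly necessary tags that need no consent. (Constructed names.)
const TAGS = [
  { name: "session-cookie", requires: null },
  { name: "ga4-config", requires: "analytics_storage" },
  { name: "ads-remarketing", requires: "ad_storage" },
];

class ConsentGate {
  constructor(visitorRegion, tags = TAGS) {
    this.state = resolveDefault(visitorRegion);
    this.tags = tags;
    this.fired = [];
    this.flush();
  }
  // Fire every tag whose category is currently granted, at most once each.
  flush() {
    for (const tag of this.tags) {
      const allowed = tag.requires === null || this.state[tag.requires] === "granted";
      if (allowed && !this.fired.includes(tag.name)) this.fired.push(tag.name);
    }
    return [...this.fired];
  }
  // The visitor's banner choice: a partial map of consent types to
  // "granted"/"denied", pushed as a Consent Mode "update" and re-applied here.
  // Withdrawal is the same call with "denied" values. A tag that already fired
  // cannot be un-fired, which is why the defaults above must be right.
  update(choice) {
    const next = {};
    for (const [k, v] of Object.entries(choice)) {
      if (!CONSENT_TYPES.includes(k)) throw new Error(`unknown consent type ${k}`);
      if (v !== "granted" && v !== "denied") throw new Error(`bad value for ${k}`);
      next[k] = v;
    }
    gtag("consent", "update", next);
    this.state = { ...this.state, ...next };
    return this.flush();
  }
}

pushConsentDefaults();
// Usage: const gate = new ConsentGate("DE"); gate.update({ analytics_storage: "granted" });
```

A CMP does this work for you, but the checks it must get right are visible here: the defaults are pushed before any tag runs, a tag is fired only after its category is granted, and a visitor in an opt-in region gets nothing but strictly necessary tags until they choose. Running the gate with a tag that was never classified (no `requires` entry) is exactly the "cookie slipping through the cracks" failure the classification step guards against.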
Processing data under GDPR
Correctly implementing a cookie banner is a big step toward becoming GDPR compliant. But you still need to ensure you’re processing data in line with GDPR, and that you clearly communicate your data processing procedures to your users.
According to Article 4 of GDPR, processing refers to the “collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction” of personal data. GDPR states that all personal information shall be “processed lawfully, fairly, and in a transparent manner” and that the data will be collected for a specific and legitimate purpose.
GDPR is expansive and exhaustive in its definition of data processing. For example, if you collect data through Google Analytics, HubSpot, or even a simple form on your website, you are processing data. Being transparent about WHY you’re processing personal data from users is a key aspect of GDPR. Will the data be used to improve the user experience or offer better value? You need to provide users with clear answers to these questions before collecting their information.
Detailed information about collection and processing procedures should be listed on your website’s cookie and privacy policy pages.
Need a hand becoming GDPR compliant?
Looking for a team to assist with compliance? Or maybe you're not sure where to start.
Contact us for a no commitment cookie consent consultation!
How does GDPR impact digital marketing?
GDPR, at its core, limits the amount of data that companies can collect from their users. This directly impacts digital marketing efforts because it limits conversion tracking, remarketing efforts, and any other marketing activities that rely on user data.
But to understand why GDPR has become such a hot topic for digital marketers in recent months, we need to understand the Digital Markets Act.
The Digital Markets Act (DMA)
The Digital Markets Act (DMA) is a newly introduced regulation that addresses big tech firms’ control over digital ecosystems. It’s designed to create a more fair environment for other online businesses.
The DMA addresses how personal information can be tracked across platforms. Meta, Alphabet, Microsoft, Amazon, ByteDance, and Apple are the first six companies, or “gatekeepers” as the DMA calls them, that fall under the new regulations.
If you’re not one of the six “gatekeepers,” you may wonder why you should care about the DMA. The answer is simple. If your marketing team runs digital ads through platforms like Google or Meta, you’re impacted by the DMA.
The DMA mandates that gatekeepers must not track users outside of their core platform services for targeted ads without consent. In this case, consent is defined in accordance with the GDPR.
Companies classified as “gatekeepers” collect data through marketers running digital advertisements on their core platforms.
For the “gatekeepers” to become fully compliant with new data privacy regulations, they had to push some of the responsibilities under the DMA down to digital marketers operating on their advertisement platforms.
An example of that is something we mentioned earlier in this guide: the banner in Google Ads about consent mode. Google requiring marketers to configure data with Consent Mode v2 ensures the company is fully compliant with the DMA. This is the most recent example of the gatekeepers pushing data privacy responsibilities down to digital marketers, but it’s safe to say this won’t be the last.
Gone are the days when data privacy was simply an issue for your legal team. Digital marketers now need to make sure the data they’re collecting and sending into their advertisement and analytics platforms meets all the necessary GDPR & DMA requirements.
Does GDPR impact the United States?
Yes and no. Companies in the United States (or anywhere else in the world) can be bound by GDPR even if they don’t have a physical location in Europe.
If you actively market to, do business with, or collect information from users located in the EU or other protected regions, you’re bound to comply with their local data privacy regulations.
And while the U.S. lacks a comprehensive federal consumer privacy law, many states have been spinning up their own data privacy regulations. California passed the California Consumer Privacy Act (CCPA) in 2018. Since then, 13 additional states – Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia – have signed data privacy bills into law, with many states in various stages of the legislative process.
![Data-Blog-Data-Privacy-USA-Visual](https://cypressnorth.com/wp-content/uploads/2024/04/Data-Blog-Data-Privacy-USA-Visual-1024x641.jpg)
The United States doesn’t have the same level of data privacy protections as outlined in the EU’s GDPR, but it’s still important for marketers within the United States to understand what state-specific protections they should be offering their users.
Now’s the time for digital marketers to assess their current state of compliance, and implement a consent management platform that fits their business needs.
How will GDPR impact my tracking?
We hope the information provided in this guide so far has given you a better understanding of GDPR and the steps your business can take to become compliant. But you may still have some questions about what happens next. For example, how will GDPR actually impact my business? Or how will a cookie banner impact my tracking?
Unfortunately, both the quality and quantity of your tracking are going to take a hit after installing a cookie banner. But this doesn’t mean you’re dead in the water. In fact, there are some key steps you can take to maximize your data post-cookie banner implementation.
Through the use of your consent management platform’s geo-location features, you can show different cookie banners to users depending on their region. Users in protected regions can be opted out by default, while users who aren’t located in protected regions can be tracked as normal. This allows you to maximize the amount of data you’re collecting, even with a cookie banner.
We even implement geo-location-based cookie banners on our site. That means:
- If you’re located in a non-protected region of the United States, we’ll only provide you with the option to accept all cookies.
- If you’re located in a protected region of the United States, you’re shown the same banner but are provided with the option to opt out of tracking within our cookie policy.
- If we detect you’re located in the EU or EEA, we show you a cookie banner with options to accept all cookies, decline all cookies, or toggle on and off specific groups of cookies.
I strongly recommend implementing a cookie banner based on geo-location if it’s offered by your consent management platform.
First-party cookies
With the looming deprecation of third-party cookies on Google Chrome and an increasing number of regional data privacy regulations, solely relying on geo-location-based cookie banners to save your data isn't enough. You’ll need to start shifting your perspective from using traditional website traffic and advertisement conversion data to relying more on first-party data.
First-party data can be collected from your audience via direct engagement with your company. This data comes from customers willingly sharing data through interactions like an ecommerce transaction or filling out a contact form on your website.
How can first-party data be applied to your marketing efforts?
Think about implementing more campaign-specific landing pages that don’t show up in search results. Users who land on this page and fill out a form will more than likely come from your advertisement. You can use the first-party data you collect from the form as a way to more accurately track the success of your ad campaigns.
While you’re adjusting your strategy, you may also want to test out enhanced conversions in Google Ads. Google encrypts the first-party data collected from your website (email, name, address, etc.) to protect user privacy. Using modeling, it tries to account for conversions it believes should be attributed to your ads. This approach seems to be a bit of a legal gray area to us, so if you do implement enhanced conversions, it’s a good idea to notify users that their data is being collected and ask for consent via a checkbox on any forms you’re implementing.
Data Privacy Key Points (The TL;DR Version):
Digital marketing efforts are going to be increasingly impacted by data privacy and cookie consent regulations in the coming years. So what's the solution?
Simply ignoring data privacy laws isn’t worth the risk, in our opinion. You're better off complying with all your regional data privacy regulations to ensure you're covered from lawsuits.
Beyond protecting yourself legally, it's just the right thing to do. Don't steal your users’ information; your customers will appreciate you taking their digital privacy seriously!
Don't worry about being dead in the water with tracking. As we mentioned, you'll just have to shift towards new systems like Google's enhanced conversions that utilize first-party data.
If you need a hand reviewing your compliance needs, configuring a consent management platform and cookie banner, or just aren't sure where to start, reach out to our expert data team for a consultation!
Meet the Author
![jnovarr-headshot](https://cypressnorth.com/wp-content/uploads/2023/11/jnovarr-headshot-480x480.webp)
Jack Novorr
Jack is the Head of Data who works out of our Buffalo office. He joined Cypress North in July 2022.
Jack has Google Analytics 4 and Google Tag Manager certifications. He's familiar with a wide range of data analytics, reporting, and visualization tools, including Looker Studio, Google BigQuery, Tableau, and Power BI.
Since joining us, Jack has grown into a leader for our data team. He works closely with our clients to help them manage, visualize, and report on their data. He also played a key role in helping our agency and our clients with the shift from Universal Google Analytics to Google Analytics 4 in 2023.
Originally from Kansas, Jack moved to Buffalo to join our team shortly after graduating from the University of Kansas with a Bachelor of Science in business analytics. While pursuing his degree, Jack gained experience writing queries for large databases, data manipulation, database management, data visualization, and general coding.
Outside of work, Jack has a cat he enjoys spending time with.