By now, you’ve probably seen the wave of emails in your inbox letting you know that companies have updated their privacy policies as part of their GDPR compliance efforts. But do you know what GDPR is, and whether your site is GDPR compliant?
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) Parliament in April 2016 to protect personal data of European Union citizens and regulate how such data may be used. As of May 25, 2018, failure to comply with GDPR is punishable by hefty fines. For example, a company found guilty of a data breach that jeopardizes an EU citizen’s data could be penalized up to 20 million euros, or four percent of an enterprise’s worldwide revenue, whichever is larger.
This regulation not only applies to business enterprises, but also other organizations — like data controllers and data processors. Additionally, it doesn’t matter if your organization is not strictly located in the EU. If your business offers goods or services to EU citizens and you use analytics tracking on your site — GDPR also applies to you.
Provisions of GDPR include things like a user’s “clear and affirmative consent” to the processing of their private data, a user’s right to transfer their data to another service provider, access to privacy policies that are explained in clear and understandable language, and stronger enforcement and high fines as a deterrent to breaking these rules.
To learn more about the specifics of GDPR check out the recording of our webinar: Everything You Need To Know About GDPR.
What it Means to be GDPR Compliant
There are six principles of GDPR which provide the foundation for compliance when collecting, processing, and storing personal data in the European Union. To learn more about the 6 Principles of GDPR, download our eBook: Everything Marketing and Advertising Professionals Need to Know about GDPR.
These principles state that personal data:
- Should be collected for a specific, legitimate purpose
- Collection should be limited to the data points that are necessary in relation to the purpose set forth
- Data should be processed in a legal and transparent manner
- Processing should be done in a way that ensures appropriate security of personal data and should not occur for a longer period than necessary
- All collected data should also be kept up to date and accurate at all times
Geofencing for GDPR Compliance
There are multiple ways a company can work towards becoming GDPR compliant. One way of instituting GDPR compliance is to geofence advertising tags on your site. This means that you could use a user’s geographical location to determine whether or not your advertising tags should fire. In this way, you would be prohibiting advertising tags from firing and collecting data for EU users and thereby ensuring GDPR compliance.
You can achieve the above result by choosing to inclusively or exclusively trigger your pixels to fire. Whether you inclusively or exclusively trigger your pixels depends on the level of risk your company is comfortable with and the legal strategy you’ve agreed upon.
Implementing Geofencing – Inclusive or Exclusive Triggers?
Where your business is located, where your potential users are located, and where the most significant portion of your revenue comes from (geographically speaking) are key pieces of information that should factor into whether you should inclusively or exclusively trigger your advertising pixels.
You may decide that you would like to target all users globally except for EU citizens. If this is the case, you would be excluding the EU region from your geofencing. This would allow you to obtain data from users globally, unless they are in the EU.
The more extreme method of geofencing in this scenario would be to have tags only fire and collect data if users are located within the United States. This is a very stringent means of compliance which eliminates tracking ANY users outside of the United States, rather than having tags fire if a user is located outside of the European Union. Depending on your business structure and legal strategy, this may be the best option for you.
You can implement this type of geofencing by combining two steps: 1) determining your users’ geolocation, and 2) altering the triggers within your tag management system. Within Google Tag Manager (GTM) or your TMS, you would create a variable and use the value of that variable to determine whether or not the tag should fire (the value of the variable will vary, depending on whether you’ve decided to inclusively or exclusively filter).
While this approach to compliance can be technically involved, it is a great way to ensure GDPR compliance by making sure you are only collecting data from users either outside of the EU or only in the US. Because it is a technically involved approach, you will want to have backup measures in place to ensure that your geolocation variable is set up properly (and pulling geolocation properly). You should also take into account that some tools may not have cross-browser compatibility (you would need a backup in this case). You will also want to allow time for adequate testing, quality assurance and legal review of your process.
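The sketch below is an added example, not code from Tag Inspector or Google Tag Manager. It shows how the geolocation variable described above could be computed for either trigger style, with a failed or malformed lookup treated as "do not fire". The function names, the `geofence_ready` event name and the country list are assumptions, and the country code is assumed to come from whatever geolocation source you already use.

```javascript
// Added example; every name here is hypothetical.
// Illustrative EU member-state codes (ISO 3166-1 alpha-2). This list is an
// assumption: the regions you fence should come out of your legal review.
const EU_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE',
]);

const MODES = new Map([
  // Exclusive trigger: fire everywhere except the EU.
  ['exclusive', (cc) => !EU_COUNTRIES.has(cc)],
  // Inclusive trigger: fire only for users located in the United States.
  ['inclusive', (cc) => cc === 'US'],
]);

// Normalise the geolocation result. Anything that is not a two-letter code
// (lookup failed, was blocked, or returned junk) becomes null.
function normalizeCountry(raw) {
  if (typeof raw !== 'string') return null;
  const cc = raw.trim().toUpperCase();
  return /^[A-Z]{2}$/.test(cc) ? cc : null;
}

// Decide whether advertising tags may fire. An unknown location fails
// closed in both modes, so a broken lookup never enables tracking.
function allowAdTags(rawCountry, mode) {
  const rule = MODES.get(mode);
  if (!rule) throw new Error('unknown geofence mode: ' + mode);
  const cc = normalizeCountry(rawCountry);
  return cc !== null && rule(cc);
}

// Build the dataLayer entry that a TMS variable and trigger can key on.
function geofenceEvent(rawCountry, mode) {
  return {
    event: 'geofence_ready', // hypothetical event name
    adTagsAllowed: allowAdTags(rawCountry, mode),
  };
}

// In the browser (not executed here):
//   window.dataLayer = window.dataLayer || [];
//   window.dataLayer.push(geofenceEvent(countryFromYourLookup, 'exclusive'));
```

Advertising tags would then use a trigger that fires only when `adTagsAllowed` is true, so no tag runs before the geolocation result has been pushed.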
If you have questions or require assistance with the implementation of geofencing tags within your tag management system, please contact your Tag Inspector consultant – we are here to help!
Using Tag Inspector to maintain GDPR Compliance
You can also use Tag Inspector validation rules and alerts to let you know if something is amiss with data collection on your site, including something related to your geofencing implementation.
Regardless, we recommend using Tag Inspector to track your GDPR and site optimization efforts, whether that means checking if you are collecting PII or confirming that your dataLayer variables are being set properly.
Our Tag Inspector Team can answer all your GDPR questions and assist with ensuring your company is GDPR compliant. Contact your Tag Inspector Consultant today to go from ARRGH! to AAHH! for all things GDPR.
The materials are provided AS IS without any warranty and InfoTrust, LLC disclaims all warranties, express and implied, regarding these materials. The information contained in these materials was prepared for general informational purposes and it is not intended to provide legal advice. Before applying any of the information to your situation, you should consult your legal advisors.