European Union flag with Google logo and "GDPR"In late March, many marketers received an email from Google AdWords (now Google Ads) announcing the steps the company is taking to prepare for the General Data Protection Regulation (GDPR), which enters its enforcement stage on May 25. We’ve put together a brief overview of the issue, including industry recommendations for American companies.

What is the GDPR?

The GDPR is a major shift in European data privacy regulation; it affects European and non-European businesses that use online advertising, tracking, and analyzing products when their sites and apps are accessed by European Union (EU) residents.

The law is designed to protect the data and privacy of EU residents anywhere they go online. While it goes into enforcement on May 25, experts anticipate a grace period of about 90 days before the EU begins investigating compliance and applying penalties as appropriate.

We anticipate that two aspects of the GDPR will have a significant impact on digital marketing, and should be priorities for your organization in the coming weeks:

  • Affirmative consent: Users must be offered a choice regarding whether or not to allow their personal data to be collected. For instance, the statement “by using this site, you are agreeing to our cookie policy” violates the GDPR. Consent is no longer implied; it must be clearly requested and given. Also, evidence of user consent must be recorded, stored, and accessible on request
  • Transparency: Users must also be informed of how their personal data will be collected, what it will be used for, and why. The challenge and opportunity here will be to identify and inform visitors of data-gathering methods and purposes in a way that indicates a benefit to users to increase the likelihood they will opt in.

What is Google changing?

Starting May 25, Google’s consent policy for advertising in the EU will read:

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area, you must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services.

When seeking consent you must:

  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.

What does this mean for American companies?

If a company wishes to continue advertising in the EU through channels such as Google Ads, they must follow these provisions. However, based on an individual business’s interests, company leadership could decide to minimize their risk by no longer advertising there. This would, of course, be something to discuss with an attorney familiar with the GDPR.

Unfortunately, as this is a new law, even GDPR experts are unsure of how the law will be enforced for companies with no presence in the EU. Because of this, most of the digital marketing industry is adopting a wait-and-see stance regarding GDPR compliance by American companies, and that’s the position (un)Common Logic is taking as well.

What does (un)Common Logic recommend?

We are urging our clients to consult their companies’ legal counsel regarding their options for using digital marketing channels in the EU, and other aspects of GDPR compliance.

Google has outlined four major questions for businesses to ask their legal counsel regarding the GDPR:

  • How does your organization ensure user transparency and control around data use? How do you explain the benefits to users of sharing their data with you?
  • Are you sure that your organization has the right consents in place where these are needed under GDPR?
  • Does your organization have the right systems to record user preferences and consents?
  • How will you show to regulators and partners that you meet the principles of GDPR and are an accountable organization?

Whatever our clients’ legal counsel determines to be the best policy for their company, we will apply our usual diligence and conscientiousness to delivering excellent results for digital marketing campaigns.

We’ll also advise our clients on changes in digital marketing products and best practices that are likely to evolve in response to the GDPR. As a Google Premier Partner agency, we have a designated team of specialists at Google to keep us informed on the company’s next moves in response to the GDPR.

We think that eventually, many parts of the GDPR will be viewed as best practices in digital marketing and become an expected component of a good customer experience. In the meantime, we’re keeping a close eye on this law and how it will be applied and enforced outside the EU.


For more information and insight on the GDPR, we recommend these trusted resources:

Given the potential impact this law could have on digital marketing worldwide, we’ll continue staying on top of GDPR news and sharing our insights on it.