The GDRP has become an essential element to take into account when deciding to advertise online. It now governs display advertising: it is therefore necessary to know all its specificities in order not to be pinned by the authority in charge of monitoring its proper application: the CNIL. Find out what rules you have to respect when you advertise online.
Summary of the article: GDPR and advertising: How to adapt?
- What is the GDPR?
- What is a personal data?
- What are the rules to follow?
- What is the impact of the GDPR on advertising?
- How to advertise online without cookies?
What is the GDPR?
GDPR stands for "General Data Protection Regulation" (in french, it is called RGPD, "Règlement Général sur la Protection des Données"). It was put in place to regulate the processing of personal data throughout the European Union. It strengthens the control of citizens on the use of their data, which is granted to them by the French Data Protection Act of 1978.
All organizations that process personal data must comply with this regulation, as long as :
- they are established in Europe ;
- their activity targets the European population.
Professionals thus benefit from a harmonious regulatory framework throughout Europe.
What is a personal data?
In order to protect users, the notion of personal data is defined very broadly. According to the French National Commission on Information Technology and Civil Liberties (CNIL), when we talk about personal data, we mean "any information relating to an identified or identifiable natural person". This notion applies even when a person is indirectly identifiable.
A person is directly identifiable when his or her first and last names are given.
A person is indirectly identifiable thanks to :
- an identifier (customer number);
- a number (telephone number);
- a biometric data;
- several specific elements of identity: physical, physiological, genetic, psychic, economic, cultural or social, but also voice or image.
What are the rules to follow?
To comply with the GDPR regulations, the CNIL introduces 6 simple reflexes to adopt:
- Only collect data that is truly necessary to achieve your goal.
- Inform users of the use that will be made of their personal data.
- Organize and facilitate the exercise of people's rights.
- Determine how long the data will be kept.
- Secure data and identify risks.
- Check the legislation and update its procedures.
What is the impact of the GDPR on advertising?
As far as the advertising sector is concerned, the GDPR has a strong impact on online advertising. Indeed, in order to be able to offer users personalized advertisements, it is necessary to know their centers of interest: a significant collection of personal data is therefore necessary when browsing the various sites.
This data collection is done through cookies.
Before being able to collect information from Internet users who have accepted cookies, the website must inform "in a clear and synthetic way" of the use that will be made of the information. Thus, when it comes to advertising, the CNIL recommends that sites present the following messages:
- for personalized advertising: "Personalized advertising: [name of the site/application] [and third-party companies/our partners] uses/use tracers in order to display personalized advertising based on your browsing and your profile";
- for location-based advertising: "Location-based advertising: [name of the site/application] [and third-party companies/our partners] uses trackers to send you advertising based on your location".
However, it is not enough to simply explain to the user the use that will be made of his/her personal data, he/she must also be given the possibility to refuse the cookies "as easily as he/she is offered to accept them".
This reinforcement of users' right to their personal data leads Google to put an end to the use of third-party cookies on its Chrome browser.
This doesn't mean that it will be completely impossible to do targeted advertising, companies will still be able to rely on first-party data, i.e. information collected from visitors to a site (without tracking them). The risk being that Internet users will be more likely to be confronted with less relevant ads.
It is also possible to opt for programmatic display, which allows to target advertising not according to personal data, but according to the keywords used on a site or a web page.