We’re used to asking people to sign up to newsletters and email lists. We might need to tweak how we do it and refine our “consent process”. But the basics stay the same:
People actively send us their details.
But personalized advertising and analytics happened in the background. No questions asked.
Who is this article for?
Unlike most other requirements we’ve learnt about, consent for personalized ads and cookies is only a requirement in the EU. If you definitely don’t target Europeans with your ads and get very few visiting your shop, you can relax a bit. Use your own discretion about how much of this you want to apply to your own shop.
Jump straight to it…
When do you need consent?
Using personal data for personalized ads: yes!
Under the GDPR, storing and using personal data to show someone personalized ads will need prior consent. This includes browsing and activity histories that build a picture of someone’s preferences, opinions and lifestyle.
Ads that are not personalized or targeted: no!
If you show ads on your website that are the same for everyone or that randomly cycle between different ads, then you don’t need to ask for consent.
The GDPR will not let anyone opt out of ads entirely! It only impacts collecting of personal data that allows ads to be personalized or targeted to the individual.
Using cookies that help run ads, analytics and other non-essential features: yes!
Cookies are handled by a different piece of legislation, called the ePrivacy Directive. The way it interacts with the GDPR can be confusing, but in general, you will need to tell people about all cookies you use and let them opt-out (or require an explicit opt-in), regardless of whether you’re a Data Controller for that service. [skip to the full section on cookies]
Etsy sellers: stop here!
If you only sell on Etsy and have no other website, then most of this information is not relevant to you. You have no control over how Etsy asks for user consent for cookies, so you just have to rely on them doing the right thing.
The consent requests that Etsy will show to European users will refer to third parties, like you as a seller.
The only action you should take is to explicitly exclude European visitors from any Google Analytics Remarketing Audiences (even better, include countries you do want, like United States or Canada). It’s possible that the consent Etsy collects won’t cover this specific use of Google Analytics, so you’ll have to make sure you don’t use European user data for this purpose.
If you don’t use Remarketing Audiences inside Google Analytics, then just make sure it’s turned off and you are good to go!
Who is responsible for what?
Remember the idea of a “Data Controller”? That’s the party who’s responsible for getting informed consent from an individual before collecting or using data for personalized ads.
Just because you run targeted ads, that does not mean that you are a Data Controller and need to ask for consent yourself!
The type of personalized ads you need to worry about use data you put there. This will generally be ads using an audience based on data you uploaded (Custom Audiences, look-alike, Customer Match ← those kinds of things). In some ad networks, it might also include remarketing or retargeting ads, based on the individual’s behaviour in your shop.
Even if you’re not the Data Controller, you’re still responsible for telling your visitors about cookies.