We’re used to asking people to sign up to newsletters and email lists. We might need to tweak how we do it and refine our “consent process”. But the basics stay the same:

People actively send us their details.

But personalized advertising and analytics happened in the background. No questions asked.

Until now!

This article is all about asking for user consent. You will still need to update (or create) your privacy policy for all the advertising and analytics tools you use, even if you aren’t required to collect consent for all of them.

Who is this article for?

Unlike most other requirements we’ve learnt about, consent for personalized ads and cookies is only a requirement in the EU. If you definitely don’t target Europeans with your ads and get very few visiting your shop, you can relax a bit. Use your own discretion about how much of this you want to apply to your own shop.

When do you need consent?

Using personal data for personalized ads: yes!

Under the GDPR, storing and using personal data to show someone personalized ads will need prior consent. This includes browsing and activity histories that build a picture of someone’s preferences, opinions and lifestyle.

Ads that are not personalized or targeted: no!

If you show ads on your website that are the same for everyone or that randomly cycle between different ads, then you don’t need to ask for consent.

The GDPR will not let anyone opt out of ads entirely! It only impacts collecting of personal data that allows ads to be personalized or targeted to the individual.

Using cookies that help run ads, analytics and other non-essential features: yes!

Cookies are handled by a different piece of legislation, called the ePrivacy Directive. The way it interacts with the GDPR can be confusing, but in general, you will need to tell people about all cookies you use and let them opt-out (or require an explicit opt-in), regardless of whether you’re a Data Controller for that service. [skip to the full section on cookies]

Etsy sellers: stop here!

If you only sell on Etsy and have no other website, then most of this information is not relevant to you. You have no control over how Etsy asks for user consent for cookies, so you just have to rely on them doing the right thing.

The consent requests that Etsy will show to European users will refer to third parties, like you as a seller.

The only action you should take is to explicitly exclude European visitors from any Google Analytics Remarketing Audiences (even better, include countries you do want, like United States or Canada). It’s possible that the consent Etsy collects won’t cover this specific use of Google Analytics, so you’ll have to make sure you don’t use European user data for this purpose.

If you don’t use Remarketing Audiences inside Google Analytics, then just make sure it’s turned off and you are good to go!

Who is responsible for what?

Remember the idea of a “Data Controller”? That’s the party who’s responsible for getting informed consent from an individual before collecting or using data for personalized ads.

Just because you run targeted ads, that does not mean that you are a Data Controller and need to ask for consent yourself!

The type of personalized ads you need to worry about use data you put there. This will generally be ads using an audience based on data you uploaded (Custom Audiences, look-alike, Customer Match ← those kinds of things). In some ad networks, it might also include remarketing or retargeting ads, based on the individual’s behaviour in your shop.

Even if you’re not the Data Controller, you’re still responsible for telling your visitors about cookies.

Facebook Advertising

  1. Get specific consent if you want to upload email addresses to create a Custom Audience. Store it in your email marketing platform with your other granular consent fields.

Facebook has made things really easy for us: they’re going to be the Data Controller for data our Facebook Pixels send them!

That means you do not need to ask for explicit consent for creating retargeting audiences based on what pages people view on your website, or other kind of behaviour.

Read about Facebook preparation for GDPR here.

(Remember: you might still need to get consent for placing cookies.)

You need specific consent to use someone’s email address for Facebook ads

Custom and look-alike audiences are great ways to get in front of your biggest fans (your email subscribers!) and people like them.

Facebook already expected us to have consent to import these emails but after May 25th, this will be more explicit.

Regardless of what Facebook actually implements, you should be asking your subscribers to specifically opt-in to allow you to share their email addresses with Facebook in order to show them personalized ads or improve your other advertising (with look-alike audiences).

You can store this consent with a custom field inside your email marketing system, in the same way you store your other granular consent options.

Personal data flows into Facebook

Google Advertising

  1. Get specific consent if you want to upload email addresses to create Customer Match audiences. Store it in your email marketing platform with your other granular consent fields.
  2. If you use any Google ad product other than AdWords (which includes Shopping Ads) then do further research or seek legal advice. You might be a Data Controller.

If you’re only using AdWords – including Shopping Ads – then you’re in luck. Google will remain the Data Controller and be responsible for collecting user consent around personal data.

Just like with Facebook, you will be the Data Controller for any personal data you directly import. In AdWords, this is using the Customer Match and Store Sales features, where you can import email addresses and offline sales. For these cases, you’ll need to collect specific consent to share the information with Google for advertising when you first collect the data at sign up or during the sale.

As usual, you’re still responsible for telling your visitors about cookies related to AdWords, and for getting user consent in the future.

Overall, however, the official information Google has released is a lot less clear than Facebook’s and you’ll want to do your own research or seek legal advice if you use other ad products (not AdWords) or run a lot of personalized ads targeting Europeans.

Other Ad Networks

You might also be a Data Controller if you create remarketing ads using other ad networks, like LinkedIn.

You should carefully read any information your ad tools have released about data privacy and the GDPR, especially any changes in the tools they offer, their terms and what you might need to do.

Watch out for anywhere they declare you to be a Data Controller. That makes you responsible for collecting user consent to share personal data with them for advertising purposes.

Google Analytics

  1. Reduce what you track and keep it as anonymous as possible by following these 5 steps. You can then consider not asking for consent. ← This is not legal advice. Make your own decision.
  2. You still need to include Google Analytics in your cookie notice and consent options. Use a tool.
  3. Do not create Google Analytics Remarketing Audiences using European visitors without getting specific consent. Ensure your audience definitions specify one or more non-European countries.

Can you imagine having to ask permission to run your Google Analytics code? And having anybody agree!?

Thankfully, there are a few steps you can take to reduce the data you collect, avoid using GA data for intrusive purposes or marketing, and build a case for a “legitimate interest”.

As always, if your biz is on the larger size or has a big European footprint, seek legal advice before using the Legitimate Interest lawful basis.

1. Reduce what you track

In many circumstances, it is possible to link Google Analytics data to an individual.

You should be careful to never store directly identifying information, like names or email addresses, inside GA (that’s against the terms of use), but various unique IDs can be sent as part of page URLs that you could link back to a person. Things like transaction IDs or user IDs from another system.

This kind of data is called “pseudonymous data”: not quite anonymous, but not directly identifiable by itself.

The GDPR talks about pseudonymous data directly as a way of keeping personal data more secure. However, it does include it in the definition of “personal data”, so storing only pseudonymous data does not get you off the hook of needing to declare it in your privacy policy or ask for specific consent in some circumstances.

Wherever possible, you should avoid sending pseudonymous data to Google Analytics unless you’re really going to use it.

  • Turn off settings in other systems that send this data to GA (like the “ecommerce tracking” option in a Mailchimp campaign).
  • If you can, use Google Tag Manager to remove IDs from certain page URLs before they’re sent to GA.
  • Implement IP anonymization or masking (see #3).

Bonus fact: The Google Analytics cookie ID also counts as personal data! GA doesn’t work without this and you can’t see it, except in the User Explorer tool, so the case for Legitimate Interest is very strong.

2. Set your Data Retention period

IMPORTANT: Set your “Data Retention” setting to “Never expire”

This refers to how long data is kept that is linked to an individual User ID (or cookie ID). Generally, this is the information you’ll see in the User Explorer.

Your Google Analytics data is also stored in “aggregate”. This is what’s used in the standard, built-in reports.

As soon as you make any customization to a report, it no longer uses aggregate data! If you want to use custom reports, dashboards or even special configurations of built-in reports, you need the original user data.

3. Turn on IP Anonymization

An IP number is your computer’s name when it’s connected to the internet. It’s often recorded along with other browsing and behaviour data, including by Google Analytics.

Even though it can change (a “dynamic IP”), the GDPR considers it pseudonymous personal data. Storing anonymous IPs instead reduces the personal data you keep in GA. Just like when you see a credit card number online, the last few digits of the IP are removed.

This is a technical change to your Google Analytics code. If you’re not techy, then you’ll need to check the Google Analytics plugin or settings for your website to see if it has a simple option to “Turn on IP anonymization” or “Turn on IP masking”.

IP anonymization can affect two things in Google Analytics:

  1. The accuracy of geolocation data. In most cases, this change will be pretty minimal, especially if you’re mostly looking at countries and not cities. (See this research for what kind of discrepancies you could expect.)
  2. Filters that exclude visits based on IP address, like your own visits. If you currently exclude your own visits using an IP filter – and you want to turn on IP anonymization – you’ll need to use another option, like a Chrome extension.

4. Carefully consider Advertising Features and demographics

The Google Analytics Advertising Features let you see demographics and interest data for your visits based on the information Google’s ad network knows about them.

Google’s Terms require you to put certain things in your privacy policy if you use this feature, but otherwise, it keeps this data very anonymous when showing it to you inside Google Analytics. Unlike other data, you cannot connect it to an individual user using any of the built-in tools.

As part of “data minimization”, you should consider whether you really need this feature and if not, turn it off.

If you leave it on, then you should:

  1. Notify your visitors that you’re also using the Google DoubleClick cookie, which they can opt out of.
  2. Make sure your privacy policy meets Google’s Advertising Features terms.

5. Get consent for Google Analytics Remarketing Audiences

So far, we’ve been treading the grey areas of “not intrusive”, “pseudonymous” and “Legitimate Interest”.

Remarketing blows that all away. If it’s marketing, you need consent.

You have two options:

1. Ensure that all remarketing audiences explicitly filter by Country, so that users within Europe can be excluded from any profiles and remarketing.

(If you’re comfortable having Advertising Features turned on without getting explicit consent, then this option is for you.)

2. Ask European visitors to specifically opt-in to their browsing information being used for personalized ads. Ideally, you can combine this request with the opt-in to place the DoubleClick cookie, as you need that for remarketing to work.

Cookie Notices & Consent

  1. Use a “cookie consent” tool to automate how your online shop notifies visitors of cookies and gets consent.

The GDPR is not the only legislation we have to deal with. The ePrivacy Directive (ePR) sets out the requirements for how websites set cookies and other similar technology.

What is a cookie?

“Cookies” are a way that websites remember information from page to page, and visit to visit. Otherwise, websites are very forgetful!

Cookies are just a small piece of text that a website places on a browser’s computer to store information.

Many of the functions that cookies allow are absolutely required for the website to work! Cookies remember what’s in your shopping cart and whether you signed up to the newsletter in that pop-up (and never need to see it again).

They also remember your Google Analytics ID, so each of your visits can be linked together to build up a picture of your behaviour on that site. Or it might be your Google DoubleClick ID, so Google’s advertising code can show you the most relevant ads.

In these cases, the actual information stored in a cookie is not sensitive at all. Instead, code on the website reads the cookie and combines it with other information (like a database of browsing behaviour and demographics) to provide certain functions.

The most “intrusive” function that cookies allow is personalized ads.

What does the ePrivacy Directive require?

If you’ve ever seen one of those “cookie banners” that shows up at the top of a website when you first visit, you’ve seen the ePrivacy Directive in action.

Many countries have interpreted it to require that users are given information about the cookies that are used and an opportunity to opt out using their own browser settings or other opt out tools available.

Other countries (like Italy) interpreted it to require that users must opt in to certain “inessential” cookies (especially for marketing) before they’re put on your computer.

How does this all work with the GDPR?

The GDPR covers collection and processing of personal data, which may or may not require cookies. The ePR (in this case) covers placing and accessing the cookies.

So even if you don’t have any obligations for a particular ad network under the GDPR, you might under the ePR.

Is the ePrivacy Directive changing with the GDPR?

The ePR was originally planned to be updated at the same time as the GDPR came into force. However, it’s now delayed and not expected to be agreed on until 2019.

This means that we need to combine the new GDPR requirements around personal data with the current ePR.

We don’t know exactly what will be in the final new ePR, but it’s likely to include:

  • An explicit requirement to get a user’s prior consent before running any non-essential cookies.
  • Possible exceptions for user tracking that’s sufficiently anonymous (which might include Google Analytics in many cases).

For now, we don’t need to change how we get consent for cookies or what we tell people. However, if you get a lot of European visitors you should definitely have a Cookie Policy and consider installing a plugin that will show them a “cookie banner”. Choose a solution that will let you “upgrade” to getting prior consent right away or when it becomes necessary.

Cookie notice & consent solutions

These are plugins or extensions that help you automatically notify your website visitors about cookies your site uses.

When choosing a cookie consent solution, make sure it can:

  • Block non-essential cookies until the visitor has opted in to allow them.
  • Automatically detect all the cookies your site uses.
  • List them all in a Cookie Policy that is easy for your visitors to understand.
  • Give your visitors granular control over what type of cookies to allow.
  • Ideal world: target only EU visitors. <– Not all of the tools I suggest below do this but it could be added with a little extra work in Google Tag Manager or by using some of their Pro versions.

OneTrust Cookie Consent (free) >>

Includes a generated Cookie Policy, very granular control and a detailed “consent dashboard” for your visitors.

An especially amazing tool if you are based on the EU and need to comply with the GDPR to the letter, as it comes with lots of other GDPR tools, also for free.

Iubenda Cookie Solution (paid but cheap) >>

[Affiliate link – Get 10% off the first year of their very affordable Pro version].

This tool doesn’t provide as granular control as OneTrust, but it does automatically link to an Iubenda-generated Privacy Policy, which is included. I’ll be recommending Iubenda more in my Privacy Policy article.

  • You do NOT need to use this cookie tool just because you use their privacy policy generator!
  • Comes with a WordPress plugin for easy install, but you can also easily add it to any shop where you can edit the “head” portion of your template.

This list will be updated as I investigate and can recommend any others. Let us know about any plugins you use in the comments!

Leave a Reply

Your email address will not be published. Required fields are marked *