We often receive questions about how the GDPR will change the way digital advertising is done. Even though, as a marketer, you may already expect the changes to apply to a wide range of your daily activities, some points might still be unclear. In this article we intend to make some aspects clearer and, since we have just come back from a GDPR-related meeting where we received this question, we decided to highlight some very important points.
Google will act as a controller and processor
Yes, this really means that almost all your Google promotional campaigns will be affected by GDPR.
Google acts as a controller when it comes to AdSense and AdWords services.
As we might already know, all AdWords programmes and services are available to customers through their AdWords accounts. This does not apply to those AdWords programmes and services that can be in the scope of the Google Ads Data Processing Terms, as listed: DoubleClick Ad Exchange, DoubleClick For Publishers, Google Customer Reviews.
Which AdWords services involve collecting and processing personal data?
Ads Data Hub: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; email addresses;
AdWords Customer Match: Names, email addresses, addresses and partner-provided identifiers;
AdWords Store sales (direct upload): Names, email addresses, phone numbers, and addresses;
DoubleClick Bid Manager: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; precise location data; client identifiers;
DoubleClick Campaign Manager: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; precise location data; client identifiers;
DoubleClick Search: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers;
Google Analytics: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; client identifiers;
Google Analytics 360 (formerly known as Google Analytics Premium): Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; client identifiers;
Google Analytics for Firebase: Online identifiers, including cookie identifiers, internet protocol addresses, and device identifiers; client identifiers;
Google Attribution: Online identifiers, including cookie identifiers and device identifiers; client identifiers;
Google Attribution 360: Online identifiers, including cookie identifiers and device identifiers; client identifiers;
Google Data Studio: Data relating to individuals provided to Google via the service by (or at the direction of) Customer, including to create and collaborate on reports, graphs and charts;
Google Optimize: Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers;
Google Optimize 360: Online identifiers, including cookie identifiers and internet protocol addresses; client identifiers;
Google Tag Manager: Online identifiers, including cookie identifiers and internet protocol addresses;
Google Tag Manager 360: Online identifiers, including cookie identifiers and internet protocol addresses;
What should we do next with our ongoing campaigns?
Until 25 May you can leave them as they were initially started. But after this date, the game will definitely change.
How do you ask for consent? Not on Facebook Messenger, not in a text message, but with links and checkboxes. You need proof of consent and of consent withdrawal for every move.
We have selected a couple of recommendations for you based on Article 13 of the GDPR. They are applicable to Google AdWords and Facebook lead collection too.
Think through, edit and link a Privacy Policy Notice on websites that collect and process data. The notice should contain the consent, the purpose of processing data, the recipients or categories of recipients with whom the data is shared, the right to make a complaint, the user’s right to access, erase and archive data, the legal basis for processing, and the source of the data.
Which checkboxes you will need
A link or checkbox to a “consent to data processing” (the value can be a “YES” or a “NO” for their answer);
A link or checkbox to consent as of the last update (the value is the date and time that GDPR Consent was updated);
A link to the “consent notes” (containing the purpose of data processing and a history of consent provided that is documented here). The value here should capture the purpose of capturing the data, the way the data was obtained, and any previous consent purposes.
A link to the GDPR Consent Operational Program, detailing how you ensure that you respect and handle consent agreements.
A link to “Correspondence Opt-Out”, letting people opt out of correspondence easily.
A link to enable them to opt out of cookie collection or web tracking.
What about sending a newsletter in accordance with GDPR regulations?
When it comes to sending a newsletter, it is mandatory to create a subscription flow. It could be a link to a page where people can register with their name and address, give their consent to the use of their data, and unsubscribe. It should also provide an option for asking questions about the mail they have received through the newsletter.
Also, there should be a link that indicates what someone needs to do in order to leave the mailing flow. It may happen that users click on the homepage without clicking the “Opt-out” link again; in that case the cookie may need to be re-set.