News | 8/12/2017

The GDPR Guide to Search Ads

Posted by Lawrence Greenlee


One of the key elements of the GDPR, which comes into play in 2018, is the understanding of the term ‘personal data’. While you might think that this only relates to elements that specifically identify an individual, such as a name or email address, you’d be wrong.

Definition of personal data:

“‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In search ads, advertisers have access to a great deal of online data that falls under this definition, which allows us to target a specific audience by parameters such as website activity, demographic, email lists, etc.
Google has already updated its data protection policies in Europe and implemented strong privacy protections to reflect GDPR guidelines. Google is committed to complying with the new legislation and will support its partners throughout this process by answering any queries you have over email or via your Google Account Manager.

Things you’re probably doing wrong

Website cookies

Data collection from website cookies is a vital element of many search ad targeting options.

Cookies are mentioned once in the GDPR, in Recital 30:

“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

What this essentially tells us is that data from cookies, where they are used to uniquely identify the device, or used in combination with other data (related to the individual associated with or using the device), should be treated as personal data. This position is also reinforced by Recital 26, which states that where data can reasonably be used, either alone or in conjunction with other data to single out an individual or otherwise identify them indirectly, then it is personal data.

Use of pseudonymous identifiers, like strings of numbers or letters, which cookies typically contain to give them uniqueness, still counts as personal data.

So under the GDPR, any cookie or other identifier, uniquely attributed to a device and therefore capable of identifying an individual, or treating them as unique even without identifying them, is personal data.

This will certainly cover almost all advertising/targeting cookies, a large number of web analytics cookies, and quite a few functional services like survey and chat tools that record user IDs in cookies. In addition, when it comes to offline customer sales uploads from tills, Google has changed how much and what data about a specific individual you are allowed to upload and track.

Email lists targeting option in AdWords

Currently, we can target an individual by their email address with email list remarketing. The new GDPR changes will have huge ramifications for this form of targeting, as individual email addresses are classed as ‘personal data’. As long as your email list is GDPR compliant, you are fine to continue as usual. However, if you’re not certain of email list compliance we suggest that you start again (clear the list) and read our GDPR email guide, which will guide you through a step-by-step process on how to collect a clean and consented email list that can be used for remarketing.

Things you need to do now

Website cookies – check that your use of the data being collected meets GDPR standards

If you’re not confident that your email list is GDPR compliant, clear your remarketing list and start again


How Google complies with data protection laws
The GDPR, Cookie Consent and Customer Centric Privacy
GPPR Article 4 – Definitions
AdWords Terms and Conditions
AdWords User Consent Policy
AdWords Policies
AdWords Privacy

Please note that all the information contained in this blog is for guidance only. If you are concerned about the impact of GDPR and would like bespoke advice for your business, please call 01273 208913 or email