The GDPR guide to online marketing

Posted by Fox&Bear

In this guide, we’ll cover:

  • Best practice GDPR compliant marketing tips
  • Guidance on how to make your website GDPR compliant
  • Advice around what you are probably doing wrong with your PPC activity
  • An understanding around email marketing compliance and consent
  • How to continue running social ads that won’t fall foul


By now, the majority of marketers are aware of the upcoming GDPR and the changes it brings. As a digital marketing agency, we wanted to dig down into each of our marketing services and unearth some of the common mistakes we’ve seen amongst a variety of industries and help give advice on how to be compliant come 25th May 2018.

Multichannel marketing strategies mean we’re using a mix of platforms to carry out numerous data capture methods, as well as different ways of processing and using data. This diversity is great for generating sales, leads and engagement around brands; however, it also means an increased risk of data breaches and of data being used without permission.

In this guide, we explore things you’re probably doing wrong and the things you need to know. We’ll dive into how the GDPR will affect websites, SEO, email marketing, social advertising, Search ads, PPC display and remarketing.

How will the GDPR affect websites & SEO?

By the end of May 2018, all online data collection will need to be compliant with the rulings of the GDPR. What does it mean for your website optimisation, and for potential changes to organic search?

The main things to look out for will be search engine announcements regarding changes to their policies, differences in how analytics data is handled, and the consent and compliance policies on your own site.

Things you’re probably doing wrong

Assumed consent on website usage

Consent is the main driver behind GDPR, and cookie pop-ups that say ‘by using our website, you are agreeing to our Cookie Policy and Terms & Conditions’ are not within the new guidelines. This is because they assume consent, as opposed to receiving affirmative action for consent. However, it is likely that browser settings will be treated as consent under new GDPR regulations.

IP addresses

Many e-commerce systems perform automated security checks against IP addresses and location data to detect spam orders. IP addresses can be used to personally identify a user. If your website system collects IP addresses, location information, cookies, etc. you might be liable for ensuring the consent of your user when they complete a purchase.

User surveys & testing

User surveys, third party testing software and heatmap software all collect user behaviour data. It is important that users are aware of this kind of analytics happening and what it might mean for their privacy. If customer surveys and user testing are part of your conversion rate optimisation strategy, ensure that they do not collect any data that can be used to identify a person – without their explicit consent for how you intend to use it.

Things you need to do now

Eyes and ears

Search engine algorithms frequently use search and browser history, and search engines store that search data. They collect data according to a person’s IP address and device and use this to personalise search results, which is why not everyone sees the same results for the same searches. This data is stored, but explicit consent is never gathered from the user when they click Search.

Search data can be sensitive, and can be used to identify political interests, demographic data, health concerns and other sensitive information. With personalisation being such a huge part of search, that personalisation data might soon become illegal to keep.

Security, security, security

Your e-commerce CMS will be collecting user data – and if your CMS is accessed by third-parties (with or without your permission) you might be liable for protecting that data from extraction and processing.

Update your passwords regularly, ensure your website’s security updates are up to date, and always store your passwords in an encrypted file.

Analysis data

Every user testing, CRO and personalisation tool that you are using should be audited and reviewed. Find the GDPR compliancy documentation for these tools, and if they are not available, contact the developers or the support team. Check for instructions within these guides.

For example, Google clearly states, regarding Google Analytics:

Let your users know about these Analytics features, and give them proper notice about your implementation changes. Get consent or provide an opportunity to opt-out of your services. When you implement Universal Analytics, it is your responsibility to ensure that your use is legally compliant, including with any local or regional requirements for specific notification to users.

How will the GDPR affect email marketing?

Data regulations currently differ from one European country to the next. What the upcoming GDPR will do is align all of these countries so they are all following the same laws. The GDPR itself is a hefty document made up of 99 articles and 173 recitals. But what exactly does this mean for us email marketers? We’ve dissected the most relevant rulings and given some advice on what you can do to make your email marketing efforts comply in time for May 2018.

The change is coming…

Email marketing has always been a fast paced, ever-changing industry, but the upcoming rulings of the GDPR are by far the biggest to come into effect in recent years. There’s no denying it – it really will affect your entire email marketing strategy. Yes, your lists won’t grow with the speed they have previously, but all is not lost. In fact, quite the contrary. It’s good to note that the changes we’ll all be making in the next few months will eventually mean that your email marketing becomes more reliable and effective.

Things you’re probably doing wrong

You probably know by now that the entire process around collecting consent will be the biggest change to email marketing as we know it. There are three areas that this will encompass; how we seek, how we collect, and how we record consent.

When seeking new email subscribers, we’ve all employed many different tactics over the years to attract sign ups. Whether it’s providing gated content on your site or running competitions with conditional email sign-up – both of these, or any similar techniques you’ve used will incur some changes. The GDPR has introduced a number of requirements that must be applied to the way you’re seeking consent.

Article 7 of the GDPR States:

‘If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be

Valid email consent

When collecting valid email consent, you must use plain, unambiguous language that clearly defines what you will do with the data you’re collecting and exactly what the customer will receive. This wording must be set apart from any other information on the page so it stands out and is not hidden deep within lengthy T’s & C’s.

Let’s use running a competition as an example for how you’d collect new email sign ups. You’re running a competition to give away an iPhone in return for answering a question. When collecting the entries, you ask for the name and email address for every person that enters. In the past, you might have included that being added to your mailing list was a conditional part of the competition. This might have been written up in the T’s & C’s, and after collecting the contact details, you’d then upload these email addresses into your mailing list.

How this will change

You’re running a competition to win an iPhone. You collect the email address and name of each entrant when they submit their answer. Under the email address field, you’ll now need to include a tick box (not pre-ticked) which will read ‘Sign up for our email newsletter’. Underneath this, will be a description of what the subscriber will receive if they sign up. This will look something like the following:

We’d like to send you our monthly email newsletter packed full of helpful hints and tips on how to make the most out of your marketing. We will keep your data safe and will never share it with anyone else. You can opt-out at any time. To read more about our privacy policy click here.

Collecting email addresses

When it comes to the collection of email addresses, Recital 32 of the GDPR states:

‘Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’

Are you currently using a pre-ticked box to collect consent upon email sign up or perhaps no box at all? Are you collecting conditional consent as part of a competition or to access gated content? If you answered yes to any of the above, you are not GDPR compliant. To qualify as valid consent from May 2018, a clear, affirmative action has to take place at point of sign up. If your current data has fallen short of this requirement, you’ll have to seek affirmative action to qualify these historic sign ups in order to continue sending to them.

Recording consent

This might be the most difficult change to implement. You must record the exact wording agreed to (or a screenshot of the agreement) when your subscribers signed up. This information must be stored in your database so that you can easily show proof, if required, of exactly what the agreement was.

To ensure you’re collecting everything you need to make sure every email subscriber complies with the new GDPR regulations, we suggest recording the following as a minimum for each new email sign-up:

  • Name
  • Email address
  • IP address
  • Opt-in time/date
  • Consent wording
  • Source

Opting out – As easy as opting in?

When it comes to opting out and unsubscribing from email communications, there are some rules around this too. It should be as easy to remove yourself from a list as it is to join.

Article 7 of the GDPR states

‘The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.’

‘The right to be forgotten’ comes into play here; when a subscriber wants their information to be removed and forgotten, you must delete the record you hold for them. You are allowed to keep minimal information in order to use as a suppression. So, for email marketing purposes, we’d recommend keeping the email address of the subscriber who has opted out to use for suppression purposes only. All other information you hold on this data subject should be destroyed.

When you’re reviewing your email consent process, it’s vital to keep this advice in mind throughout all three steps of your strategy. Also spare some time to work out what changes you’ll need to make to your database and how you can qualify any data you currently have that doesn’t meet GDPR standards.
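The two steps above (recording consent, and withdrawal with a suppression-only record) as a small consent ledger. This is an added example, not code from the original guide; the class, field and method names are assumptions, and the in-memory dictionary stands in for your real database table.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ConsentRecord:
    """The minimum fields the guide recommends storing per sign-up."""
    name: str
    email: str
    ip_address: str
    opt_in_at: str          # ISO 8601 UTC timestamp of the affirmative act
    consent_wording: str    # exact text the subscriber agreed to
    source: str             # where the sign-up came from (constructed label)


class ConsentLedger:
    """In-memory stand-in for the database table holding consent proof (assumed design)."""

    def __init__(self):
        self.records = {}        # normalised email -> ConsentRecord
        self.suppressed = set()  # withdrawn addresses, kept only to block sends

    @staticmethod
    def _key(email):
        return email.strip().lower()

    def record_consent(self, name, email, ip_address, consent_wording, source,
                       box_ticked, box_pre_ticked=False, conditional=False, now=None):
        # Recital 32: silence, pre-ticked boxes or inactivity are not consent.
        if box_pre_ticked or not box_ticked:
            raise ValueError("consent needs an unticked box that the user ticked")
        # Consent bundled into competition entry or gated content is not freely given.
        if conditional:
            raise ValueError("consent must not be a condition of entry")
        if not consent_wording.strip():
            raise ValueError("the exact consent wording must be stored as proof")
        if not EMAIL_RE.match(email.strip()):
            raise ValueError("invalid email address")
        key = self._key(email)
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.records[key] = ConsentRecord(name, key, ip_address, stamp,
                                          consent_wording, source)
        self.suppressed.discard(key)  # a fresh affirmative act lifts suppression
        return self.records[key]

    def withdraw(self, email):
        # Article 7: withdrawing is one call, as easy as signing up. Destroy the
        # record and keep only the address, for suppression purposes only.
        key = self._key(email)
        self.records.pop(key, None)
        self.suppressed.add(key)

    def can_send(self, email):
        key = self._key(email)
        return key in self.records and key not in self.suppressed

    def proof_of_consent(self, email):
        """What you would show if asked: wording, time, IP address and source."""
        rec = self.records.get(self._key(email))
        if rec is None:
            return None
        return {"wording": rec.consent_wording, "opt_in_at": rec.opt_in_at,
                "ip_address": rec.ip_address, "source": rec.source}
```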

How will the GDPR affect search ads?

One of the key elements of the GDPR, is the understanding of the term ‘personal data’. While you might think that this only relates to elements that specifically identify an individual, such as a name or email address, you’d be wrong.

“‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In search ads, advertisers have access to a great deal of online data that falls under this definition, which allows us to target a specific audience by parameters such as website activity, demographic, email lists, etc. Google has already updated its data protection policies in Europe and implemented strong privacy protections to reflect GDPR guidelines. Google is committed to complying with the new legislation and will support its partners throughout this process by answering any queries you have over email or via your Google Account Manager.

Things you’re probably doing wrong

Website Cookies

Data collection from website cookies is a vital element of many search ad targeting options.

Recital 30 of the GDPR states:

“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

What this essentially tells us is that data from cookies, where they are used to uniquely identify the device, or used in combination with other data (related to the individual associated with or using the device), should be treated as personal data. This position is also reinforced by Recital 26, which states that where data can reasonably be used, either alone or in conjunction with other data, to single out an individual or otherwise identify them indirectly, then it is personal data.

Use of pseudonymous identifiers, like strings of numbers or letters, which cookies typically contain to give them uniqueness, still counts as personal data.

So under the GDPR, any cookie or other identifier, uniquely attributed to a device and therefore capable of identifying an individual, or treating them as unique even without identifying them, is personal data.

This will certainly cover almost all advertising/targeting cookies, a large number of web analytics cookies, and quite a few functional services like survey and chat tools that record user IDs in cookies. In addition, when it comes to offline customer sales uploads from tills, Google has changed how much and what data about a specific individual you are allowed to upload and track.

Email list targeting option in AdWords

Currently, we can target an individual by their email address with email list remarketing. The new GDPR changes will have huge ramifications for this form of targeting, as individual email addresses are classed as ‘personal data’. As long as your email list is GDPR compliant, you are fine to continue as usual. However, if you’re not certain of email list compliance we suggest that you start again (clear the list) and read our GDPR email guide, which will guide you through a step-by-step process on how to collect a clean and consented email list that can be used for remarketing.

Things you need to know

  1. Website cookies – check that your use of the data being collected meets GDPR standards
  2. If you’re not confident that your email list is GDPR compliant, clear your remarketing list and start again


To learn more about how the upcoming GDPR will affect search ads, we’d recommend the following for further reading:

How will the GDPR affect PPC display & remarketing?

With PPC becoming an ever more prominent digital marketing channel because of the monopoly it has on both the search and display network, it’s important that you get it right or you could be jeopardising upward of 50% of your monthly revenue.

We’re going to help you get your display advertising and remarketing in order so that you can continue your day-to-day operations without falling foul of GDPR restrictions. You should be able to walk away confidently understanding:

  • Changes to AdWords advertising policies that affect the work you do
  • Opt-in and opt-out of cookies and how this will affect your audiences in AdWords
  • How to handle your data with the new regulations
  • Safari audience data collection on iOS devices
  • Changes to YouTube and Gmail remarketing

Things you’re probably doing wrong

Assuming you’re not affected

The first mistake that any advertiser can make is to assume that these data regulations won’t affect you. Even minor changes can have a big impact on the safety of your business and your customers. Ultimately, as Google writes in its Terms and Conditions: “Customer [you] is solely responsible for its use of the Programmes.”

Delaying your opt-out option

While no common practices will be subject to change, remarketing and display lists (affinity and in-market audiences) may decrease in size due to the new opt-out option on cookies.

To stay ahead of the decline, implement your opt-out option on site as soon as possible so that you can assess more quickly how many new customer acquisition campaigns you may need to run. Also, ensure that your users have a reason to opt in, as this will need strong content and persuasive advertising copy.

“Certain disclosures must be given to and consents obtained from end users in the European Union where EU data protection law requires such disclosures and consents.”

Ignoring Changes to Safari

Apple has recently updated Safari in an attempt to tackle GDPR; these changes have affected the way that cookies are being treated within the browser.

The intelligent tracking prevention (ITP) feature will stop agencies and businesses alike from capturing browsing data across sites, which will impact largely on advertising audience and targeting.

In short, cookies are said to be available for 24 hours after your customer has visited your website. After that 24-hour window, the cookie can still be used for things like username, email and password logins, but won’t be able to do a lot regarding most forms of tracking (remarketing). After 30 days, your cookie will have been completely devalued.

This may make you feel that smaller businesses will have their advertising efforts limited by more than just their smaller budgets. Rest assured, this move by Apple can be regarded as the next big step in ensuring that your advertising is as targeted as possible, while at the same time uprooting advertisers who use remarketing cookies as a way to spam customers with low quality ads – the people that give advertisers a bad name!

You’re more likely to increase return visitors (to refresh the cookie time limit) if you’re targeting customers at the right time and place, as well as with ad copy or deals that appeal to them. In essence, dynamic remarketing could be more vital than ever on iOS devices.


Similar to other Google advertising products, YouTube advertising is affected by those formats which use prior knowledge of a user to their advantage; it’s this use of data that matters, rather than the platform it is advertised on.

The ad formats which need to gather some form of consent are:

  • Remarketing
  • Affinity audiences
  • Demographics
  • In-market audiences
  • Similar audiences

The formats which aren’t as affected are:

  • YouTube Search Results
  • YouTube Videos

Things you need to do now

Opt-out buttons

Include an opt-out button on-site for your cookies. You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products.

Include further information

Include further information on what customer data is collected from cookies and how it is used by you and third parties (agencies). You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies.

Data uses

Only use data collected by Google advertising products to ensure GDPR and general data compliance in AdWords advertising, and do not try to gather further customer data from adverts.

The Customer will not use any automated means or form of scraping or data extraction to access, query or otherwise collect Google advertising-related information from any Property except as expressly permitted by Google.

In essence, you want the amount of people coming to your site naturally (without remarketing) to increase. To do that, you need to give users a reason to choose you over competitors. To achieve this, you need to understand what your audience want, how they want it and the best way to deliver it to them – and to find that out you need to understand your data.