Is Web Tracking a GDPR Risk for Marketers?

During my work as a consultant, I am asked to talk about many different aspects of marketing. Technology is the lynchpin of digital marketing. It touches everything that a marketing team does from strategic planning through to campaign execution and beyond. Most of what B2B marketers do in the 21st century wouldn't be possible without the CRM systems, marketing automation tools and web platforms used to deliver campaigns through digital channels. Enterprise marketing departments have built complex technology architectures comprising dozens of separate applications linked together. This sprawling tech stack has become so complicated that many companies are now looking to simplify it.

Underlying this entire technology ecosystem is data, be that known contacts in marketing automation or anonymous prospects on a website. Demand generation is ultimately about leads and accounts, and the process of building a relationship with these groups over an extended period of time. Marketing Operations spends a lot of time and energy making sure that every action taken by a lead is tracked and logged in a central marketing database, such as a marketing automation or CRM system. The most relevant activities are them collated together and used for scoring leads, triggering follow-up activity or reporting on campaign outcomes. This benefits the business through better leads and comprehensive reporting, as well as the prospect for more relevant content and personalised campaigns.

There are plenty of technical problems with this strategy, but the legal risks are just as important and are often overlooked. GDPR was explicitly drafted to change the way businesses thought about data collection. Whilst website tracking and digital body language were not primary considerations of the law, it definitely limited the way they could be used. According to most interpretations, GDPR imposes no new restrictions on the anonymous use of page view trackers or conversion pixels on websites – the existing EU cookie directive deals with that. The moment these things are linked back to an individual with an email or IP Address, then your lawyers might have an interest in this tracking data and its purpose. Media publishers have been the most affected by this, because they use visitor website tracking to personalise advertising, and in many cases, the same data is aggregated and then sold to a wide variety of adtech firms so that they can derive intent data. These practices require separate and unbundled consent under GDPR, hence the giant cookie pop-ups whenever you click through to the website of a magazine or news publication. They need you to consent to each advertising use case so that they can make money from your visit. In a related sphere, Google were fined by European Data Protection authorities earlier this year because their privacy notices and opt-out mechanisms for targeted advertising fell short of the requirements imposed by the new data protection law. Other tech firms will likely fall foul of the same problem in due course as the initial wave of GDPR complaints are finally ruled upon.

Enterprise marketers have an easier time of things then adtech platforms or the big tech firms – and Google falls into both categories. Your website is probably not running targeted advertising. However, the same data collection requirements still apply. If you're running retargeting campaigns, then your cookie consent mechanisms might need to make this clear, particularly if you're creating lists based off named individuals. The social networks and DSPs all suggest that consent is required for retargeting but put the consent burden for getting that consent onto the advertiser, so it is important to clarify precisely what website tracking data is collected by the different tracking scripts on your website and what each one is actually used for. Also, find out whether your lawyers believe that personalisation requires separate consent. You may also need permission to share tracking data with the advertising technology you're using to run campaigns. The major marketing automation platforms provide opt-out mechanisms for website tracking that may need to be implemented if they weren't before now.

Marketers need to start thinking about activity data in the same way they think about demographic and contact data. They're not quite the same thing, but sharing it with third parties carries risks because data sharing requires consent under GDPR and businesses have to make sure that activity data is collected on a legal basis and is totally anonymised when shared. Data has to be obtained for a specific purpose specified before collection, and can only be used for that purpose once stored. Tracking website engagement for reporting or campaign response tracking is a very different use case from tracking page views for personalisation and campaign segmentation. They might require separate consent and different consent mechanisms. The former may be fine with just a cookie pop-up, but that later use case involves tracking that data back to a named individual in a marketing automation platform. As marketers, we know this happens and what this data is used for. However, you need to be clear whether your customers do and how they are informed about this practice, because some data protection authorities are being strict in their interpretation of the law. There is still a fair amount of uncertainty about how GDPR has actually impacted advertising. The upcoming ePrivacy legislation will clarify some of this uncertainty by making the rules around tracking cookies much stricter – but this law is months or years away from being ratified after repeated delays. In the interim, existing privacy legislation may still apply.

Disclaimer: This article reflects my understanding of the issues raised, but does not constitute legal advice. I am a digital marketing consultant rather than a lawyer. In practice, different lawyers will provide sharply different legal guidance about how to handle these issues, so please do consult with the relevant team if you have any concerns.