When it comes to GDPR and location targeting, the European Union’s new data protection framework is changing the way digital marketers do business.
Since the General Data Protection Regulation (GDPR) took effect on May 25, 2018, it has caused controversy and confusion. Despite this, there are several reasons why marketers should celebrate the GDPR.
This far-ranging regulation applies not only to EU-member countries, but to businesses and governments anywhere in the world that deal with the European market – including Canada and the United States. The goal is to protect users’ privacy and give them greater control over how their data is being used, requiring marketers to get ‘active’ consent.
But what does this mean for location targeting and its implications for digital marketers?
The Implications for Digital Marketers
Location targeting, or geotargeting, is the practice of collecting users’ location data, and then delivering ads, content or services based on users’ historic or real-time location. For example, if you’ve shopped in a particular store and that store is now having a sale, your historic location data could be used to target you with an ad or coupon for the sale.
This data is collected in a number of ways, typically via your IP address or mobile device ID when you use free public Wi-Fi (such as in a retail store) or willingly enter your postal or zip code. A device ID is a string of numbers and letters that identifies your smartphone, which is collected when you download and install an app.
Geofencing is another form of location targeting, which involves setting up a virtual boundary (or a virtual fence, if you will) around a physical location that dictates how advertisers or brands can interact with devices within that boundary. For example, if you’re in a certain geographic area, you might be blocked from accessing certain information on your device.
Browsers and social media platforms that sell advertising also collect location data for various purposes. Google collects location data, for example, but also uses your search data for implied location targeting. An example in Google’s terms of service explains that if you search “Eiffel Tower” you might then be provided with related recommendations.
GPS and Wi-Fi can be used for collecting more specific location data, and advertisers can then target or exclude geographic areas for their ads. But Google has already run afoul of GDPR regulations for its practices around the collection of location data by not allowing a clear opt-out procedure. Facebook also collects data from “where you connect to the internet, where you use your phone” and “your location from your Facebook and Instagram profile.”
Is Location Data Personally Identifiable?
Some industry players claim that, because of the use of device IDs, location data is not personally identifiable. But if data is collected on a frequent basis, and a user regularly travels at certain times between a residential address and a workplace, it wouldn’t be difficult to ascertain the user’s identity.
That’s why location data is considered to be personal data by the GDPR, as detailed in Article 4(1), and its collection and processing is governed by the GDPR. Article 3(2) states that, “This Regulation applies to the processing of personal data of data subjects who are in the Union.”
This language does not specify “citizen” and it applies to subjects “in the Union.” While there is some debate around this point, the language used seems to indicate that an EU citizen traveling outside the EU is not afforded GDPR protections unless dealing with a company that is, itself, subject to the GDPR. A non-EU citizen traveling “in the Union” is afforded GDPR protections while in the EU and, if outside the EU, when dealing with a company that is subject to the GDPR.
Changing Requirements for Data Collection
Location targeting — and certainly large-scale collection of location data — is going to become much more difficult in the EU, requiring thought, strategy and legal advice (there’s a growing number of legal firms at the ready).
Once permission is given, the data will need to be collected, processed and protected according to the standards outlined in the GDPR. Some believe that acquiring permissions will be unworkable given that multiple permissions for both the type of use and the users of the data may be required for each app or instance of location targeting.
However, it may be possible to avoid consent where the data is anonymous, such as on a city or regional basis, where the data could in no way be used to identify a specific individual. There’s also the possibility of processing location data within an app on a mobile device in such a way that any exported data is anonymous.
Bid stream data, where publishers auction slots to advertisers that “bid” to have their ad shown, often comes with location data. Under GDPR, this practice as it currently exists will no longer be allowed, because the user of that data will not have collected consent from consumers.
As a result, some industry players are altering their business models or — in extreme cases — pulling out of the EU, while others are bringing data collection in-house for the sake of compliancy.
That being said, the location data associated with ad exchanges has a reputation of being inaccurate and possibly even fraudulent, so adhering to the GDPR may ultimately lead to better quality location data for advertisers. Again, a solution where the data is processed on the consumer’s phone rather than remotely could be promising.
Geofencing that restricts data portability is already disallowed to some degree within the EU. Paid service providers such as Netflix can’t restrict you from accessing your account based on your geographic location within the EU — they must identify you by username, not IP address.
Under the GDPR, geofencing to collect data on visitors where prior consent was not given will not likely be possible (though it is conceivable that geofencing could still be used for consumers who have given prior GDPR-compliant permission).
The advertising industry is already looking at new business models, technologies and data processing methods to work within the new regulations. For example, it may be possible to program an ‘action’ into an app so the ‘action’ that occurs upon entering the geofenced area can’t be connected to the device ID.
Regardless of their requirement to be GDPR-compliant, companies might want to start examining their own location data practices, since it’s expected that more jurisdictions will follow suit and bring their privacy laws in line with the GDPR.
For example, on Jan. 1, 2020, the California Consumer Privacy Act will come into force, granting residents of California rights similar to citizens in the EU; it will apply to businesses surpassing certain size or activity thresholds that do business in the state. At a national level, Axios reports that the White House is looking at ways to improve privacy.
In Canada, the Standing Committee on Access to Information, Privacy and Ethics has recommended that the next version of the Personal Information Protection and Electronic Documents Act, or PIPEDA, adopt provisions similar to the GDPR.
GDPR is complicated and at times vaguely worded, resulting in confusion and differing opinions regarding its implications. No doubt, it will change the way location data is collected and the way advertisers target consumers. But as both advertisers and consumers adapt, the changes may be welcomed — creating better quality data and better targeted consumer experiences.