
Do I need a user’s consent for retargeting?

by Usercentrics
May 22, 2019

What is retargeting?

With retargeting, a user’s browser history is analyzed in order to show the user products in which he/she previously showed interest.

Because the user is addressed personally, retargeting campaigns are extremely effective at bringing back former website visitors and turning them into lucrative recurring customers.

But retargeting only works on the basis of user and behavioral data, which are generated through tracking cookies.

The GDPR and retargeting

Retargeting uses the personal data that is obtained and processed by cookies.

This usually includes the IP address, which German courts have already classified as personal data under the GDPR.

Furthermore, the usage behavior of the website visitor is captured, e.g. which products the visitor looks at, which landing pages the user visits, and where he/she clicks.

In addition, the online behavior outside a website can be enriched with these data, so that a user profile can be generated.

To obtain and process these data, the GDPR requires a legal basis under Article 6 GDPR, e.g. obtaining consent.

The question of whether retargeting can be based on justified interest (Article 6 (1f) GDPR) or on the user’s consent (Article 6 (1a) GDPR) is controversial.

To prove “justified interest” in accordance with Article 6 (1f) GDPR, the company has to be able to demonstrate a corresponding balance of interests in favor of its own economic interests against the data protection interests of the users.

This is because comprehensive profiling and the “tracking” of a user with products that he/she looked at on several websites is hard to justify.

As a yardstick, the GDPR takes what the average user could expect.

The majority of privacy advocates, especially data protection authorities, clearly see consent as a prerequisite for retargeting with tracking cookies. Large providers of retargeting technologies such as Google and Facebook are in favor of unambiguous consent as the basis for retargeting and also stipulate this in their terms of contract.

When providing consent, it must be ensured that all the criteria for a valid consent pursuant to the GDPR are met.

Consents for Google Remarketing Services

The biggest provider of remarketing services (e.g. Google Ads, Google Remarketing) is Google – which means that Google sets the tone when it comes to the implementation of the GDPR.

Google states in its EU standard for consents that advertisers need to obtain and prove legally watertight consent for their advertising services, especially retargeting.

That means that all Google Ads customers have the duty to obtain the explicit and freely given consent of their website visitors before Google Ads cookies collect data for personalized retargeting advertising.

In the long term, advertisers have no choice but to fulfill all criteria if they want to use and profit from Google Tools.

In the future, Google will require advertisers to obtain consent not only legally but also programmatically: Google has once again confirmed its agreement to join the IAB Transparency & Consent Framework.

Unique cases exist, such as when the advertiser uses a special pixel or cookie from a social media channel, such as the Facebook Pixel, and shows its website visitors personalized advertising.

Under Article 6 (1) GDPR, this causes legal issues, since explicit consent is necessary in order to use retargeting and personalization.

Therefore, the advertiser has to obtain freely given, informed, and explicit consent from users when using data for Facebook.

Although the user may indeed have given consent, deeply buried within the terms and conditions, to the creation of a profile from the data which he/she has provided and which is collected by pixels on external sites, this type of consent does not comply with the GDPR.

Still, these cookies and pixels collect data from all visitors, even those who do not have an account with a social network.

Incidentally, this consent cannot be extended to all advertisers who may advertise on social networks such as Facebook.

In this regard, Facebook Custom Audiences is strongly condemned by authorities and courts and is only possible with the consent of the user.

Similar to Google, Facebook states in its “Policy for Consent to Developers” that advertisers who have Facebook Pixel installed on their website or in their app must be able to obtain and prove their users’ consent.

Consent for retargeting with AdTech technologies like Criteo

Criteo itself does not stipulate in its terms and conditions that one must obtain consent.

Thus, it is up to the advertiser to decide whether he or she considers the requirements for legitimate interest to be met.

As stated above, a strong basis for this argument is lacking under the GDPR. The interests of the person concerned generally prevail.


Usercentrics GmbH does not offer legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.
