Do I need a user's consent for retargeting

What is retargeting?

In case of retargeting a user’s browser history is analyzed to address the user with products, he/she showed interest in before.

Because of a personalized address retargeting campaigns are extremely effective to bring back former website visitors and make them to recurring customers.

But retargeting only works on basis of usage and behavioural data, which are generated through tracking cookies.

The GDPR and retargeting

Retargeting uses the personal data that is obtained and processed by cookies.

This usually includes the IP-address, which has already been classified by the German Courts as personal data to the GDPR.

Furthermore the usage behaviour of the website visitor, e.g. which products the visitor looks at, which landing pages the user visits, where he/she clicks, will be captured.

In addition to that the online behaviour outside a website can be enriched with these data, so that a user profile can be generated.

For obtaining and processing of these data the GDPR requires a legal basis according to Article 6 GDPR, e.g. obtaining a consent.

Justified interest or consent for retargeting?

The question, whether retargeting can be based on justified interest (Article 6 (1f) GDPR) or on the user’s consent (Article 6 (1a) GDPR) is controversial.

To proof justified interest in accordance with article 6 (1f) GDPR the company has to be able to proof a corresponding balance of interests in favor of their own economic interests against the data protection interests of the users.

This is because of a comprehensive profiling and the “tracking” of a user with products, that he/she looked at on several websites, hard to justify.

As a yardstick the GDPR takes what the average user could expect.

The majority of privacy advocates, especially data protection authorities, therefore clearly see the consent as a prerequisite for retargeting with tracking cookies.

Large providers of retargeting technologies such as Google and Facebook are in favor of unambiguous consent as the basis for retargeting and also stipulate this in their terms of contract.

When consenting, it must be ensured that all the criteria for a valid consent pursuant to the GDPR are met.

Consents for Google Remarketing Services

The question, whether retargeting can be based on justified interest (Article 6 (1f) GDPR) or on the user’s consent (Article 6 (1a) GDPR) is controversial.

To proof justified interest in accordance with article 6 (1f) GDPR the company has to be able to proof a corresponding balance of interests in favor of their own economic interests against the data protection interests of the users.

This is because of a comprehensive profiling and the “tracking” of a user with products, that he/she looked at on several websites, hard to justify.

The biggest provider of remarketing services (e.g. Google Ads, Google Remarketing) is Google - which means that Google sets the tone when it comes to the implementation of the GDPR.

Google describes in its “EU standard for consents”, that advertisers need to obtain and proof the legally watertight consent for their advertising services, especially retargeting.

That means all Google Ads customers have the duty to obtain the explicit and freely given consent of their website visitors before Google Ads cookies collect data for personalized retargeting advertising.

Advertisers have no long-term choice, but to fulfill all criteria, if they want to use the Google Tools.

In the future, Google will demand the consent to be obtained from the advertisers not only legally but also programmatically: Google has once again confirmed its agreement to join the IAB Transparency & Consent Framework.

Consent for Retargeting on Social Media Channels like Facebook, LinkedIn, Twitter, etc.

A special case exists if the advertiser uses a special pixel or cookie of a social media channel such as the Facebook Pixel and displays its website visitors with personalized advertises.

This causes legal problems in accordance with the GDPR.

For retargeting and personalization is, based on such a comprehensive profiling, the explicit consent according to Article 6 (1) GDPR necessary.

The advertiser has to obtain this consent freely, informed, explicit, etc. for Facebook.

The user may has given - buried in the depths of the terms and conditions - his consent to enrich his profile by the data collected by pixels on external sites, but this type of consent does not comply with the DSGVO.

However, these cookies and pixels collect data from all visitors. Even those who do not have an account with a social network.

Incidentally, this consent can not be extended to all advertisers who may advertise on social networks such as Facebook.

Especially the case of Facebook Custom Audiences is strongly condemned by authorities and courts and is only possible with the consent of the user.

Facebook requires the consent

Similar to Google, Facebook states in its "Policy for Consent to Developers” that advertisers who have Facebook Pixel installed on their website or in their app must be able to obtain and prove their users' consent.

Consent for retargeting with AdTech technologies like Criteo

Consent for retargeting with AdTech technologies like Criteo.
Criteo himself does not stipulate in his terms and conditions that one must obtain the consent or prove.

Thus, it is up to the advertiser to decide if he sees the requirements for legitimate interest.

As stated above, the basis of argumentation under DSGVO is thin for this. The interests of the person concerned predominate regularly.

Result: Retargeting is only possible with a given consent.

Sources and related links:

Disclaimer

Usercentrics GmbH does not offer legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.

Knowledge ›
Usercentrics Knowledge Hub: Here we share our knowledge and give you in-depth insights.
Press ›
Usercentrics in the press: Here you will find an overview of our press releases and a history of our articles.
Whitepaper ›
Concentrated knowledge: Our whitepapers give you strategic and operational insights.
Webinars ›
You missed one of our live webinars? We provide the records for you here.
Newsletter icon
Legal Update
Always up-to-date: With our legal update, we keep you up to date with the latest trends around data protection.
Whitepaper Cookie Consent Management for Enterprises in accordance with GDPR
New Whitepaper
Checklists and practical tips for the correct handling of cookies and user identifiers according to GDPR.