Implications of the GDPR on (your) video marketing

January 17, 2018

It’s becoming a bit of a buzzword. And if you’re in digital marketing, it’s very likely that you’ve heard at least something about it: the General Data Protection Regulation (in short: GDPR). So, what is it and what does this mean for digital marketing? In this article we’ll give you a brief summary of some of the general implications of the GDPR, and more specifically, the implications for data handlers such as StoryTEQ.

In a nutshell, the GDPR provides Europe-wide regulation on how organizations must collect, store and use (customer) data. The set date for everyone to be compliant with the GDPR is the 25th of May 2018.

It’s good to know that the GDPR is more of an abstract framework than an elaborate ‘how to’ guide. In essence, it tells organizations that users are in the driving seat, and as an organization, you’re responsible if you screw up.

The focal points of the GDPR are the following:

• Active consent: In order for an organization to collect and use user data, that user has to actively agree to this. This means a simple (cookie) notification that you’re saving and using their data if they continue using your site won’t suffice anymore. E.g. you can only set cookies after someone actually clicked the ‘Agree’ button.

• User has the controls: a user must be able to access, delete, transfer and alter their data at all times. Making this hard for users can be very costly (see fines).

• More data is becoming ‘personal’ (and thus less is ‘pseudo-anonymous’): the GDPR is stricter in what can be seen as ‘personal’ data. E.g. an IP-address or the entire flow of a user through a website (e.g. Hotjar) will be seen as ‘personal’ data.

• Documentation & policy: as an organization, you’ll need to be explicit in telling your users how and where you use their data. Simply writing ‘Marketing purposes’ won’t go well with the legislator. Something like ‘showing users products they’ve seen on our site on Facebook’ will do better. Using consumer data for analyses or profiling? You’ll need to explicitly tell them.

• Registration and accessibility: as an organization, you’ll need to make sure you know where all data is stored, and how, and by whom, it is used. You also need to be able to prove that a user gave active consent, and when and how he/she did this.

• Security: the basic point is that you must take appropriate measures to secure the storage and transfers of your data. So no passing data in the URL, no saving in databases without passwords, no skipping HTTPS, etc. Basically: things you wouldn’t want to do anyway. The GDPR comes up with one suggestion: encryption. Light bulb: storing your stuff in the cloud? Encryption is probably a good idea. You also need to actively notify your users if you had a data breach.

• Geographical expansion: even businesses outside the EU serving customers in the EU will be held to the GDPR rules.

• (Much) higher fines: serious offences can be fined up to €20 million or 4% of the total worldwide turnover, whichever is higher. Lesser offences are still no picnic: up to €10 million or 2% of the total worldwide turnover.

All right, so what does this exactly mean? Here are some implications:

• Make sure your cookie notification is GDPR compliant, so only set cookies once someone has actually, actively agreed. The EU is currently working on more elaborate legislation telling you more explicitly what is allowed and what is not, called ePrivacy. Keep an eye out to see whether you’re good.

• Want to use user data for marketing? E.g. remarketing on Facebook? You guessed it. Make sure you only set cookies after active consent and

• Make sure your privacy policy is up to date and actually tells in simple terms what you’re doing. So no legal jibber jabber.

• You can still run analytics (like Google Analytics) without active consent. Really? Yes, with certain alterations. As described above, and without going into too much detail: there is a difference between ‘personal’ and ‘pseudo-anonymous’ data. Basically, if you make very sure that data can’t lead back to the user, you can use it (although users can still opt out of this). You can find how you can tweak Google Analytics for this here.

• You’ll probably lose a % of your remarketing audience, the completeness of your user profiles etc. However, in reality it’s very likely that a lot of users will start using built-in browser features to accept cookies to rid themselves of the annoying notifications. Time will tell.

• Don’t have a direct relationship with ‘your’ users? You’ve got a big challenge. Third party data handlers are hit hard by the GDPR. Also, if you’re using a DMP with third party data, you need to critically evaluate this.

• Make sure you know where and how your data is stored and make sure you take the appropriate measures to protect your data, while at the same time making it easily accessible for users so that they can control what data you can use for what.

To summarize: When thinking about the implications of GDPR, think active consent, simple and clear internal and external documentation of what you’re doing, direct relationship with your user and making it possible for users to control their data. And make sure you do it before the 25th of May.

Completed Netflix? You can find the entire regulation document here.

How does this work for ‘data handlers’ like StoryTEQ?

So, at StoryTEQ, we use data to make video more relevant for the viewer. This means we ‘handle’ data of organizations using our solutions. As an organization, you’ll need to be aware of the following things when working with ‘data handlers’ like StoryTEQ:

• We can only use user data when users actively gave you as an organization permission to do so. Meaning:

• You’ll need to tell your users in your cookie / data policy that you’re using their data to provide them with a more relevant user experience (e.g. on your website), by using their data in video

• We can only use data of users that accepted cookies / your data policy

• You as an organization are responsible for having the correct permissions

• You will need to make sure the data handlers you use handle the data in a GDPR compliant way
