Let’s face it: very few companies are fully prepared for the General Data Protection Regulation (GDPR) that comes into effect on the 25th of May, 2018.
Marketers have had their fun with freely handling user data or taking advantage of many gray areas, but now the party is over. The majority of professionals working in the digital industry are in the state of mild panic as they are not quite sure how to comply with the GDPR and continue their business operations without suffering through losses or risk getting fined.
Truth be told, we know the GDPR was bound to happen. The previous data protection directive from 1995 has become seriously outdated in the age of hyperconnectivity, rapid globalization, and advanced technological development. After four years of preparation and debate, the GDPR was officially approved by the EU Parliament in 2016.
So, companies and organizations had a two-year grace period to make their operations and procedures GDPR compliant? Yep. Unfortunately, a lot of misinformation, speculation, and a bit of hysteria has appeared across the web, particularly in the digital marketing industry.
This is why we decided to create an ultimate resource on how the GDPR will affect the SEO and digital marketing industry.
We are going to explain the significance of GDPR and its impact on SEO, both in means of 1) SERP rankings and 2) the inevitable changes the industry will go through.
Given the fact that SEO is an important piece of the inbound marketing puzzle, we will share our expert analysis regarding the transformations we can expect on the digital landscape.
Fasten your seatbelts, as we can expect a bumpy road ahead.
The Historical Significance of the GDPR and Key Changes it Brings
The General Data Protection Regulation represents the most important data privacy change in the last two decades. Compared to the previous directive, it firmly insists on:
- Uncompromising transparency regarding collecting and sharing personal data;
- Legal responsibility of both data controllers and data processors (e.g. both parties are liable to notify users and each of the countries’ representatives about a data breach within 72 hours of the incident);
- Shifting power to users by giving them back rightful control of their personal data (they have the right to access all their personal data records, demand a deletion of these records, or request their data to be transferred to another company);
- Making user consent mandatory (opt-ins have to be displayed clearly and are only valid for a single purpose)
More importantly, the GDPR has redefined what accounts as personal data.
Under the previous Data Protection Directive (DPD), data such as personal names, photos, contact information, social security numbers and bank accounts were considered personal data. Now in addition to these, IP addresses, biometric data, mobile device identifiers and geolocation, economic status, as well as one’s whole identity in the broadest sense (psychological, genetic, social, and cultural) – are all considered to be personal data.
The GDPR also has a broader jurisdiction compared to DPD. Namely, it is a regulation, not a directive, which means it’s immediately applicable in all EU Member States. However, in the specific case of the GDPR, the law is enforceable beyond the EU territory. Each company or organization, no matter the territory and location, is obliged to respect this law if it in any way collects the personal data of EU citizens.
Having this in mind, it’s clear that the GDPR actually sets a new global standard for data security.
GDPR Misconceptions Are Shockingly Common Among Digital Marketing Professionals
Hubspot’s research from the third quarter of 2017 shows that a worryingly small number of marketers know about the GDPR and the key changes it brings in terms of data privacy:
Only 36% of marketing professionals and businesses have heard of the GDPR regulation and are not prepared for it.
Due to the poor understanding of what GDPR compliance actually means, there is a lot of misinformation about it, as well as wrong interpretations of different legal terms and articles.
Here we debunk some of the most common ones:
1. The “My Business Falls Under the GDPR’s Legitimate Interest, so I Don’t Need User Consent” Misconception
Most marketers find the concept of “legitimate interest” stated in the GDPR confusing.
To make it crystal clear: if you’re a salesperson or a marketing professional who is looking to collect data and create more relevant and personalized experiences for users, you do not necessarily have a legitimate interest that could override the fundamental rights and freedoms of the data subject, i.e. the user in question.
If you, as a marketer, want to increase your sales and generate more leads by tracking users’ online behavior or engagement (i.e. by utilizing personal data), you are bound by the law to:
- Explicitly ask for specific consent
- Ensure you are not collecting any data from children
Within the GDPR document, you can find the following excerpt:
The processing of personal data for direct marketing purposes may be regarded as being carried out for a legitimate interest.
The verb “may” indicates that direct marketing could, in theory, fulfill all of the legal requirements and constitute a legitimate interest. However, if you keep reading, you will see that the consent is non-negotiable and mandatory for marketing purposes:
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
To sum it up, you need user consent. Your personal interest to generate more revenue or acquire more customers through marketing practices – is not equal to the legitimate interest concept as legally defined in the GDPR.
2. The “My Business is Not in the EU, so I’m Safe” Misconception
Marketers operating outside of Europe often disregard the GDPR as an EU law that does not apply to their businesses.
However, as we already mentioned in the first section of this article, the GDPR is applicable not only in the Member States, but worldwide, for each company or organization that collects and handles data of EU citizens.
That being said, it’s crucial to understand that businesses outside of the EU can be sued for misusing collected personal data or for collecting it without user consent. Users from the EU have the right to perform class action lawsuits.
Penalties are extremely high: up to 20 million euros or up to 4% of annual global turnover. Maximum fines can be charged in the case of processing consumer data without consent (or without sufficient consent) or by breaking the Privacy by Design rule. Privacy by Design implies a higher level of responsibility for companies as they now have to take in mind new privacy rules during the design of all stages of their projects.
High fines only underline just how serious the EU is about respecting new data security rules.
3. The “I’ll Just Block EU Users, That Should Do It” Misconception
Some companies that don’t do business in the EU and have no interest in engaging people from Member States – choose to block visitors by countries, i.e. cut off EU site visitors completely.
This is clearly the path of least resistance, but it is also an extreme measure that’s not advisable, for several reasons:
1) The GDPR has EU citizens in mind, but it, in fact, imposes new security standards that and look to resonate with today’s digital era and build more digital trust on a global level.
2) Blocking by country is not an unusual practice for webmasters, but in most cases – it’s intended to block an IP of a country that has been identified as a source of a series of malicious attacks and does not bring any business value. However, refusing to comply with the GDPR by blocking all EU countries does not only reflect an unwillingness to show respect for users and give them full control of their data, but also creates a division in cyberspace; we might even call it discrimination by location.
3) EU is the world’s second-largest economy generating $19.9 trillion in 2017. It boasts great purchasing power and a versatile and rich market. By turning their back to the EU, companies are actually missing out a valuable business opportunity.
4) According to Gary Southwell, VP and General Manager of the cybersecurity division of CSPI, other countries and regions (e.g. Asia, Australia, even the US) are also considering more strict consumer data privacy laws. The GDPR could serve as a role model legal document. Having in mind this global wave of change in privacy laws that seems to be catching on, ignoring EU users is not a very smart, long-term solution.
5) Blocking traffic from the EU can also affect your SEO, especially if you have a significant number of visitors and followers from the Member States. For instance, if a lot of EU webmasters linked towards your content and you forbid them for accessing your website, it can result in high bounce rates, lost links, and even a bad reputation for your brand.
Now, let’s move on to examining how the GDPR affect SEO (both in terms of rankings and changes within the industry) and the overall digital marketing landscape.
Digital Marketing and SEO Industry Will Go Through Disruption Under the GDPR
1. Personalization Becomes Extremely Challenging
Today’s consumers expect highly relevant and personalized experiences when they interact with brands. Marketing has evolved to the “me selling proposition” that allows consumers to symbolically “take ownership” of the brands and adjust their products and services so that they fit their wants exactly.
By giving away their power to users and customers, brands are actually empowering themselves.
Sometimes, personalization doesn’t have to heavily rely on collecting data. Take the shoe industry for an example: globally recognized brands like Vans, Adidas, Reebok, Nike and Converse, all give users an opportunity to create their custom pair of sneakers and additional accessories, then make a purchase, and get their uniquely made products delivered to their doorstep within just a few weeks.
In these cases, the personalized product is created by the customers themselves and they are in the driver’s seat.
However, in the data-driven sense, personalization is about crafting highly individual experiences for each customer or segmented group, without them participating in the actual design of these experiences. Actions like sending targeted emails, exposing prospects to relevant ads that are likely to convert, or tracking online behavior via cookies – all will go through severe changes.
The GDPR will make collecting data a challenge.
However, consumer behavior is not likely to change. Consumers have become accustomed to receiving personalized content and they somewhat expect it. But, they might not be that open to share personal data due to skepticism and mistrust, especially after the recent Facebook Cambridge Analytica scandal or reading various stories about data breaches.
The GDPR gives users more authority and a right to protect their personal data, which is why businesses will probably struggle to find a way to both:
- respect users’ right to data privacy
- satisfy their expectations regarding personalized interactions and content
Transparency remains an imperative. However, in addition to asking for explicit consent, it is a good idea to try to educate users about the ways their data is being used and how they can benefit from it. Working on building digital trust can give businesses a competitive edge.
2. In General, SEO Will Become More Valuable
It’s pretty clear that under the GDPR, typical digital marketing practices such as remarketing, email targeting, and various forms of highly specific paid ads will suffer a blow.
In this context, SEO will become more valuable as it is not necessarily affected by the GDPR.
If you’re using Google Keyword Planner or Ahrefs, you are safe to do your keyword research as both tools rely on anonymized data, which does not break the GDPR rules in any way.
For instance, Ahrefs uses clickstream data as a “source” for its keyword data which perfectly complies with the regulation. Take a look at the excerpt from the GDPR’s Article 26:
The principles of data protection should therefore not apply to anonymous information, namely, information which does not relate to an identified or identifiable natural person or to
personal data rendered anonymous in such a manner that the data subject is not or no
As personal data becomes harder to reach, content marketing and SEO are likely to become techniques for attracting new visitors and building relationships through less aggressive methods. Optimized content could likely become a primary way to reach new customers and users, with the assumption that fewer data subjects will be willing to share their personal data for advertising purposes, after getting to know their rights.
3. SEO and Geo Targeting Gets Harder; Mobile Marketing is Affected, too
As we mentioned, the GDPR broadens the list of data that is to be considered personal, adding geolocation and mobile identifiers to it, too. When requesting geolocation from users, marketers will now have to require explicit consent and respect users’ right to know what purposes the data be used for.
Geotargeting can be a valuable SEO technique, but under the GDPR – things are about to take a turn. However, Google has made it easier for webmasters to make necessary changes to their Google Analytics profiles. In summary, you will need to:
- Audit your existing data for any PII (Personally Identifiable Information)
- Design transparent opt-ins and opt-outs
- Turn on your IP address anonymization (this reduces the geographic reporting accuracy)
- Analyze your existing collection of pseudonymous identifiers
Google Maps already notifies users about what happens when they turn on their location. As a user, you encounter the following message:
To continue, turn on device location, which uses Google’s location service.
By clicking on the drop-down menu, you get additional information regarding the way your data is collected:
Google may collect location data periodically and use this data in an anonymous way to improve location accuracy and location-based services.
From the GDPR persepctive, this might be perceived as not being an explicit and transparent enough way of asking for consent, specifically because users are not openly informed about their data being used for advertising that uses geographical proximity to target users.
However, Google has announced the release of new tools that help search marketers meet GDPR requirements within its Accelerated Mobile Pages (AMP) Project.
4. GDPR and Rankings: What We Can Expect
Google has always advocated web security (e.g. favored secure websites with SSL certificates), which is what sparked speculation that it might reward GDPR-compliant websites with a ranking boost.
However, there have been no official announcements from the company that would confirm any GDPR-related changes in the search engine algorithm. Some in the digital marketing industry are still not convinced, particularly because Google has a reputation for being secretive about algorithm updates.
But, let’s look at the facts and try to analyze possible correlations between the GDPR and rankings in the future. There are two main things we need to consider:
a) To a Large Extent, Google Dictates Web Security Protocols
When it comes to the HTTP vs. HTTPS debate, a lot has changed since 2014, when Google stated that secure websites (i.e. HTTPS) might experience a ranking boost. One of Google’s Chromium Projects implies a three-phased plan that should result in creating an improved and more secure web. Although this plan revolves around Chrome updates, not algorithm changes, the biggest security novelty is that, as of July 2018, all HTTP pages will be marked as “not secure”.
This brings us one step closer to HTTPS websites becoming a standard, not just a preferred security choice. Businesses that choose to obtain the SSL certificate for their websites typically understand the importance of preserving secrecy and data integrity, which makes them more trustworthy and credible. Needless to say, their contribution to web security is recognized by Google and they enjoy a slight ranking boost.
b) Google’s Primary Goal is to Deliver the Best Possible User Experience
Google has always been focused on users and both its algorithm and technology have become extremely advanced.
It is estimated that up to 50 million websites use Google Analytics for measuring their website’s performance and collecting data. Given the fact Google Analytics captures data regarding page, browser, and user information, it acts as a data processor and is held accountable just as data controllers are under the GDPR.
Of course, Google has made Google Analytics and other products GDPR compliant, making it easy for both its customers, users, and data subjects to take necessary action in accordance with the GDPR rules.
However, Google did not have EU citizens in mind when complying with the GDPR. In the spirit of user equality and out of respect for each data subject (regardless of their location), they have updated their privacy policies and took “the opportunity to make improvements for Google users around the world”.
When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.
So, what can we conclude about the possibility of GDPR compliance becoming a ranking signal?
- The GDPR is legally binding, whereas owning an SSL website certificate isn’t (although it’s likely to become a norm), which means there is a strong probability that Google might take the role of an additional authority that ensures webmasters are responsible and respect the regulation.
- Google has no way of knowing whether companies have fully complied their businesses with the GDPR, but in theory – it can scrape websites and establish some sort of scoring system in terms of how transparent webmasters are about asking for consent and explaining to users how their data will be used.
- Although it had no legal obligation to do so, Google has adjusted privacy settings for all users, regardless of their location, which says a lot about the way they feel about uncompromising web security for all. In addition, GDPR-like regulations are likely to emerge from other jurisdictions around the globe in the next few years making it more likely that Google will take some action with their algorithms.
5. The Data Economy Will Drastically Change
In the past few years, it has become crystal clear just how valuable data is going to be in the 21st century. Often referred to as the currency of the Internet, various types of data (personal data in particular) fuel digital strategies and provide businesses with precious insights about how well they are performing in the market.
Facebook and Google are known as the biggest names in the data economy and they hold somewhat of a duopoly over digital advertising: the recent report from Pivotal’s Brian Wieser shows these two tech giants control 83% of all digital advertising growth and account for 73% of all digital advertising in the US.
Those in the digital industry are well aware of how these function: both offer free services and products, but in exchange – they collect unimaginable amounts of data from users they can monetize through collaboration with third parties. With the GDPR and global media interpreting the changes it brings, the general public has become more aware and more educated about this too.
For instance, various websites request a sign up via Facebook login. Most users don’t really think about this, they just click on the usual “Continue with Facebook” button. They are then briefly notified a site or app in question won’t post anything to their profile page, they click “Proceed to Website” and that’s it. Since everything is designed to be quick and user-friendly, not many people will ask themselves why do they need to sign up with Facebook in the first place.
The truth is, companies collect data this way and combine it with their own, so they can place highly specific, targeted ads or create personalized experiences that lead to more profit. In addition, data is shared among different companies without the knowledge of users and despite the fact they gave consent to only one company.
Users are currently vaguely informed about this fact, but the GDPR is about to change that. Both Facebook and Google are obliged to comply with the GDPR and this could be quite.
So, what will change?
- Users will have to give consent to sharing their personal data and data collectors will have to explicitly state the purpose of collecting data. We cannot say for sure what will happen when users encounter a message that fully discloses a company’s intention to sell their personal data to a third party.
- Users will begin to understand just how valuable their data is and maybe even choose to sell their data willingly.
- Businesses of data brokers will be heavily affected.
- All data controllers will have to provide clear and sufficient information about privacy settings for users.
- Personal data will increase in value.
6. Marketing Professionals Will Now be Supervised by the Data Protection Officer
The GDPR introduced a new job role called Data Protection Officer and companies are obliged to employ one for greater data privacy and optimal web security.
According to the Breach Level Index report, there were a total of 1765 breach incidents. Equifax is one of the best-known examples. Even before the GDPR, businesses (particularly those that handle sensitive data on a daily basis) had to employ a cybersecurity expert or even an in-house security team.
As defined in the GDPR (Article 39), the role of the Data Protection Officer comes with a great amount of responsibility as the person acts as a security expert, crisis manager, and the PR face of the company. In summary, the main job of DPOs is to provide advice and guidance for businesses (i.e. data controllers) and act as a contact point for the supervisory authority. They are also responsible for raising awareness and educating staff about the compliance requirements, as well as running regular security audits.
In a way, Data Protection Officers function as independent bodies within companies as they are also protectors and ambassadors of data subjects and their rights. They are “bound by secrecy or confidentiality” and should not receive any instruction from company management regarding their specific tasks. In addition, they are expected to be great communicators as they need to both know understand the law and know how to explain the importance of it to different audiences – be it users, company officials, or the EU authorities.
All of this makes the job role quite challenging.
It is expected that the GDPR will create around 75,000 new DPOs job positions, which is not a number you can easily disregard. Globally, we are making a significant step towards more security and privacy for users that rely on methods such as monitoring, prevention, and education to keep everything inline with the law.
So, what does this mean for marketing professionals and digital agencies? Two important things:
- Company budgets may need to be reallocated to employ a DPO
- Marketers will be under increased scrutiny and surveillance so that the EU can ensure they comply their practices with the new regulation
With rapid globalization and development of the digital landscape, we have witnessed new, sophisticated ways of collecting and sharing personal data. The GDPR acknowledged these important changes by defining how, where, why, and under which circumstances personal data can be legally collected.
The GDPR sets a new global standard for data privacy and security and brings historic change, giving users full control of their personal data.
Thank you for reading this article from top to bottom. We tried our best to thoroughly explain how the GDPR will affect SEO and the digital marketing industry. Undoubtedly, industry experts can expect a lot of challenges and obstacles in the near future, especially when it comes to rightfully collecting data, being transparent, and surviving through the shifts that are already happening in the data economy.