How New Privacy Laws Can Affect Your Lead Generation and Retargeting Tactics


Ever been chatting with your friends on Facebook and an ad in the margin catches your eye for the exact pair of hiking boots you had been shopping for on Amazon last week?


Or how about that time you were flipping through your email inbox and in pops a Pinterest update with the perfect idea for your 8-year old daughter’s birthday party – how do they know these things?


The answer is simple: because you told them.

Whether you specifically asked for information or visited a webpage and showed interest in a product or service, you were telling that brand everything they needed to know: what you do and don’t have interest in.

How Privacy Regulations Impact Marketing

This personal and behavioral information is invaluable, particularly to marketers, who are always looking for better ways to target promotional content. Because audiences are much more likely to engage with a brand that understands where their last engagement left off, this information allows for sequential messaging that’s more useful to consumers: the messaging is based on their recent behavior rather than on the “shotgun” method of showing a generic ad to as many users in a market as possible.


Great! More relevant ads sound nice and efficient, what’s the problem?

Well, for every example of a brand using user data to better target messaging, there’s at least one example of a company abusing that privilege. Some brands sell your personal data to third parties (ever gotten a phone call offering you a “Free Cruise to Davenport, IA” without asking?), and others don’t protect your personal information well enough, so that external breaches become commonplace.

That’s horrible! But, isn’t that old news?

Sort of. These revised privacy regulations significantly impact the way brands can collect, store, and utilize the personal data that allows for sophisticated retargeting messages. They should make it easier for consumers to see what personal information a brand is holding onto, force brands to quickly report when their data has been compromised, and implement more extensive penalties for brands not adhering to these new regulations.

As of right now, here’s what you should know:

What in the heck is GDPR?

The General Data Protection Regulation (GDPR) is a landmark EU privacy compliance regulation in force starting May 25th, 2018. The new regulations apply to any business marketing goods or services to individuals based in the EU, and more specifically to the collection and storage of their personal identifiers.

What if I have a US-based business with customers in Europe – would I have to make any changes to the way I conduct business prior to May 25th, 2018?

Yes, indeed!

What if I have no customers in the EU – do I need to pay attention?

While the US does not currently feature GDPR-style regulations applying to US residents, it will observe the GDPR standards as they relate to EU citizens. In addition, it’s highly likely that the US and others (UK, Canada) will develop and approve a similar, if not the same, style of privacy regulations in the very near future. Getting to know these potential changes and preparing your site for them is a great idea.

So, what? I do what I want!


The maximum fine for non-adherence is 4% of global revenue or €20 million (roughly $24.4MM USD).


You have my attention – what data does this concern exactly?

Anything that could be used to identify a single person – things like:

  1. Name
  2. Photo
  3. Email, Phone, Address
  4. Social Profiles
  5. Medical Info
  6. Device Address
  7. Internet address

Got it – what do I have to do that I didn’t before?

Users will have new rights pertaining to when and where their information has been harvested, how it’s being used, and most importantly, if it has been compromised in any way.

Anyone remember any of the last few enterprise-level data breaches?

  1. Yahoo (2013-2014): 3 billion user accounts compromised
  2. eBay (2014): 145 million user accounts compromised
  3. Target (2013): 110 million user accounts compromised
  4. Uber (2016): 57 million users had personal information exposed
  5. And on it goes…

Were any of you affected by one of the above? How did you find out?

…You found out in the news a few weeks or months later, right?

This is a great example of what these new regulations will try to stop. Under the new standards, the user has certain rights to know when and where this occurred with enough time to do something proactive about it. There’s more:

Here’s a list of the new expectations these regulations are designed to ensure:

  1. Breach notification: Any breach must be reported “without undue delay” to all customers that were affected.
  2. Right to access: A copy of all personal data being housed for any user must be provided for free at the request of the user.
  3. Right to be forgotten: The right of the user to ask that all their data be purged from a system on request.
  4. Data portability: The right of the user to ask that their personal data be moved to another data controller.
  5. Privacy by design: A requirement for all data controllers to hold and process ONLY the data necessary for completing an on-site or off-site action as well as minimizing internal access to user data to only those required to process.
  6. Data protection officers: An individual tasked with ensuring adherence to the new privacy regulations, training any staff involved with handling user data, and conducting data audits. In a larger setting this person may be a new hire but in a smaller setting, this can be an existing staff member who would assume these tasks.

As you can see, this isn’t intended to stop marketing or to stop advertising, but to make it easier for a user to understand when, where, and how their information is being used or misused. That said, we (marketers) have a little more work to do in order to make sure this gets done.

That’s a lot of stuff – what must I change?

While some of the regulations and how they may apply to a US-based business are still in a grey area, here are a few things we recommend you start doing by May 25th, 2018.

1. Cookie Notice Pop-ups

Brands must do a better job of informing a user what their personal information might be used for. For example, ever seen a notice like this (see below)?


This is becoming more of a standard practice for any website tracking user behavior because it provides the user explicit notice they’re being tracked and what will happen from that point forward.

2. Submission form “Bill of Rights”

Right below any of your user-facing form fills, you should document what information you are collecting and how it will be used, along with a link to your brand’s privacy policy. Adding a checkbox increases the likelihood a user will commit to the end result.


Will you lose conversions? Yes, most likely because you are adding points of friction to the sign-up process. An intended consequence, however, is that those who check the box and submit their information may be more expectant of any future correspondence (email, search, social, video) and that will, in turn, increase your overall click-through rate during future engagements.

In other words – lower conversion volume in favor of higher engaged conversions – everyone’s dream, right?

3. User Data Storage

It will become very important to be able to quickly and easily send a digital file detailing the personal data held for any user, should they request it. This may require new back-end systems, processes, and/or personnel, but whatever the cost, make sure it’s a function you have going forward.

Here’s an example of software built explicitly for this purpose called – it can help identify how personal data is moving within an organization, whether there are any potential security breaches, and tracks process and security measures should documentation need to be provided to a regulatory body.


While GDPR regulations do not currently apply to US citizens, understanding how they will impact EU audiences, as well as where US regulations may be heading, will give you a leg up on remaining privacy compliant.

Keep in mind, these changes should help improve relations with advertising audiences, as we, as brands and agencies, only want to provide answers and protect user data in the process. Adhering to these standards could result in lower impression volume overall, but the audiences that remain should be better informed of what to expect going forward from each brand they interact with, and that means higher engagement!

We hope these 3 steps help your brand take steps towards GDPR compliance for today and beyond!


Erik Solan

Erik brings 8 years of experience in the field with specializations in landing page strategy, PPC strategy, cross-channel attribution, and bid strategy automation. Erik has worked personally to improve ROI performance on clients such as Pep Boys, Wyndham Vacation Rentals, and Panasonic Healthcare and showcases vertical experience in Automotive, Healthcare, Restaurant, Fitness, Travel & Hospitality, Finance, Law, and Consumer Packaged Goods. When not attached to his laptop, Erik can be found enjoying life with the fam – camping, smoking meat & tipping ales, and contemplating when it was exactly LEGO sets became so ridiculously expensive. Also Tom Waits is his spirit animal.