Have you noticed lately that, when you’re browsing the web, there are a lot of websites that use a pop-up to ask you to accept their cookie policy? Or maybe when you’re filling out forms, you’re suddenly seeing a checkbox at the bottom of many of them, asking you to acknowledge their policies? There’s a reason for that: They don’t want to get sued.

We’ve all heard about GDPR (the General Data Protection Regulation) at this point, right? As a result, many website owners and advertisers have made sure they have a privacy policy that covers what it needs to cover — plus maybe a cookie acceptance pop-up, for good measure. What kinds of compliance measures like these have you implemented? Are you asking for consent from your website visitors and/or form submitters? Are you putting those consent notifications or checkboxes in the “right” spot on your website?

The start of a new year is an awesome time to take a deeper look at how you’re handling consent and GDPR compliance. What your privacy policy says, where you place it, and how you make users aware of it really matter. Let’s make sure you’re on the right track with yours.

GDPR and privacy policy compliance: What you should know in 2021

First things first, you must make sure you’re GDPR compliant in 2021. That means informing the individuals whose data you collect about a whole list of things, which you can find on the European Commission website. You do that by creating a privacy policy.

According to the European Commission:

“The information may be provided in writing, orally at the request of the individual when identity of that person is proven by other means, or by electronic means where appropriate. Your company/organisation must do that in a concise, transparent, intelligible and easily accessible way, in clear and plain language and free of charge.”

Keep that “easily accessible” bit in mind, because we’ll be going into the placement of your policy shortly.

There are many tools and websites that allow you to create a privacy policy by plugging in your information. This will work for some, but if you’re going to get a little complex about how you use your users’ data, you may want to talk to a real lawyer.

Here are a few of those tools to check out:

Privacy policy placement: Where to put it and why it matters

Where you put your privacy policy on your website and how you call attention to it is something that advertisers should think about.

First of all, most people link to it from either the header or the footer, so that it’s accessible from every page of the site that uses that header and footer. Since the footer is such a common place to put it, your website visitors know to look there for it and can easily locate it.

Beyond that common placement, there are some other important things to know about placing your privacy policy on your website, especially if you’re running paid ads.

Privacy policy placement on landing pages

If you browse the internet often, you’ve probably noticed lately that privacy policies are much more prominent now than they used to be on landing pages. If you’re filling out a form, you may even see a link to the privacy policy right there on the form, or a checkbox to click stating that you accept the conditions.

Facebook puts theirs on the bottom of their sign-up form:

Privacy policy placement - Facebook

Spotify does the same:

Privacy policy placement - Spotify

You can find the same thing on WordStream’s form for their free Google Ads report tool:

Privacy policy placement - WordStream

Why are many companies choosing to feature that information in such a prominent spot? According to TermsFeed:

“Providing easily accessible and strategically placed links to your Privacy Policy will help prevent potential privacy complaints and legal allegations. The more accessible and prominent your Privacy Policy is throughout the user interface, the less likely customers are to complain that they ‘never saw the Privacy Policy.’”

In other words, the easier it is to see your privacy policy, the less likely you are to get sued.

For more examples of where you can place your policy links, check out this article by TermsFeed.

Now, any platform where you run ads will have its own specific requirements. Those platforms include:

  • Google AdWords
  • Facebook
  • LinkedIn
  • Twitter

Let’s take a look at each of those in more detail.

Google AdWords, Quality Score and privacy policy placement

According to Google, if you’re advertising on their platform, “landing page experience” is a factor that contributes to how well your ads will perform:

“Landing page experience is Google Ads’ measure of how well your website gives people what they’re looking for when they click your ad. Your landing page is the URL people arrive at after they click your ad, and Google Ads analyzes it through a combination of automated systems and human evaluation. The experience you offer affects your Ad Rank and therefore your CPC and position in the ad auction. Your ads may show less often (or not at all) if they point to websites that offer a poor user experience.”

While Google doesn’t explicitly state that having a privacy policy will help your landing page experience, their “Understanding landing page experience” guide says that you should “promote transparency and foster trustworthiness on your site.” One of the specific bullet points under that topic is:

“If you request personal information from customers, make it clear why you’re asking for it and what you’ll do with it.”

That’s exactly what you do in a privacy policy, folks. So while they’re not explicitly stating “privacy policy,” they want that information to be prominent. Therefore, placing your policy in a prominent spot can help your quality score. Is it guaranteed to improve your quality score if you move your policy to a more visible location on your website? Nope. If your quality score could be higher, though, it’s something to try.

Plus, if you’re using AdWords, you’re probably also using Google Analytics, which requires you to have a Privacy Policy on your site explaining your use of cookies, among other things:

“You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies, identifiers for mobile devices (e.g., Android Advertising Identifier or Advertising Identifier for iOS) or similar technology used to collect data.”

Social media advertising privacy policy requirements

In general, social media marketing is a lot like advertising on Google in terms of privacy policy requirements, but let’s go over a few specifics for each network.

Facebook

Facebook is mostly concerned about your privacy policy if you’re running Lead Ads, which is basically a lead form hosted by Facebook on your behalf. It’s like sending people to a landing page with a form to fill out, except it’s not on your website — it’s on Facebook.

Facebook’s guideline here is for a “reasonably prominent” (hello, legal speak) notice about how you’ll use a customer’s information. The term sounds murky, but they do provide an informative help page about what that means.

LinkedIn

LinkedIn’s policies are a little bit more difficult to find and not as clear to understand — as in, they’re not translated out of legal speak.

If you use LinkedIn’s conversion tracking, website demographics, or LinkedIn Matched Audiences, you must disclose your use of these services to your users:

“You agree that under Applicable Law, you have provided sufficiently clear, meaningful and prominent notice to, and have the appropriate consent from, the applicable individuals regarding any collection, disclosure, use and security of their information (e.g., Event Data and other Audience Data) for the activities under these terms (e.g., online behavioral advertising or interest-based advertising).”

Read more in the LinkedIn Ads Agreement.

Twitter

If you’re using Twitter’s conversion tracking or custom audiences functions, then you must comply with their policies. Basically, you must provide “legally sufficient notice” to users about the use of their information:

“Advertisers using these products for their websites must provide their website users with legally sufficient notice that they are working with third parties to collect user data through their website for purposes of conversion tracking and serving ads targeted to users’ interests, including the storing and accessing of cookies, and obtain legally sufficient consent from their users for these activities. These advertisers must also provide their users with legally sufficient instructions regarding how to opt out of Twitter’s interest-based advertising, including through an applicable opt-out mechanism specified by Twitter.”

A final note on privacy policy placement and a handy tool

Let’s review the legal mumbo jumbo from all these sites about the prominence and availability of your privacy policy. The big advertisers tell us that your policy must be:

  • “Reasonably prominent” – Facebook
  • “Sufficiently clear, meaningful and prominent” – LinkedIn
  • “Legally sufficient” – Twitter
  • “Our advertising partners should not misuse this information [about Google users], nor collect it for unclear purposes or without appropriate disclosures or security measures.” – Google

The main idea: Make your privacy policy unmissable in order to be as safe from legal repercussions as possible.

Now, a handy tool! The GDPR website provides a checklist for you to use to make sure you’re in compliance. Please note, it’s not for the faint of heart. It’s long, complicated, and involved. However, once you make it through, you’re pretty dang safe.