Ready, Set, Privacy: A GDPR Checklist For Brands

GDPR is upon us. Here is a last-minute checklist to help businesses make sure they’re ready, from data classification to user interface changes, along with expert advice to avoid common pitfalls along the way.

First and foremost, don’t ignore GDPR. It’s easy to assume that if your company is based outside of the European Union (EU), GDPR won’t apply to you.

“We advise that US-based businesses still need to comply with (let alone care about) GDPR, for a few reasons,” Anne P. Mitchell, attorney, GDPR compliance consultant and author of Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law) told AListDaily.

She warned that assuming GDPR won’t apply to your business can have dire—and expensive—consequences if that turns out not to be the case.

“You really have no way of knowing whether someone with whom you are interacting online is actually in the EU or not,” said Mitchell. “IP address geolocation is not only unreliable, but it is also prohibited by GDPR.”

Mitchell explained that GDPR prohibits companies from using automated means to determine information about a data subject, including location. In other words, companies cannot simply exclude a user from accessing a web page because they are located in the EU.

“Second,” she continued, “GDPR applies to ‘people in the union,’ not ‘residents’ or ‘citizens.’ If I, a US citizen, do business with your US-based e-commerce site with my US-based email account—but I happen to be mid-flight over Germany at the time—I am, at that moment, technically, in the union.”

Some Assembly (And Help) Required

GDPR compliance will take a global, group effort. Here are some steps businesses should take to make sure everyone is ready by May 25.

  • Appoint a data protection officer (DPO) and create awareness among chief decision makers about the GDPR guidelines.
  • If you are outside the EU, appoint a representative in the EU.
  • Train staff to be aware of new data requirements.

The Interactive Advertising Bureau (IAB) has also released a set of tools to help attain GDPR compliance.

Classify Your Data For Proper Handling

Much as you would label packages “urgent,” “fragile” or “return service requested,” all data collected and stored by a company must be classified to ensure that sensitive information is handled properly. Correctly labeling data should also raise awareness among end users so that they understand what information is stored and how it will be used.

Data classification is typically the responsibility of the chief information officer (CIO) or chief information security officer (CISO). In order to ensure compliance, make sure your technical data is up to date so that it can handle data classifications properly as well as requests from users.

Time For A User Interface Makeover

Make sure users can easily:

  • Request access to their personal information
  • Update their own information to keep it current
  • Request that their information be deleted
  • Request that your company stop processing their data
  • Request that their information be transferred to them or a third party

Even if you’re not sure that GDPR applies to your company, becoming compliant makes good sense, Mitchell explained, adding that companies should announce GDPR compliance right on their websites, marketing materials, etc.

“At a time when data security (and lack thereof) is front and center on consumers’ minds, being able to say you are GDPR compliant is a huge plus in terms of giving consumers peace of mind,” said Mitchell.

Knowing Is Half The Compliance Battle

It’s a big world, and the internet connects us all. You never know who is accessing your business’ website or services and where they are at the time. For that reason, Mitchell says it’s better to be safe than sorry—and fined €20 million (nearly $25 million USD) or four percent of a business’ gross annual worldwide income, whichever is higher.

“GDPR specifically states that they will go after anyone—anywhere—who violates GDPR with respect to someone ‘in the union,’” warned Mitchell. “Plus, GDPR also has a private right of action, meaning zealous individuals will be filing their own grievances against companies wherever those individuals feel their rights under GDPR have been violated.”

According to a report by Crowd Research Partners, 60 percent of companies admitted that they are likely to be in breach of the law by the GDPR compliance deadline, and close to a third have not even started the compliance process. Will you be ready?

Editor’s Note: The information provided in this article is for educational purposes only and should not be construed as legal advice. Companies seeking GDPR compliance should consult legal counsel prior to making decisions regarding data privacy.

Facebook Now Requires Political Advertising Disclosures

At long last, Facebook is putting one of its transparency principles into practice, requiring that all political advertisers disclose their identity and personal address to Facebook, and disclose their funding source to the public.

The program is currently limited to political and issue ads in the US, meaning that advertisers hoping to influence elections in other regions need not change their strategy just yet. However, Facebook promises that the policy will be expanded to the rest of the world “in the coming months.”

“In order to get your Page authorized to run political ads, we need to know that there’s a real person who has US residency who is responsible for the Page, and we need to know who’s funding the political ads,” the company states in its Facebook political ads guidelines.

Advertisers that abide by this new policy will see their political ads displayed as normal, but with a header declaring the ad to be a “Political Ad,” and a disclaimer displaying the ad’s source of funding “as provided by the advertiser.”

“We’re making these changes to increase ad transparency and as part of our election integrity efforts on Facebook and Instagram,” the company declared, but as its new policy operates at the moment, it’s doubtful that it will have any substantive effect on Facebook political ads.

To start, the authorization process only requires one of a Page’s admins to provide proof of US residency—a roadblock easily circumvented, given how simple it is to change Page administration privileges. Additionally, political ad funding disclosures are entirely self-reported and unverified by Facebook itself, meaning that users can easily just lie if they choose to.

“We’ll review your entry against our advertising policies, but you’re responsible for making sure your ad complies with any applicable law,” the company states.

Furthermore, the Facebook political ad disclaimer will not appear beside the post if it is shared organically, negating the original purpose of the disclosures if they are spread through word-of-mouth.

“An ad that a person sees and chooses to post is now a piece of organic content rather than an ad,” Facebook states.

All of these quibbles aside, Facebook’s new policy leaves doubts as to the effectiveness of a small header at mitigating the effectiveness and spread of vitriolic or misleading ads in the first place.

Overall, the new policy seems to be obeying the letter of election transparency law rather than the spirit, bringing Facebook legally in the clear without making much of a dent in the actual problem.

Only 3% Of Marketers Agree With Video Viewability Standards

Marketers continue to invest in video this year, but are frustrated with the current advertising landscape, according to a report by the CMO Council and ViralGains.

The report, “Engage at Every Stage: An Investigation of Video Activation,” surveyed 233 senior marketing leaders during the first quarter of 2018, of whom roughly 109 hold the title of CMO or senior vice president of marketing. Some 43 percent of respondents represent companies with revenues greater than $1 billion, and 47 percent hold the title of CMO or senior vice president of marketing for their organizations.

Digital video is considered more important than other media investments by 28 percent of respondents and 40 percent say that video is growing in importance. However, nearly all marketers disapprove of viewability definitions.

According to the Media Rating Council, a video view is defined as 50 percent of content playing for two consecutive seconds with the sound off. The survey found that only three percent of respondents agree on this definition. Of those who agreed, 30 percent admit that they can only approve of it because there isn’t a better metric to embrace.

Inspired by companies like Procter & Gamble and Unilever drawing lines in the sand for digital advertising to provide better transparency and trust, 95 percent of respondents agree that digital media’s “free ride” is over. Despite this zeal for change, 52 percent of respondents were unclear about how to act or facilitate change, indicating a need for improved leadership and direction across the digital advertising industry.

Of the respondents, 163 indicated that they are actively investing in digital video advertising. According to the report, 96 percent of marketers intend to increase video investments in 2018, with nearly half increasing spend by up to 25 percent and 15 percent indicating an increase of more than 50 percent.

Marketers are placing an emphasis on social media for their video efforts, the survey found. Twenty-six percent of respondents have earmarked more than half of social media investments for video ad placement.

Advertising Drives Alphabet, Inc. Revenue Up 26 Percent in Q1

Google parent company Alphabet, Inc. reported first quarter 2018 earnings of $31.1 billion, a year-over-year increase of 26 percent.

Non-ad revenue streams such as Google Play, cloud apps, services and hardware rose 36 percent in the first quarter to $4.35 billion.

The Price Of Programmatic

A majority of Alphabet’s income in the first quarter—$26.6 billion—comes from Google’s programmatic advertising services. Paid clicks on Google’s own sites and apps rose an impressive 59 percent year-over-year, compared to 48 percent year-over-year in the fourth quarter.

Cost per click (CPC) on Google’s own sites and apps fell 19 percent annually, a slightly larger drop than 16 percent in the fourth quarter.

Google CFO Ruth Porat said that the company benefited from strong mobile search growth, as well as desktop search and YouTube.

All About That Assistant

A major emphasis was placed on Google Assistant during the first quarter earnings call—not surprising considering the company’s experiential marketing efforts at SXSW and Assistant-focused commercials aired during the Academy Awards.

Google Assistant can now help users with over one million tasks, according to the company. During the Q&A session, Google CEO Sundar Pichai said that their goal is to help users complete actions on mobile devices, rather than simply give search results. Pichai said they are “very excited” about mobile opportunities.


Brand safety was addressed, as well, with Pichai outlining recent efforts by YouTube to prevent offensive content before it has been posted. Using a combination of human and machine learning, over six million videos were flagged and removed before going public, Pichai said. Monetization requirements were changed for users recently, as well, restricting monetization to channels with over 10,000 minutes viewed. In the first quarter, channels earning more than six figures per year rose 40 percent.

YouTube continues to grow. Pichai noted that over 100 videos have surpassed one billion views and the exclusive Coachella livestream boasted one million views.

IAB Continues Transparency Push With Acquisition Of DigiTrust

IAB Tech Lab has acquired DigiTrust and will integrate its neutral identifier technology into services for the digital marketing ecosystem.

As it comes just a month before the GDPR compliance deadline, IAB’s acquisition of DigiTrust is timely. DigiTrust’s technology and services can provide additional infrastructure for IAB’s GDPR Transparency and Consent Framework initiative, the company said. IAB Tech Lab is developing standards for transparency, consumer protection and “appropriate consistency” across its services.

DigiTrust creates a neutral identifier for its members to use online that replaces third-party requests such as cookies. Since thousands of companies use their own cookies to track user behavior, a universal token would, in theory, provide more accurate tracking data to marketers and speed up web page viewing, since multiple cookies would no longer be necessary.

A neutral ID would serve as a baseline for related commercial offerings, explained IAB Tech Lab senior vice president and general manager Dennis Buchheim in a press release.

“Audience recognition is central to ad relevance and effectiveness, privacy and consent, measurement, attribution, anti-fraud efforts, brand safety and more,” said Buchheim. “Our vision is to bring together Tech Lab’s expertise and technical standards portfolio with DigiTrust’s footprint, storage mechanism and real-time services to help move the industry forward in audience recognition, privacy controls, etc.”

Despite the acquisition and all the consumer data that comes with it, IAB Tech Lab promises to remain a neutral third party. IAB Tech Lab and DigiTrust will not collect, store, share, use, buy or sell consumer behavioral data or personal information, the company said.

“We recognize that audience recognition and privacy standards necessarily entail great responsibility by our members on behalf of the consumers they reach globally,” added Buchheim. “This work must be governed appropriately and implemented responsibly, without bias. We’re looking forward to working with and supporting all DigiTrust members.”

P&G Returns To YouTube, Wary Of Programmatic

After taking a year-long break from buying ad space on YouTube due to numerous ad fraud and brand safety concerns, Procter & Gamble is tentatively back on the platform.

P&G, which spends $2.75 billion on advertising annually, will manually okay videos and channels it advertises on. So far, it is only considering ad space on 10,000 channels, compared to the 3 million it placed ads on back in 2017.

“We paused advertising, and for the past year, we’ve worked extensively with YouTube to improve brand safety,” said Tressie Rose, a P&G spokesperson, in a statement to Bloomberg. “We now feel the right measures are in place for P&G brands to have the option to advertise on YouTube.”

This special relationship with YouTube may serve P&G well to keep its brand safe, especially since YouTube is embroiled in yet another brand safety scandal, as CNN reported on Thursday. More than 300 different companies saw their ads algorithmically placed in front of white nationalist content.

“We have strong values-led guidelines in place and are working with YouTube to understand how this could have slipped through the guardrails. We take these matters very seriously and are working to rectify this immediately,” a spokesperson for Under Armour, which has paused its advertising on YouTube, said to CNN.

Despite YouTube’s efforts to compensate for the flaws with its algorithmic moderation systems, such as promising to drastically expand its human review team, video ads continue to appear beside extremist content without the video hosting service intervening.

P&G seems to understand the platform’s limitations, taking moderation into its own hands, in line with its previous efforts to “cut waste” from its digital advertising budget. If YouTube can’t (or won’t) step up to protect its brand partners, P&G has committed to protecting itself.

“We are committed to working with our advertisers and getting this right,” a YouTube spokesperson said in a statement to CNN. The company has not specified just how it plans to do that.

Frosted Flakes And PRETTYMUCH Premiere Single On Cereal Record

Bringing unprecedented innovation to the grain industry, Kellogg’s has announced today that it has set records by manufacturing the first-ever vinyl out of chocolate Frosted Flakes cereal.

Partnering with Simon Cowell–assembled boy band PRETTYMUCH, Kellogg’s is releasing the single “Hello” for the first time on a 3D-printed, edible, chocolate-flavored record.

“Through our music, we’ve always advocated for having fun and living your greatness in everything you do ’cause it’s just so important to stay true to yourself and have a good time doing it!” said PRETTYMUCH member Brandon Arreaga in a statement, adding in a bit of a non sequitur: “So, we thought, what better way to do that than release our newest song on the first ever record made of Chocolate Frosted Flakes?”

The record, which according to Billboard will survive seven to ten play-throughs of the single, will be distributed to select members of the band’s fan mailing list at a Kellogg’s-branded cafe in New York City. For the less fortunate, the record will be passed out for free to customers at the cafe while supplies last.

Additionally, the official music video for the single features Frosted Flakes mascot Tony the Tiger dancing alongside the boy band, who also sit down in front of a blue screen to have a hearty meal of the chocolate cereal.

Those that miss the chance to visit the New York location will have a second chance to buy the record on April 21 at Reckless Records in Chicago, in celebration of Record Store Day.

The vinyl itself is as loosely based on Frosted Flakes as it is on the concept of a vinyl, with a substantial dark chocolate coating forming the actual grooves read by a record player’s needle.

It should also be noted that while vinyls are known for their durability and unmatched sound quality, the PRETTYMUCH/Frosted Flakes single is somewhat lacking in both categories.

This is hardly the first time Kellogg’s has taken advantage of bizarre brand partnerships—to promote its family of products in 2016, the company released a Captain America: Civil War–themed virtual-reality experience.

60 Percent Of Organizations Still Unprepared For GDPR Compliance Deadline

Despite ample time to prepare and numerous compliance tools made available by trade organizations like the IAB, the GDPR compliance deadline of May 25th is barely a month away and, according to a new report by Crowd Research Partners, the majority of businesses are on track to fail the law’s privacy standards.

Of the 531 organizations surveyed, only 7 percent claimed to be in full compliance with the law. A full 60 percent admitted that they are likely to be in breach of the law by the GDPR compliance deadline, and close to a third have not even started the compliance process.

“While this is an improvement over last year’s survey results, where only 5 percent indicated compliance readiness, it is still an alarmingly low number,” the report reads.

The majority of companies—53 percent—see the “right to be forgotten,” allowing data subjects to request their information be deleted from company servers at any time, as their largest concern.

Several organizations have announced working on tools to help companies comply with consumer data requests, including, unsurprisingly, one that takes advantage of the blockchain. However, external tools aren’t enough—the law mandates that data protection measures be “baked in” to a company’s processing operations from the bottom up.

Part of this unpreparedness may stem from ignorance of the law itself. While 80 percent claimed that GDPR compliance is one of their organization’s top priorities, only half attested to having significant knowledge of the law, and a quarter admitted to having either limited familiarity or no knowledge at all.

For those making efforts to comply, lack of staff and resources represent a major burden to meeting the GDPR compliance deadline. Forty-three percent of respondents claimed that they do not have employees with the necessary skills to get them on track to comply with the law, and 40 percent do not have the money they need to make necessary changes.

For most companies, complying with GDPR in time will not be a close call: 53 percent of those surveyed expected to need six or more months to fully follow the law. A full 26 percent of companies will need two or more years to get their affairs fully in order.

The penalties for violating provisions of GDPR can be as much as €20 million or 4 percent of global revenue for the year, whichever is higher.


Zara AR App Hopes To Draw Teens In-Store

In a bid to engage younger audiences with retail locations, Zara has released an augmented reality experience, called Zara AR, that displays a virtual fashion show to interested shoppers.

Zara AR allows users to “shop the look,” placing virtual models in three-dimensional space that twirl and walk to show off clothes that app users can then purchase directly through the app.

Unlike many branded AR apps, especially those pertaining to the beauty industry—which strive to be available according to the whims of their users—Zara AR trades in exclusivity. To use any of the app’s features, users must first travel to a physical Zara location or visit its website.

For online purchases, the app features alternative clothing displays on delivered packages, breathing a little life into the inescapable “recommended item” box on ecommerce sites.

The app also includes social media support, with a press release touting “a tool for sharing the experience on social media, encouraging users to take and submit photos of the holograms, establishing a virtual connection that appears remarkably real.”

Even so, since the app requires users to already be shopping at a Zara location, it focuses much more on closing sales than spreading brand awareness.

Though the fashion brand promises to fully roll out the AR experience in the future, there are currently only 120 Zara locations worldwide that support the new app, of which only seven are in the United States. In the AR-supported locations, Zara has done away with mannequins entirely, replacing them with blank walls and podiums bearing the message “Experience the Look.”

Zara AR bears the greatest similarity to Wayfair’s AR activation, which likewise gives users the opportunity to get a sense of how their purchases will look on bodies as opposed to the tightly controlled two-dimensional space on their computer screens.

Duolingo Adapts Social Strategy To Reach Bilingual Users

At the end of 2017, Duolingo, a popular online language learning service, did something unusual for an edutech firm: They started a podcast. As a “freemium” educational product, Duolingo uses a variety of avenues to attract new customers and keep (and monetize) the ones they already have. Podcasts are just one part of a social media strategy aimed at courting an audience split across countries, continents, and languages. 

Facing Freemium Challenges

Pittsburgh-based Duolingo was founded in late 2011 and was recently valued at over $700 million. The company quickly took on industry incumbents like Rosetta Stone by offering a completely free product that helped them become a dominant player in the online language learning space. Users access Duolingo either through its website or smartphone or tablet apps.

The company monetizes in three primary ways. Free users are served ads on their website and mobile apps, and there’s also an option for users to pay a monthly fee for an ad-free experience that includes extra freemium functionalities like offline downloading. Duolingo also offers non-English speakers a $49 online English proficiency exam which Sam Dalsimer, the company’s senior PR manager, says is primarily used in college and universities admissions.

Depending on the prism it’s viewed through, Duolingo is either an edutech company or an app maker. Their major social media marketing challenges are the same either way: A fragmented user base that uses Duolingo for very different purposes, and a wide variety of social channels preferred by very different users.

Going Across Platforms

Duolingo has official presences on Facebook (~1.5 million likes), Twitter (259,000 followers), Instagram (~5,700 followers) and Google Plus (~298,000 followers). According to Dalsimer, Google Plus remains popular in international markets like Brazil, where Duolingo has a presence.

The company maintains a unified visual opportunity for social media content; the same artist creates unique illustrations for all of Duolingo’s social media content, and the company deliberately carries the same cartoon-y aesthetics from their website and apps into the social media world.

Complicating things for Duolingo’s social media strategy is the fact that Duolingo serves two very different core constituencies. The first consists of native English speakers learning a wide range of foreign languages for reasons like work opportunities, travel and heritage. The second, approximately 55 percent of their user base, consists of non-native English speakers learning English for primarily work-related purposes.

Dalsimer said Duolingo reevaluates their social media strategy every quarter, and has two current goals: Promoting their core value of diversity and informing users about new product launches, features and other company news.

However, despite teaching users everything from Spanish to Vietnamese to Russian, almost all of Duolingo’s social content is currently in English. Duolingo says that may change in the future.

Official And Unofficial Presences

Duolingo’s official Facebook page is accompanied by unofficial pages like Duolingo English-Spanish and Duolingo Greek Learners, the multi-platform Shit Duolingo Says, which highlights awkward and humorous translations, and the popular-but-unsanctioned Duolingo subreddit.

These unofficial sites arguably boost Duolingo’s engagement and name recognition, but exist outside of the service’s officially sanctioned social media presences. The Duolingo subreddit, for instance, is a mixture of praise and complaints about the service, while Shit Duolingo Says often features off-color content that doesn’t necessarily align with Duolingo’s brand.

In the case of Duolingo, the company balances the fact that they have an officially sanctioned user forum with a very active user base. Unofficial social media presences present service feedback and bug reporting.

App Lessons

Duolingo is a good example of how a mostly free educational app is trying to avoid user churn through social media strategy and marketing. But Dalsimer says there are foundational goals that should be set no matter the company.

“As we set our social media goals, we also think about deciding what our most important metric is and then optimize for that,” Dalsimer says. “For some brands and companies, it might be downloads or subscribes–you have to create and tailor content for that purpose. For other people, the goal might be engagement rates on posts, or calls-to-actions to put in posts–that is one of our biggest challenges. Once we make that decision, it helps us focus on what exactly we post, and the best way to do it.”

As for the podcast, it could be a bellwether of sorts in terms of social content for the growing company. The Duolingo Spanish Podcast is an important foray for the company into content that is emphatically bilingual and is aimed at the company’s approximately 110 million English speakers who have signed up for free Spanish-learning courses. The first eight episodes debuted this past winter and Dalsimer likens it to “This American Life, but in Spanish.”