GDPR: Impact on SEO, Compliance Themes and More
December 19, 2022
Technology has impacted the online marketing world in numerous ways throughout the decades, and one prominent theme here within recent years is tracking. Advances in AI have allowed for high levels of tracking within areas like ads and marketing, but this has also led to concerns about privacy and whether users have consented to being tracked.
At SEO Werkz, we’re here to help with numerous SEO areas, from on-site optimization to link building, keyword density research and more. You may not have realized it, but these kinds of privacy areas have made their way into themes that may impact your SEO efforts; one important element here is the GDPR, or General Data Protection Regulation. Let’s go over exactly what GDPR is, plus how it impacts the SEO world – including several positive impacts this development has had on search engine optimization and related areas.
GDPR Basics and Broad Impact
GDPR refers to a set of regulations that went into effect on May 25, 2018. While this law technically only applies to the European Union (EU), the simple size of this area and economy means it’s had a major impact around the world.
GDPR requires that online users explicitly opt into any form of online ad tracking. It also requires they be given a choice about how they’re tracked, if they consent to this.
The law also speaks to specific definitions of personal data that fall under its purview. Any information that could uniquely identify a person qualifies: Name, phone number, date of birth, IP address, biometric or genetic info, health records, photos, bank information, social security number, driver’s license and many others will all fall under this category.
This sort of thing has a potentially massive impact across numerous forms of marketing – but it actually has shown several benefits to those in the SEO world. Our next several sections will dig into many of these.
For starters, GDPR had an instant impact on SEO budgeting, especially for larger companies. In particular, it caused many such companies to rethink their paid advertising budget, which is generally locked at the start of a given year. Now, many companies are holding larger funds in reserve instead of earmarking them for paid campaigns, which opens up many SEO avenues.
Privacy and Link Architecture
Reductions in Paid Search Crossover
We mentioned a possible reduction in paid search above, and much of the reason for this is a connected decrease in the crossover between paid and organic search. These two channels have always cannibalized each other to some degree, but GDPR all but blocked many types of retargeting – this impacted paid search and led to more reliance on organic listings, which in turn limited this cannibalization that wasted your money in the past.
Despite Google making regular noise about moving their search results away from personalized formats, the fact remains that this is a big factor. Think about all the factors Google considers while spitting out results for a given search: the user’s prior searches, where they’re located, and even what time of day, week or month it is during the search.
While results themselves might not be personalized, queries still absolutely are. For this reason, search quality is improved massively when users accept cookies – a requirement under GDPR, as we went over earlier. Without these cookies, search will be much less specific for each individual, which in turn benefits SEO companies less.
Down related lines, GDPR allows for much more specificity when targeting user intent with content. Areas where GDPR is in effect will allow content to directly match the user intent, which – as we just discussed above – the user can already find for themselves using their search.
Consider a case where a consumer is looking for a new car. Rather than using paid marketing to target them in ways that basically amount to guessing which kind of car they might want or their budget, GDPR allows SEO experts to create content directly for users who are looking for more detailed searches, such as a specific car brand, color or year.
Part of what’s great about GDPR within the SEO realm compared to many others: There’s no requirement that users give up any private data while searching. Contrary to a social media platform, for instance, where logins and personal information are often required, search can be done 100% anonymously without breaking any of the regulations of GDPR. It can still provide great results without risking any privacy concerns.
SEO is Fully Compliant
One vital theme for those within the SEO world: While there was initially some panic about various online marketing channels when GDPR was first introduced, this has subsided quickly. This is because SEO and related forms of organic search require no personal data to be given out – while certain specific SEO services utilize cookies or related customization trackers, these don’t have to be included in a given SEO program.
Rather, SEO experts wary of GDPR compliance have a variety of tools available to them. Keyword research tools, for instance, use anonymized data like clickstream formats or keyword volume to collect information, tools that comply with GDPR and do not create any concerns.
Issues With SEO Retargeting
While this may seem like a downside, it’s generally beneficial for the online marketing world as a whole. It levels the playing field, so to speak, between paid and organic search, making for a more equitable situation for all involved.
GDPR Compliance in the US
Why Do US Companies Need to Be GDPR Compliant?
Since GDPR is exclusive to the European Union, some in the US wonder why they have to worry about compliance with these regulations. The reasoning here is relatively straightforward: Not only does GDPR apply to organizations actively operating within the EU, it also applies to those outside the EU who offer any kinds of goods or services to customers or businesses within the EU – and as you may have guessed, that represents a pretty huge swath of customers or companies.
To get a bit more specific, GDPR is meant less to regulate businesses, and more to protect individuals and their data rights. Even if you don’t operate within the EU at all, it’s entirely possible you’ll receive business from someone who lives there – after all, tens of millions of people call this wide area home.
As for enforcement, this is a cooperative effort between the EU and other foreign governments. Don’t simply assume that because you’re outside the EU, you won’t have to worry about actually following these laws – this could land you in some hot water quickly.
Tips for GDPR Compliance Among US Companies
Here are some of the basic themes we recommend when it comes to compliance with GDPR for US companies:
- Information audit for EU data: First and foremost, you must confirm that GDPR compliance is indeed a requirement for your company. This involves determining the sorts of personal data you process, plus whether any of it belongs to anyone within the EU. If it’s determined that you do, you must next determine whether this processing is related to specific goods or services. If so, continue on to additional steps.
- Communicate with customers about consent: If you are able to receive consent to justify your use of personal data, this will typically allow you to continue with various data collection practices that involve EU customers. There are also some other justifications for processing data, and these can be found in Article 6 of the GDPR text.
- Improve data protections: Next up, you should evaluate all your data processing and any security or privacy risks that exist within it – and begin looking for ways to eliminate these risks. There are a variety of different encryption and other methods you can use to limit data breach risks and stay in compliance with GDPR.
- Vendor agreements: If any of your vendors violate GDPR regulations, be aware that you may be held partially accountable as the data controller in question. For this reason, it’s vital to establish clear data processing agreements with all your vendors, maintaining the rights of all parties – not just you and your vendor, but also cloud storage providers and any other contractors who deal with personal data.
- Officer and representative: For larger companies or organizations, appointment of what’s known as a data protection officer may be required. Whether or not this is required for your business can be ascertained within the GDPR text. In addition, Article 27 states that many non-EU organizations must appoint a representative based in an EU member state.
- Data breaches: In case of a data breach of any kind, Articles 33 and 34 of the GDPR text go over the duties held by companies if personal data is exposed in any way.
- Cross-border transfer laws: There are also strict regulations on the transfer of personal data to non-EU countries, with Article 45 going into further detail here.
Definitions of Personal Data Under GDPR
Per Article 4 of the GDPR text, “personal data” is defined thusly:
“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This applies to personal data processed wholly or partially by automated means, plus personal data processed in a non-automated format that still uses a filing system of any kind.
Let’s get a bit more specific on a few parts of that definition so our clients know exactly what they’re dealing with:
This item, which sits directly at the start of the GDPR’s definition of personal data, is extremely broad and wide-ranging. It includes both objective information (height, weight, DOB, etc) and subjective information (employment evaluations, etc), and can be presented in any medium, whether it’s audio, video, graphical, photographic, or even numerical. If you’re wondering about a definition that’s right on the fence here, chances are it’s included.
This area is very straightforward: Individuals’ personal data is protected by GDPR, but company data is not. The individual in question must be living to be afforded protections.
In fact, even if this data is not accurate when it’s attributed to an individual, it’s still covered by GDPR. If the data is so inaccurate that it can’t be linked to a specific person, however, it will not be considered personal data at all.
“Identifiable Individuals” and “Identifiers”
Anytime a person is differentiated from another in any way, this is considered identification of that individual. A name is the most popular way of identifying someone, of course, but there are many other types: Identification numbers, location data, biometric data (fingerprints are a good example) and more.
One particular category that can be a bit complex here is an online identifier. This can refer to anything ranging from an IP address to a cookie identifier, an RFID tag or certain other types.
Finally, information that allows an individual to be identified, even if it doesn’t contain direct identifiers like those we just went over, may still qualify as personal data. If it’s being processed in any way that allows you to learn something about the individual or impact them, for example, this data will be protected.
For instance, even if your name has been removed, utility data for your home could be considered personal data, as it is related to your identity. There are numerous other such examples here depending on your situation – once again, this area is quite wide-ranging and protects a variety of different individuals.
To learn more about GDPR, why it’s necessary for US-based companies and SEO experts, and how we’ll help you stay GDPR compliant and even potentially find great benefits through the optimization of this area, speak to the staff at SEO Werkz today.