Understanding Data Privacy for B2B Advertising: Consent for Conversions and Audiences
This article explains the privacy considerations you need to be aware of before sharing data about your customer conversions and audiences with advertising platforms like Google Ads or LinkedIn Ads.
Whether you need to get consent from your users depends on where your users and customers are located. In some regions, consent might not always be legally required. However, in this article, we will focus on situations where explicit consent is typically required, specifically under regulations like the General Data Protection Regulation (GDPR) in Europe.
In regions like the US, Canada, and others, privacy regulations often allow for implied consent. This means you can generally assume you have consent by default, as long as you give users a clear way to opt out if they don't want their data to be used.
Let's break down the considerations for two key types of data you might share:
1. Conversions (Measuring Ad Effectiveness)
- What are Conversions? "Conversions" refer to a stage model you are sharing with advertisement platforms. Dreamdata today supports LinkedIn Conversion API, Google Enhanced Conversions, Meta Conversions, or Microsoft Enhanced Conversions to share this conversion data.
- What kind of data is shared? When you share conversion data, you are sharing Personally Identifiable Information (PII). This is data that can identify an individual, and it comes from your own first-party data sources. These sources are typically systems you directly manage, like your Customer Relationship Management (CRM) system and website tracking tools.
- Do you need consent to share conversion data? Generally, explicit consent is not required for sharing conversion data, especially when it's solely used for measuring the effectiveness of your advertising. This is because:
- Conversion data isn't used for targeting individuals with ads. The main purpose of sharing conversion data is to understand how well your marketing and sales efforts are working. You want to see which advertising channels are driving conversions and improve your overall business processes.
- Legitimate Interest: As a business, you have a "legitimate interest" in understanding your marketing performance. This is a recognized legal basis under GDPR that allows you to process data if you have a valid reason and it doesn't overly infringe on individuals' privacy rights. Sending conversion data to platforms like Google and LinkedIn to measure ad performance is typically considered a legitimate interest.
- Use activity data to create the audience. Depending on your consent magement platform and configuration, you might be able to filter the audience based on recent user activity such as has performed page views the last 90 days.
- Legal Data Collection: It's assumed that you have already collected the initial PII data of your users and customers in a lawful way (e.g., when they made a purchase or signed up on your website). The act of sharing conversion data for measurement is considered a secondary use that is often compatible with the original purpose of data collection.
In summary for Conversions: You can usually share conversion data without explicit consent for the purpose of measuring ad performance, relying on "legitimate interest" as the legal basis, particularly if you operate outside of strict GDPR regions or ensure you meet the requirements for legitimate interest under GDPR.
2. Audiences (Contact Lists for Targeting)
- What are Audiences? "Audiences" refer to lists of contacts (like email addresses) that you upload to advertising platforms to specifically target those individuals with your ads. Dreamdata today supports sending contact lists to Google, LinkedIn, Meta and Microsoft Ads.
- Consent is Key for Audiences in GDPR Regions: When you share contact lists for targeting purposes, you must collect explicit consent from individuals in regions governed by GDPR.
- How to Collect Consent for Audiences:
- Signup Forms: The most common way to get consent is through your signup forms (e.g., newsletter sign-up, account creation). Here, you should clearly state in your terms and conditions (the agreement users accept) that you will use their data to send newsletters and also to target them with ads on advertising platforms.
- Opt-out Options: It's always a best practice to provide users with an opt-out option. This allows them to withdraw their consent for targeted advertising even if they initially agreed. Many advertisement platforms has this capability built-in.
- CRM Integration: If you already track consent within your CRM (e.g., you have fields indicating if a contact agreed to terms and conditions), you can use this data to manage your audiences. You can then filter your contact lists based on consent status before uploading them to ad platforms using CRM fields.
- Implied Consent and Opt-out for Other Regions: For regions where implied consent is accepted, or where no specific consent is legally mandated, you often have more flexibility. In these cases, you can frequently rely on the advertising platforms themselves to handle the opt-out process. This means you might not need to actively manage consent when creating audiences; instead, the platforms provide users with mechanisms to opt-out of targeted ads directly.
In summary for Audiences: If you are targeting individuals with ads using contact lists, especially in GDPR regions, explicit consent is crucial. Make sure you have clear consent mechanisms in place, ideally integrated with your signup processes and CRM, and always offer opt-out options. For regions with implied consent, you can often rely on platform-provided opt-outs, but transparency and user control are still recommended best practices.
3. Audiences (Company Lists for Targeting)
- What are Company Lists? On platforms like LinkedIn, you have the option to target entire companies rather than individual people. This involves uploading a list of company to the advertising platform. LinkedIn then matches these companies and shows your ads to individuals associated with those companies.
- Consent Requirements for Company Lists: Generally, you are not required to obtain consent at your end before uploading company lists to LinkedIn. This is because:
- Targeting Organizations, Not Individuals Directly: When you target companies, you are aiming your advertising at organizations as a whole, not specific individuals within those organizations. While individuals within those companies will ultimately see the ads, the targeting is based on company affiliation, which is considered public or professional information rather than sensitive personal data in the same way that direct contact information is.
- LinkedIn's Platform Responsibility: LinkedIn, as the platform, takes on the responsibility of ensuring compliance and user privacy within their own environment. They have mechanisms in place for individuals to manage their privacy settings and control the types of ads they see, including those targeted at their company.
- Publicly Available Information: Company information (like company name, industry, size, etc.) is generally considered business or professional information and is often publicly available. Using this type of information for B2B advertising is generally considered within reasonable business practices.
In summary for Company Lists: When targeting companies on LinkedIn using company lists, you generally do not need to collect consent from individuals or companies in advance. This is because you are targeting organizations, using professional/public information, and relying on LinkedIn's platform for individual privacy controls. However, use reputable data sources for your company lists and ensure your advertising is relevant and follows platform policies.
