Can We Still Do Geofencing in Europe with GDPR?

Our first account in russia!

Purplegator ranks on the first page for many “geolocation” type keywords such as “geotargeted mobile ads.”  So, it was a great tribute to our SEO team a few years ago when I got a call from a business in St. Petersburg, Russia.  The Russian company wanted to use geoconquesting to promote itself at an upcoming trade show in Frankfurt, Germany.  One of the things that I’ve felt very fortunate about in my career has been the chance to see the world.  This, however, was the first time I’d ever had a Russian customer!

Mobile marketing is pretty cool.  We can be in Philadelphia and set up a trade show geoconquesting program in Frankfurt, Germany, for a St. Petersburg, Russia company!  And, we can do it just as well as if the trade show event was in New York City!  Small world.

What GDPR Means for Mobile Targeting

But, something changed on May 25, 2018 when the European General Data Protection Regulation (GDPR) took effect.  No doubt, the way we used to do geolocation targeting in Europe had changed forever with the new data protection framework that shapes the often confusing GDPR regulations.

Like the Telephone Consumer Protection Act (TCPA), GDPR is not something to take lightly, even if you are a USA company.  There are some significant fines involved if you violate GDPR.  In fact, the maximum fine can be up to 4% of a company’s annual sales or up to $20 million euros.

GDPR grew out of the Data Protection Directive (1995) that the European Parliament passed into law.  This was the first  law that attempted to regulate how an individual’s data could used in Europe.  Discussions on GDPR began in 2012 and were passed by the EU Parliament in 2016.

The Data Protection Directive protected PII (Personal Identifiable Information) such as an individual’s name, photographic image, email address, phone, and personal identifications. GDPR extended this to include “pseudonymous data” such as online usernames and mobile location data.  This means that IP addresses and mobile device IDs, critical in identifying mobile advertising targets, are now protected under GDPR.

MOBILE MARKETING KNOWLEDGE COLLEGE — What is “pseudonymous data?”

Pseudonymous data is in between personal identifiable information and completely anonymous data.  Pseudonymous data cannot immediately be used to identify a particular person.  It can, with research, however, help to ultimately identify a specific person.

Goals of GDPR

The primary goal of GDPR is to protect Europeans privacy and give them greater control over how and if their data is being used.  It also gives European citizens the following rights:

  • Right to access their personal data.
  • Right to request rectification if something is incorrect.
  • Right to have al data deleted.
  • Right to restrict processing of personal data.
  • Right to make any data portable.

GDPR and geolocation Advertising

In the United States, Purplegator uses a variety of location data to enable marketers to target the “right customer, in the right place, at the right time.”  Yeah, we know that saying is getting old, but it’s still accurate.  Geotargeting involves collecting users’ location data, demographics, and interests, and then delivering mobile and desktop ads based on that historic or real-time location data.  For example, retailers use geolocation data to target shoppers at competing stores or to up-sell customers that have previously visited its own store.  Truck driver recruiting candidates are targeted after their mobile devices are identified at truck stops.  Recruiting nurses is made easier by identifying mobile devices at competing hospitals.

Usually, the mobile location data is collected via a mobile phone’s device ID.  Often, this happens when the consumer uses public wifi such as is available at many retail stores today.  Device ID detection is a very accurate method of collecting mobile data, because it almost never changes. This is different than desktop cookies that are periodically deleted by the user.

Mobile device ID detection is provided by social media platforms that use geolocation identification.  Or, it is provided by mobile app installs on a consumer’s smartphone that send location data back to the company.  The company then sells this data to third party data companies who market it to demand side platforms (DSP’s) used in programmatic ad buying.

So What Can European Advertisers Do?

Under the terms of GDPR, it is our interpretation that “lookback” location data is indeed personally identifiable data. It is therefore prohibited in Europe by GDPR, unless consumer permission is given.  In the EU, permission to access such permissions cannot be buried in the lengthy terms and conditions that nobody reads.

It doesn’t stop there.  Personally identifiable information (PII) under GDPR also pertains to IP targeting, email targeting, phone number detection, and the aforementioned lookback data.

Lookback data, however, is different than real time data.  While we can’t use lookback data to identify mobile devices that have been at a particular location in the past, we can still use real-time data to identify mobile devices that are within a certain geofence NOW.  Hence, our trade show mobile marketing product would still be acceptable under GDPR regulations so long as we send mobile advertisements to the delegates while they are AT the event.

Looking Ahead to california

Effective January 1, 2020, the California Consumer Privacy Act will come into force.  It will grant California residents many of the same rights that GDPR provides to Europeans.

You can read more about the California Consumer Privacy Act here.

Author’s Note — This is an educated interpretation of the GDPR regulations and how it may relate to your business or organization.  You should always obtain your own legal opinion in matters such as this.

Skip to content