GDPR drastically changes how and why companies collect or interact with the personal data of online users in the EU. Under this new law, any visitor to your website from within the EU will need to give explicit consent for any collection, use, storage, or sharing of their personal data. What is deemed “personal data” under GDPR, however, is much broader than the US definition of Personally Identifiable Information (PII). The scope expands to include cookie data and IP addresses, which are commonly used by brands, agencies, and ad tech vendors in marketing campaigns. Under GDPR, these kinds of personal identifiers can no longer be accessed from EU users unless they’ve opted in. Additionally, any data your site currently stores where the user opted in prior to GDPR, such as email sign-ups, could potentially be non-compliant. As a best practice, publishers should prompt EU users to re-opt into their email lists.
The user’s browser will be the gatekeeper of their data preferences under GDPR. Since publishers won’t know a user’s browser preferences, they will need to fundamentally change how their site interacts with these users in order to gain clear consent on the type of data they are willing to share. EU users also have the “right to be forgotten”, meaning that at any time they can request that their data be removed and no longer shared with a given company.
For more in-depth information, check out this guide by Digiday.