As the most popular search engine on the web, Google attracts businesses of all shapes and sizes to its Google Ads (formerly AdWords) platform. However, one of the challenges that advertisers soon realise when using PPC marketing is click fraud.
There is now a growing market of click fraud protection software and services, but many of these are based in the US or other countries outside of the UK or EU, and may be non-compliant with UK-specific regulations.
There is normally a lot of talk about EU GDPR and UK GDPR compliance, but the PECR contains additional requirements that may have been overlooked by solution providers. In this article we will explore what is required for a click fraud solution to be compliant with the UK PECR (Privacy and Electronic Communications Regulations).
For those less familiar with the topic, let’s first understand what click fraud is.
In simple terms, click fraud is when non-genuine users maliciously click on your ads, draining your budget. This results in a reduced ROI from your ad campaigns, and sometimes a significantly wasted budget.
The fake clicks can come from individuals, click farms, or automated robots. They are often employed by competitors or their outsourced marketing agencies, disgruntled customers, or unethical web scrapers.
You can read more about click fraud and how to prevent it here.
The PECR is an implementation of the EU ePrivacy Directive 2009. Countries within the EU will have almost identical regulations in place, but the specific guidance and enforcement policy may differ.
When we’re talking about privacy, tracking and cookies, PECR is essentially an extra layer on top of the GDPR requirements.
GDPR generally only requires consent if you are processing data that can identify an individual. Placing a cookie to collect anonymous information will not normally fall under the GDPR scope.
However, PECR has more demanding requirements. Unless the cookie falls within a very specific “strictly necessary” use, you need explicit consent from the user. PECR does still allow the use of cookies without consent for some essential website functionality, security and performance reasons.
PECR takes precedence over the GDPR, so if your cookies require consent under PECR, then you cannot rely on the lawful bases from the GDPR to be able to set them.
Knowing the risks of click fraud and the impact it could have on their campaigns, many advertisers now turn to third-party click fraud prevention systems to safeguard their budgets.
These solutions typically place persistent cookies and/or use advanced device fingerprinting techniques to keep track of users, even if they try to evade detection by masking their IP address.
Whilst the technology can provide a good level of protection against click fraud, it doesn’t usually align with the demands of the PECR law. Here are a few examples:
Unfortunately, you’d be wrong if you thought that the law would have an exception so that businesses can protect themselves. The guidance from the Information Commissioner’s Office explicitly lists “click fraud detection” as being unlikely to meet the “strictly necessary” exemption to the law.
Balancing the need for effective click fraud prevention with the requirements of PECR is undoubtedly challenging.
If advertisers ignore the issue of compliance, they could be risking their reputation. Non-compliance carries a fine of up to £500,000 and potential criminal prosecution.
These solutions employ various techniques, such as IP address reputation checks, behaviour analysis and even machine learning algorithms, to detect and mitigate click fraud, without resorting to placing tracking cookies or using device fingerprinting techniques.
For example, behavioural analysis can be performed without collecting personal data, via mouse movement, scroll, click or touch events. The subtle differences between sessions can identify genuine users amongst robots and malicious users.
With modern day technologies, PECR-aware click fraud solutions can provide a high level of protection without the traditional privacy and compliance issues.
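The following JavaScript is an added example, not code from this article or from any click fraud product. It scores one page session from event types, timestamps and pointer positions held in memory only, with no cookie, storage or device attribute involved. The event shape `{type, t, x, y}` (with `t` in milliseconds since page load), the heuristics and the thresholds are all assumptions chosen for illustration.

```javascript
// Added example: session-only behavioural scoring (assumed heuristics).
// Input: events of shape {type, t, x, y}; t = ms since page load (assumed).
// Nothing is written to cookies or storage and no device attribute is read.
function pathStats(moves) {
  let length = 0;
  const gaps = [];
  for (let i = 1; i < moves.length; i++) {
    length += Math.hypot(moves[i].x - moves[i - 1].x, moves[i].y - moves[i - 1].y);
    gaps.push(moves[i].t - moves[i - 1].t);
  }
  const first = moves[0], last = moves[moves.length - 1];
  const direct = Math.hypot(last.x - first.x, last.y - first.y);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return {
    straightness: length > 0 ? direct / length : 1, // 1 = perfectly straight
    timingCv: mean > 0 ? Math.sqrt(variance) / mean : 0, // 0 = metronomic
  };
}

function scoreSession(events) {
  const reasons = [];
  const moves = events.filter((e) => e.type === "mousemove" || e.type === "touchmove");
  const touched = events.some((e) => e.type.startsWith("touch")); // taps need no movement
  const click = events.find((e) => e.type === "click");
  const priorMoves = click ? moves.filter((e) => e.t < click.t).length : 0;
  if (click && !touched && priorMoves === 0) reasons.push("click with no prior pointer movement");
  if (click && click.t < 300) reasons.push("click within 300 ms of page load");
  if (!events.some((e) => e.type === "scroll")) reasons.push("no scroll activity");
  if (moves.length >= 3) {
    const { straightness, timingCv } = pathStats(moves);
    if (straightness > 0.99) reasons.push("perfectly straight pointer path");
    if (timingCv < 0.05) reasons.push("machine-regular event timing");
  }
  return { suspicious: reasons.length >= 2, reasons }; // one odd signal alone is not enough
}

// Constructed sample sessions (not real traffic).
const humanSession = [
  { type: "mousemove", t: 120, x: 10, y: 400 }, { type: "mousemove", t: 180, x: 40, y: 350 },
  { type: "mousemove", t: 290, x: 95, y: 340 }, { type: "mousemove", t: 350, x: 160, y: 260 },
  { type: "scroll", t: 900 }, { type: "mousemove", t: 1500, x: 300, y: 220 },
  { type: "click", t: 2100, x: 300, y: 220 },
];
const botSession = [
  { type: "mousemove", t: 10, x: 0, y: 0 }, { type: "mousemove", t: 20, x: 100, y: 100 },
  { type: "mousemove", t: 30, x: 200, y: 200 }, { type: "click", t: 40, x: 200, y: 200 },
];
```

Requiring at least two independent signals keeps a single unusual but legitimate behaviour, such as a visitor who never scrolls, from being flagged on its own.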
It’s worth checking your click fraud protection: if it’s using cookies or device fingerprinting, it’s unlikely to meet the requirements of PECR. It may be down to you to select the right settings, but you could find the effectiveness of the system is reduced if it was designed to depend heavily on those technologies.
This article is based on our interpretation and is intended for general information purposes; it should not be seen as legal advice. We hope you have found this information helpful. Please link back to this page if you would like to refer to the article on your website or social media.
Using Google Ads and haven’t got a click fraud solution yet? You can get a free 14-day trial of PPCFilter, a lightweight but effective click fraud solution, developed and hosted in the UK.