You have undoubtedly heard a lot about GDPR lately. This probably involved a slew of emails in your inbox asking you to update your privacy settings, or (depending on the industry you work in), several other changes made to the way you do business.
GDPR stands for General Data Protection Regulation and is a law within the European Union (EU) that governs how companies should govern and disclose the data they collect from consumers. The exact language of the law is available on the EU’s GDPR site located here. The implications of not following GDPR are severe, with penalties of either 4% of global revenue or 20 million EURO, whichever is greater. So, there are some very high stakes here.
Since the May 25, 2018 deadline for compliance with GDPR has already passed, your company must have already made some changes and modifications to the way you collect data and manage other parts of your business if you are affected. But it’s important to note that GDPR takes consistent, ongoing diligence to maintain compliance. And, just in case you have not already made provisions to comply with GDPR, it’s good to make sure there’s nothing you’ve missed.
Let’s explore what a marketer working for a company based in the United States should know about GDPR and what you should do to maintain your compliance.
How does GDPR affect US-based companies?
Let’s now look at how this EU law applies to companies that are based in the United States.
Companies that are affected
GDPR affects commercial, nonprofit and public sector organizations who do business in the EU or market to consumers living in the European Union. GDPR also applies to you if your company has an office in, has customers who reside in, markets to, or otherwise targets citizens of the EU. This means that GDPR’s requirements can be quite far-reaching and are likely to have an impact on your organization if you have contact with citizens of the EU. As with any compliance issue, your legal counsel will have specific feedback on how and when this applies based on your business practices.
Consumers that it affects
GDPR applies to citizens of the EU. It should be noted that this affects consumers that are in the EU at the time the data is collected. If they are a citizen of the EU, but are in the United States when the data is collected, GDPR does not apply.
What does a US-based marketer need to know about GDPR?
There are several things that you need to know and understand as a marketer. If you’ve been approaching consumer privacy and data collection in a compliant (with U.S. law) manner thus far, this will be mostly a refresher with a few additional steps. If, however, your privacy and data collection practices are not up to date, you may find yourself with a few things to do.
Website and cookies
Now, let’s talk about cookies. Chances are, as a marketer, you are placing several cookies on consumers’ machines in order to learn more about them, retarget them through advertising, and other things.
Please note that it is a good idea to provide a cookie warning on your site anyway, even if you are a US-based company only serving US-based customers.
GDPR takes this to a new level by requiring websites to provide additional information about the types of cookies and how they are being used. Services such as Cookiebot provide this as a 3rd party cloud service and allow users to:
Prevent any tracking from cookies if/until the user consents
Select the types of cookies they allow
A list of the actual cookies
Pay close attention to that first one. GDPR dictates that no tracking can occur until the user consents to allow it. This means that your website needs to pause all cookie activity until the user accepts. Traditional consent notifications to not always allow for this.
Another important thing to note about cookies is the length of time that they are stored on a user’s machine. According to GDPR, they should exist no longer than 12 months. This is a setting that you can easily apply.
Any good email marketing in the United States has paid close attention to our own CAN-SPAM laws for years, so following that is a start. CAN-SPAM includes many provisions, including making it easy to opt out of receiving marketing emails and requiring an easy “unsubscribe” option in your emails.
But GDPR takes this a step further by requiring an opt-in for consent. This means you can’t simply have a pre-populated “check” on a consent checkbox. The user has to opt in to your mailing list for marketing purposes.
Many different companies are dealing with this in different ways, with EU-based pub chain Wetherspoons deleting its 700,000 person email list in order to guarantee compliance. You may not choose such an extreme method, but an important thing to note is that (much as it was with CAN-SPAM) you need to make sure you can verify the source of the people on your list and their level of consent.
Data collection, storage and the right to be forgotten
A critical piece of your data collection is undoubtedly going to rely on 3rd parties. In addition to the countless emails you’ve received that notify you as a consumer of how vendors are handling your data, you have most likely received several from vendors and 3rd parties you work with. It’s important to make sure you understand that your partners are compliant, what they are doing, and how to request data from them should you need to.
Providing data to consumers
As important as understanding how you are storing data, you need to have a process for providing data to consumers if and when they request it from you. GDPR allows consumers to request a copy of all of the information you have about them, including tracking and behavior information. This extends well beyond their e-commerce order history to other information you might have collected in a CRM, from the website and other activities.
In addition to providing the data you have about a consumer, GDPR, also includes a provision about the “right to be forgotten,” or have your data purged from a vendor’s records. Make sure that you understand this and have a plan in case this is requested.
Finally, if a data breach occurs, providers are required to give notification within 72 hours of the incidence, depending on the type of data breached. This is one area (of many) that requires some additional research to understand exactly what type of information requires this notification and to whom.
Opportunities that GDPR Presents for Marketers
While a lot of what we’ve focused on thus far are the negatives, or the time-consuming aspects of complying with GDPR, there are some opportunities that you can take while you are complying. For instance, if you are re-confirming your email subscriber base, why not take the opportunity to make sure you better understand what their preferences are?
Also, for companies that may not have as much of a reason to comply with GDPR, doing so still shows your customers that you take their privacy seriously. It is also quite likely that similar to many other cases over the years, what starts in the EU will eventually be adopted elsewhere in some form or other, including in the United States.
If you don’t have a company policy on GDPR, your immediate next step needs to create one that outlines the following:
Your risk profile that details where your company is affected by the law (this varies depending on your involvement with customers from the EU)
How and where you collect data from consumers
How you store this data and how long it is stored
Information from third parties you work with so you can easily contact them in case of an information request (or a data breach)
As with any compliance issue (such as HIPAA for health information collection and storage, or the Rehabilitation Act’s Section 508 for federal agency website accessibility), it is best to consult with a lawyer who best understands your business and industry. There may be additional items which apply based on the industry you work in, or the nature of the data that you collect and manage as part of your operations.