GDPR is here and opt-out is gone, at least as far as the European Union is concerned. At the end of May, this major new EU legislation became effective, changing overnight the rules of digital marketing for any company that collects personal data from citizens or residents of countries in the EEA (European Economic Area). The new law has caused lots of confusion and uncertainty about its scope, so here is a short primer explaining the legislation’s major implications in terms of policy and procedures for digital marketing and data collection.
What is GDPR?
The European Union’s General Data Protection Regulation
Who is subject to GDPR?
The statute’s requirements apply to any organization doing business in the EEA, or processing personal data of citizens or people residing in the EEA, subject to limitations discussed below. It does not matter where the data was collected or stored, or where your marketing campaign is launched or managed. If the data represents a resident of the EEA, you’re subject to GDPR.
Who has adopted the EU law?
Countries in the EEA (European Economic Area) which includes all 28 EU members, plus Iceland, Norway, and Liechtenstein. Switzerland is also included, although the country is not an EEA member.
When does it come into effect?
May 25, 2018
Penalties for non-compliance
Up to €20 million or 4 percent of global revenues may be assessed in penalty for noncompliance.
Right to data access
An individual has the right to request and receive all data that a company has stored about him or her, as well as the right to know how it is stored and used. For compliance purposes, it is recommended to put your policies and procedures in writing so they can be readily presented to clients, prospects, or anyone subject to your firm’s data collection.
Access to the data controller
An individual has the right to contact the person at your company responsible for maintenance of the data.
Right to object
Individuals may prohibit certain uses of their data.
Right to rectify
Individuals have the right to correct any stored data that is incorrect or incomplete.
The right to be forgotten
Individuals can “ask to be forgotten” meaning the company must delete all data on the individual.
Right of portability
Individuals may ask that their data be transferred from one organization to another.
Any breach posing a risk to an individual’s information requires that the individual be notified within 72 hours.
This is a big deal and it has triggered a lot of concern among US companies as a result of confusion and uncertainty over the scope of GDPR’s legislative reach. Far be it for me to offer legal advice to my clients (who include some of the most sophisticated law firms in the world) but as I understand it, if you are a US-based company, even if you don’t have an office or physical presence in the EU, the collection of data on your business website may subject your company to regulation under the GDPR (i) if you collect data from a citizen or resident of an EEA country and (ii) if that person (or “data subject” in the delightful language of the statute) is the specific target of your company’s marketing services. Generic marketing that does not specifically target EEA residents (such as service or product offerings that are directed only to US citizens) might not be enough to trigger application of the statute. But any offering of products or services that are somehow specifically relevant to an EEA citizen or resident may very well make you subject to GDPR requirements and the potentially significant financial penalties for non-compliance.
[Read a brief but good journalistic summary of the scope of the GDPR statute from Forbes here.]
Leaving it to your lawyers to sort through the statute’s applicability to your firm’s website, I will offer a bit of non-legal advice on the question of what compliance means in terms of website design and sound business practices with respect to your firm’s approach to data collection. Here are some general pointers about what should be done to revise or limit the collection and use of personal data, and how to maintain it securely in accordance with GDPR requirements in the event you conclude the statute does apply to your marketing efforts:
This is perhaps the most important part of the GDPR and it is notably more stringent than current US business practice. Under the statute, an individual’s consent must be explicitly obtained in order to collect and/or use personal data for marketing purposes, and companies must clearly explain how the data is used. Personal data includes, but is not limited to, names, birth dates, and address (email addresses, physical addresses, and IP address). It’s a good idea to overhaul the data collection policies of your existing newsletters, templates and subscription forms to ensure compliance with GDPR.
- Opt-in vs Opt-out – Unlike the US’s “opt out” model, the EU has adopted an “opt in” model.
- Pre-ticked boxes do not constitute consent. Operating under the GDPR, individuals must explicitly opt-in to the collection and use of their personal data.
Collecting data via web forms (newsletters, website, invitations)
The GDPR also includes specific rules regarding disclosure requirements and the means for collecting data via submission forms.
- Data submission forms must be clearly designed and include a description of the intended use of any information collected. Specificity is critical.
- Consent must be obtained for all uses of an individual’s information. For example, if you collect information for one purpose and then decide to use it for another, you must obtain additional explicit consent for that purpose as well.
- If you are collecting information for processing by a 3rd party email service provider, then you must clearly state that in your language, i.e., if you are sending to MailChimp, Constant Contact, etc.
- Sign-ups/subscriptions must be an affirmative opt-in – remove all pre-checked boxes; double opt-ins are always a good idea.
- Data capture should include the individual’s country.
- A submission form cannot require consent to be given in exchange for something else, e.g. requiring consent in exchange for downloading a white paper. Instead the form must include clear consent that the individual agrees to receive marketing mailings.
- For all data submitted, the firm’s CRM should record the date of submission and the type of consent granted.
GDPR applies not only to how you collect personal data but how you store it in your marketing database. If you conclude that GDPR applies to your firm’s data collection efforts, then it’s critical that you undertake a thorough review and cleanup of your mailing lists and CRM. Start by segmenting your contacts into two parts:
- Non-EEA contacts
- Contacts from the EEA and those of unknown location. (Treat unknowns as if they are from the EEA until you determine otherwise.)
Important Note: The reason to undertake this segmentation is because you will need to re-engage with EEA contacts in your database before or as soon as possible after May 25th, when the GDPR goes into effect. You can continue with your current marketing practices for all Non-EEA subscribers on your list, but for everyone else you will need to devise a re-engagement strategy so you can obtain GDPR compliant consent. Until then it’s important to maintain a separate list so you don’t market to contacts in the EEA (or those without geographic identifiers) without appropriate consent. Depending on the nature of your existing newsletter subscription policy, you may be able to continue marketing to some EEA contacts, particularly existing clients, if they have given you explicit consent, which has been properly documented. If contacts are merely prospects or targets and you don’t have explicit consent, you should exclude them from any further marketing until you re-engage with them and obtain GDPR compliant consent.
General pointers about scrubbing your marketing database:
- You should delete data if you don’t know who it belongs to, or if there’s no established or defined relationship between your firm and the individual. (If possible, you should identify in the CRM who in your firm holds the relationship with the data subject.)
- You should delete all non-essential personal information (the individual’s gender, dietary preferences, or information you may be storing about someone’s family, etc.)
- You should remove personal email addresses.
What are they? When you visit a website, a small piece of data (a text file) is stored on your device in order to remember information about you – this is called a cookie. Such information might be login information. These are called first party cookies and are specific to the domain of the website you visited. By default, these are allowed and track activity as you move through a website. Most websites also use third party cookies for advertising and marketing efforts – these cookies are from a domain other than the website you are visiting. Some cookies are necessary to the website’s functionality.
Here’s an excellent resource for learning more about cookies: Cookiepedia
I hope this summary is informative. I don’t mean to put myself in the position of sounding like a legal expert (particularly to an audience of legal experts!) when it comes to the finer points of this very complicated statute. But it’s important for everyone to have a general understanding of the enormous implications that GDPR has regarding digital marketing policies and practices for any business that specifically targets customers in the EEA. The potential financial penalties for non-compliance are significant, so if there is any doubt about whether your firm may be subject to GDPR regulation, it’s best to err on the side of caution. It also makes sense to evaluate what other basic best practices should be adopted in order to create a culture of compliance and reduce the risk of liability.