The GDPR passed and has officially become law. If you don’t understand how it could affect your company, you might soon find yourself in trouble.
Every company with a website needs to stay informed about the changing laws (GDPR, for example) that affect its digital presence. However, these laws have generally changed very little from year to year. Many companies hardly change their websites at all, and that has never landed them in legal trouble. Now, that could change for countless companies.
What Exactly Is the GDPR?
Before we look at how the GDPR could affect your company, let’s first clarify what it is.
The GDPR is a new data privacy law that was officially adopted on April 14th, 2016 by the European Union and went into effect on May 25th, 2018.
This new law is meant to give people more control over the information private companies have about them. Among other things, this involves how these companies collect, process, and store data.
It also standardizes these laws across the entire European Union, so companies aren’t subject to different rules depending on where their customers are.
You Have the Right to Erasure
One significant facet of the GDPR is The Right to Erasure – sometimes referred to by the predecessor law’s name, The Right to Be Forgotten. The EU first ruled in favor of it back in 2014.
The version included in the GDPR is far more limited than the one from 2014, but it still gives people the right to demand that a company erase any personal data they have on them provided certain requirements are met (e.g., if the company is using the information in a way that doesn’t comply with Article 6(1) – lawfulness).
Confirming Consent of Personal Data is Now Mandatory
How companies are allowed to gather data has changed significantly under the GDPR, as well.
For example, marketers can only email recipients who have previously opted-in and, therefore, agreed to receive such messages.
This has already been the law throughout most of the EU countries, but the GDPR has furthered protections by elaborating – in detail – on what “consent” must entail.
Specifically, Article 4, says:
“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Article 32 then goes on to specify what consent is not:
“Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.”
“When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
As you can see, the EU has gone to great lengths to ensure that people who receive emails from marketers absolutely want them.
Finally, subscribers must be informed about what the company plans to do with their information. For example, if they’re signing up for an email, but the company also wants to profile them to see which offers they’ll be most open to, that must be disclosed from the beginning.
Is My Company Unaffected if It’s Not in the European Union?
While most of the GDPR may seem fairly straightforward, one pervasive misconception about it is that it only affects companies in countries that are a part of the EU.
This is not necessarily true.
If you don’t have any customers or subscribers from countries in the EU, then you’ll be unaffected by the GDPR.
As a quick refresher, here are those countries:
- Republic of Cyprus
- Czech Republic
- The UK
Of course, if you do have customers or subscribers in one of these countries, but you don’t want to make any changes to your operation, you could always delete the information you have on those individuals and block any EU addresses from your site and signup forms.
However, looking over the list of 28 countries above, most companies with international customers would have a hard time cutting off such a potentially significant market.
To be clear, Article 3 of the GDPR stipulates that citizens of countries that are part of the EU must be in the EU for this legislation to go into effect.
So, if an English citizen travels to New York City and logs on to your company’s website, you’re under no requirement to comply with the GDPR, even if you end up collecting data from them.
Also, even though the word “customer” is often used to describe the people that this law protects, “subscriber” is just as relevant. There is no requirement that a financial transaction must happen first for this law to apply to a company in the European Union.
With all that in mind, let’s now look at what you may need to change to comply with the GDPR.
1. No More Pre-Ticked Opt-In Boxes
As we already touched on when we covered consent, you can’t use pre-ticked boxes to record consent from subscribers and customers.
Even if you’re trying to be helpful, the GDPR only recognizes consent that requires an action from the customer.
2. Separate Consent Requests from Terms & Conditions and Other Forms
It has long been standard practice to keep consent requests and other forms right next to one another.
This is no longer allowed.
You also can’t require that someone signs up for your newsletter to gain access to a whitepaper or some other content upgrade. This is also not classified as a voluntary action.
3. Explain to People How to Withdraw Their Consent
You must make it as easy as possible for someone to later unsubscribe or otherwise withdraw their consent.
If you’re a Canadian company that already complies with CASL or a US company that’s already complying with CAN-SPAM, you’re probably already doing this.
So, you most likely don’t need to change anything to comply with GDPR as long as you’re not doing any of the following when a subscriber tries to opt out:
- Charging a fee
- Requiring other information beyond the subscriber’s email address
- Requiring subscribers to log in first
- Requiring subscribers to visit multiple pages to submit their request
4. Maintain a Record of Consent
Even if a subscriber provides consent and you have followed all the rules mentioned above, you could still be in trouble if you don’t keep a record of it.
These records must show:
- Who consented
- When they consented
- What you told them when they gave consent
- How they provided consent (e.g. through a Facebook form, landing page, etc.)
- If they have since withdrawn their consent or not
5. Review All Preexisting Signups
The GDPR works retroactively, which means you’re responsible for applying its rules to all the signups that your company received before May 25th, 2018 from countries in the EU.
If the consent they provided in the past is compliant with the GDPR – and you have documentation to prove it – then you have nothing to worry about.
Otherwise, you’ll need to do the following:
- Audit Your Current Email List – Go through and figure out which subscribers already provided consent in compliance with the GDPR and ensure you have clear records of it happening.
- Enact a New Consent Program – Run a program to request permission from any email addresses that weren’t in the first list, including those you simply don’t have records for.
Obviously, you must comply with any demands to opt out, but you’ll also have to remove any subscribers who don’t respond.
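The consent record from section 4 and the list audit from section 5 fit naturally into one small append-only ledger. The following is an added example written for this article, not code from the author or any vendor; the method names, the sample subscribers and the `example.com` addresses are constructed, and what counts as a "clear affirmative action" is an assumption encoded in `AFFIRMATIVE_METHODS`.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Methods that count as a clear affirmative action; pre-ticked boxes or inactivity are absent.
AFFIRMATIVE_METHODS = {"landing_page_checkbox", "facebook_form", "double_opt_in_email"}

@dataclass
class ConsentRecord:
    subject: str                          # who consented (email address)
    timestamp: datetime                   # when they consented
    disclosure: str                       # what they were told at the time
    method: str                           # how they consented
    purposes: tuple                       # every purpose covered, e.g. newsletter, profiling
    withdrawn_at: "datetime | None" = None  # set on opt-out; the record itself is kept

class ConsentLedger:
    """Append-only consent log: records are added or marked withdrawn, never removed."""
    def __init__(self) -> None:
        self._records = []

    def record(self, rec: ConsentRecord) -> None:
        if rec.method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{rec.method!r} is not a clear affirmative action")
        if not rec.purposes or not rec.disclosure:
            raise ValueError("consent must name its purposes and the disclosure shown")
        self._records.append(rec)

    def withdraw(self, subject: str, when: datetime) -> None:
        for rec in self._records:
            if rec.subject == subject and rec.withdrawn_at is None:
                rec.withdrawn_at = when

    def has_valid_consent(self, subject: str, purpose: str) -> bool:
        return any(r.subject == subject and purpose in r.purposes and r.withdrawn_at is None for r in self._records)

    def audit(self, mailing_list, purpose):
        """Split a list into addresses with documented consent and those needing re-consent."""
        ok = [a for a in mailing_list if self.has_valid_consent(a, purpose)]
        return ok, [a for a in mailing_list if a not in ok]

def build_sample_ledger() -> ConsentLedger:
    """Constructed sample subscribers, not real data."""
    t = datetime(2018, 5, 26, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("alice@example.com", t, "Weekly newsletter only",
                                "landing_page_checkbox", ("newsletter",)))
    ledger.record(ConsentRecord("bob@example.com", t, "Newsletter plus offer profiling",
                                "double_opt_in_email", ("newsletter", "profiling")))
    ledger.withdraw("bob@example.com", datetime(2018, 6, 1, tzinfo=timezone.utc))
    return ledger
```

Running `audit` over an existing mailing list yields the two groups the article describes: addresses whose documented consent covers the purpose, and addresses (withdrawn or simply undocumented) that must go through a new consent program or be removed.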
What About Targeted Marketing?
The GDPR isn’t just about email marketing, either.
It also affects targeted marketing.
In short, if you are targeting consumers in an EU country, they are protected by the GDPR, provided they are in an EU country at the time they are online.
So, for example, if you have a landing page that mentions French users and is written in French, the page counts as targeted marketing and these new laws apply.
Another example would be having a country-specific domain suffix and accepting that country’s currency. Clearly, you are targeting citizens there.
On the other hand, if a French citizen is on the Internet in France and comes across your company’s English webpage that does not refer to French users, you can’t be held accountable.
The GDPR’s Silver Lining for Your Company
While this may seem a bit overwhelming, there is one big silver lining to the GDPR.
Going forward, the data you receive from users will be information they want to provide because they’re genuinely interested in what your company has to offer.
Most companies’ marketing ROIs suffer because they receive a deluge of false information from users who don’t want them to have their email addresses – fake names, emails, etc. – but they do still want the content or other reward being promised.
So, while it will take some time to adapt to the GDPR, rest assured that it will be worth it in the long-run.
We’re not lawyers 🙂
This article is intended to provide some helpful information, not legal advice. Please contact an attorney if you have questions about how this impacts your business.