As you've likely already heard, the new General Data Protection Regulation (GDPR) goes into effect on May 25th and includes some pretty hefty fines for violations (Article 83 caps them at €20 million or 4% of worldwide annual turnover, whichever is higher). If you're marketing for a company in the U.S., you may have assumed the EU regulation didn't concern you. However, even non-EU companies will have some work to do if they market on the web. And really, who doesn't market on the web these days?
- What Exactly is GDPR?
- GDPR Requirements for U.S. Based Companies
- How Will the EU Impose Regulations on U.S. Companies?
- Key GDPR-Related Terms and Concepts
- What Marketing Changes are Implied by GDPR?
What Exactly is GDPR?
GDPR stands for General Data Protection Regulation. It's a European Union (EU) regulation that, as of May 25, 2018, replaces the 1995 EU Data Protection Directive (Directive 95/46/EC). The new regulation aims to further strengthen the protection of personal data for people in the EU, which includes increasing the obligations of companies that collect, store, or process personal data and stiffening the penalties for violations.
GDPR Requirements for U.S. Based Companies
Even if you're not actively targeting the EU with your marketing, you could have EU residents visiting your website, subscribing to your blog, downloading content offers, and landing in your email marketing list. If any of this is happening, you're processing and storing personal data of people in the EU.
Article 3 of the GDPR sets the territorial scope. Article 3(1) covers any controller or processor established in the EU, "...regardless of whether the processing takes place in the Union or not." Article 3(2) is the part that reaches U.S. companies with no EU establishment: it applies when you process the personal data of data subjects who are in the Union in connection with offering them goods or services (paid or free) or monitoring their behaviour within the Union. Note that the test is being in the Union, not citizenship or residency, so a U.S. citizen living in the EU is covered. In marketing terms, GDPR has implications for you if your website gets traffic from EU countries and you capture visitor data or monitor visitor behavior, which includes:
- having Google Analytics, heatmapping, or other behavior tracking installed on your website
- capturing online leads with web forms
- having EU residents in your email marketing database
- having EU residents in your CRM
- digital advertising which involves tracking pixels or cookies
- marketing to EU residents
- selling products or services to EU residents
How Will the EU Impose Regulations on U.S. Companies?
That's a good question that we've also pondered. Enforcement sits with the supervisory authorities of the member states, which can investigate, order processing to stop, and levy administrative fines (up to €20 million or 4% of worldwide annual turnover under Article 83). A non-EU company that falls under Article 3(2) is, with limited exceptions, also required by Article 27 to designate a representative in the EU whom the authorities and data subjects can contact. The information contained in this post is not a substitute for legal advice, so first and foremost, consult your company's attorney or legal counsel to ensure you're taking all the steps required for your specific situation.
Key GDPR-Related Terms and Concepts
All the GDPR legal documentation is overwhelming, but there are a few key terms and concepts that marketers should spend a little time digesting. Understanding these will give you better insight into the marketing changes your legal team may recommend.
Data Subject: The identified or identifiable natural person the personal data is about. For the territorial scope discussed above, that means anyone who is in the EU, not only EU citizens or residents.
Controller: The organization or company that is collecting personal data and making decisions about how it's used. If your company is collecting personal data, you're the controller.
Processor: The organization or company that's processing data based on controllers' instructions, but not making decisions on how the data is used. Your sales and/or marketing software company is a processor, but may be one of many processors you use.
Personal Data: Any information relating to a data subject that could be used to identify them, directly or indirectly, such as name, IP address, credit card or account number, phone number, physical address, or an online identifier like a cookie ID. Additional details, including the "special categories" of personal data (what many people call sensitive personal data, covered by Article 9), can be found in the PDF of the Regulation.
Processing: Operations (manual or automated) performed on personal data including, but not limited to, recording, collecting, storing, using, disseminating, disclosing, altering, retrieving, transmitting, restricting, erasing, destroying, etc.
Personal Data Processing Principles: Under GDPR, personal data must be:
- processed lawfully, fairly, and transparently
- processed in a secure manner and protected from unauthorized use or damage
- collected for a specific purpose and not used further in ways incompatible with the specified purpose
- relevant and limited to what's required for the specified purpose
- accurate and kept up-to-date
- retained no longer than is necessary for the specified purpose
Lawful Basis of Processing: Under Article 6, processing is lawful only if at least one of the following applies:
- the data subject has given consent to the processing for one or more specific purposes
- processing is necessary for the performance of a contract with the data subject (like invoicing your customers) or to take steps at their request before entering into one
- processing is necessary to comply with a legal obligation
- processing is necessary to protect the vital interests of the data subject or another person
- processing is necessary for a task carried out in the public interest or in the exercise of official authority
- processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the data subject's interests or fundamental rights (this is the basis many companies rely on for some B2B marketing, and you should document the balancing you did)
Consent with Proper Notice: "Consent" is one of the lawful bases listed above, and Article 7 requires it to be obtained and recorded in specific ways. Under GDPR your company or organization must:
- tell data subjects what they're opting into, in clear and plain language (the "notice")
- ensure opt-in is an affirmative act, not a pre-checked box that has to be unchecked to opt out, and not silence or inactivity
- ask separately for each distinct purpose (marketing emails, calls from sales, sharing with partners, etc.) rather than bundling them into one checkbox
- avoid making consent to marketing a condition of delivering something that doesn't need it, since consent given under that kind of pressure is unlikely to count as "freely given"
- record evidence of who consented, when, how, and what message the data subject saw when they consented
- be able to retrieve that evidence on request, because under Article 7(1) the burden of proving consent falls on the controller
Withdrawal of Consent: Article 7(3) requires the controller (your company) to let data subjects see exactly what they're signed up for and withdraw consent at any time, and withdrawing must be as easy as giving it.
Data Access, Portability, Modification, and Deletion: Under GDPR, data subjects have the right to:
- be told what you process, on what lawful basis, for how long, and with whom you share it (Articles 13 and 14)
- request access to their stored personal data, which you normally have to answer within one month (Articles 12 and 15)
- obtain a portable copy of the data they provided, in a structured, commonly used, machine-readable format such as CSV or JSON (Article 20)
- have inaccurate data on file corrected (Article 16)
- be "forgotten", meaning the permanent removal of all contact information, behavioral tracking, and history you have stored about them, with the request passed on to anyone you shared the data with (Articles 17 and 19). Article 17 sets out the conditions and exceptions.
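The consent and data-rights requirements above are easiest to meet with an append-only consent ledger: every grant or withdrawal is a new event, the current state is derived by replaying events, and each grant carries a fingerprint of the exact notice text the visitor saw. The following is an added illustration written for this article, not code from any vendor or from the author; the purpose names, form field names, and `NOTICE_V1` text are constructed for the example. It also shows why the "no pre-checked box" rule is easy to enforce server-side: browsers omit unchecked checkboxes from a POST, so a purpose is recorded only if its field actually arrived.

```python
"""Append-only consent ledger: grant, withdraw, prove, export, erase (illustrative)."""
import csv
import hashlib
import io
from dataclasses import dataclass, asdict, fields
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed notice text shown next to the consent checkboxes (assumption for the example).
NOTICE_V1 = ("We will email you our monthly newsletter and may call you about our "
             "services. You can withdraw consent at any time from the preference page.")


def notice_fingerprint(text: str) -> str:
    """SHA-256 of the exact wording, so you can later prove what the subject saw."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # e.g. the email address or an internal contact id
    purpose: str         # one granular purpose: "newsletter", "sales_calls", ...
    action: str          # "grant" or "withdraw"
    at: str              # UTC timestamp, ISO-8601
    source: str          # where it happened: form id, preference page, ...
    notice_version: str  # label of the notice text shown (empty on withdraw)
    notice_sha256: str   # fingerprint of that text (empty on withdraw)


class ConsentLedger:
    """Events are only appended; current consent is derived by replaying them."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _stamp(when: Optional[datetime]) -> str:
        return (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()

    def record_from_form(self, subject_id: str, posted_fields: Dict[str, str],
                         purposes: List[str], notice_text: str, notice_version: str,
                         source: str, when: Optional[datetime] = None) -> List[str]:
        """Record a grant only for purposes whose checkbox the visitor ticked.

        An unchecked checkbox is absent from the POST body, so the presence of
        consent_<purpose>=on is the affirmative act; nothing is assumed by default.
        """
        granted = [p for p in purposes if posted_fields.get(f"consent_{p}") == "on"]
        for p in granted:
            self._events.append(ConsentEvent(subject_id, p, "grant", self._stamp(when),
                                             source, notice_version,
                                             notice_fingerprint(notice_text)))
        return granted

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 when: Optional[datetime] = None) -> None:
        """Withdrawal is a new event; the original grant stays as evidence."""
        self._events.append(ConsentEvent(subject_id, purpose, "withdraw",
                                         self._stamp(when), source, "", ""))

    def current(self, subject_id: str) -> Dict[str, bool]:
        """Replay events in order; the last event per purpose wins."""
        state: Dict[str, bool] = {}
        for e in self._events:
            if e.subject_id == subject_id:
                state[e.purpose] = e.action == "grant"
        return state

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest grant for this purpose: when it was given and which notice was shown."""
        grants = [e for e in self._events
                  if e.subject_id == subject_id and e.purpose == purpose and e.action == "grant"]
        return grants[-1] if grants else None

    def export_csv(self, subject_id: str) -> str:
        """Portable copy of everything the ledger holds about one subject."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(ConsentEvent)])
        writer.writeheader()
        for e in self._events:
            if e.subject_id == subject_id:
                writer.writerow(asdict(e))
        return buf.getvalue()

    def erase(self, subject_id: str) -> int:
        """Erasure request: drop every event for the subject; returns how many were removed."""
        before = len(self._events)
        self._events = [e for e in self._events if e.subject_id != subject_id]
        return before - len(self._events)
```

Storing the notice version and hash rather than the full text keeps the ledger small while still letting you reproduce exactly what was displayed, provided you keep every historical notice version on file. Whether to keep a minimal suppression record after erasure so a contact is not accidentally re-imported is a question for your legal team, since it is itself personal data.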
What Marketing Changes are Implied by GDPR?
Absolutely consult your legal counsel for specifics that apply to your company, but here are some marketing-related changes that may make your list.
Website & Marketing Technology CHANGES
Many major marketing and sales software companies (which are "processors") have been working diligently in preparation for May 25th to put added GDPR compliance features in place. For example, WordPress just announced its 4.9.6 Privacy and Maintenance Release with GDPR features, and HubSpot has added a ton of new tools and features to make GDPR compliance easier for its customers.
Whatever marketing-related software you're using, check with your "processor" to find out what they've done to prepare for GDPR and ask what you as the "controller" need to do to activate any new GDPR features. Simply using GDPR compliant software doesn't mean you're in compliance. You still have to execute the necessary steps outlined by your legal team. To help you out, I've compiled a list of GDPR announcement links below for a few popular software/technology companies.
GDPR Technology Readiness Announcements
- WordPress 4.9.6 release
- Gravity Forms
WEBSITE PLUGIN CHECKS AND CHANGES
- Investigate the plugins your website is using to determine what type of data each plugin collects and ensure your plugins are compliant
- Remove or replace non-compliant plugins
- Look into GDPR-specific plugins for consent banners, cookie control, and handling access and erasure requests (WordPress 4.9.6 itself adds built-in personal data export and erasure tools and a privacy policy page helper)
PRIVACY POLICY CHANGES
Your privacy policy is the "notice" half of notice and consent, so update it to cover:
- Exactly what information your website collects and specifically how the information will be used
- Collection of data from "under age" visitors: where you rely on consent for online services offered to children, Article 8 makes a child's consent valid only from age 16 (member states may lower this to 13); below that age, a parent or guardian must give or authorise it
- Addressing any third-party service providers you share information with
- Addressing the process required to opt out or revoke access to personal data
- Addressing the process for personal data to be "forgotten"
GOOGLE ANALYTICS CHANGES
If you use Google Analytics, and I hope you do, your webmaster should have received several notices from Google about its new data retention settings and the action required due to GDPR.
- Review Google's new data retention controls and set the retention period that matches your policy before May 25th. The default is 26 months; once the setting takes effect, user-level and event-level data older than the period you choose is automatically deleted (aggregated reports aren't affected).
- Review Google's new EU User Consent policy to ensure you're properly obtaining consent, maintaining records on consent given, and providing the ability to revoke consent
- Keep an eye on Google's Developer Resources for the new deletion tool that's supposed to be released before May 25th
- Review other Google resources you may need depending on the advice from your legal team.
WEBSITE FORM(s) CHANGES
Add the ability for your website forms to:
- Obtain explicit, purpose-by-purpose consent before the form is submitted
- Make sure the language used to relay consent information is easy to understand
- Deliver the gated "free offer" even if the visitor declines marketing consent; tying the download to consent means the consent is unlikely to count as freely given
- Remove any pre-checked consent or subscribe boxes from your forms
- Remove any form questions that exceed what's necessary to achieve the intended collection purpose (the data minimisation principle)
BLOG COMMENTING CHANGES
- Obtain consent before users can leave a comment
- Disclose that your website will store comments and any other information that's tracked related to their comment (like the date or IP address)
- Let them know what information could be publicly displayed (if provided) related to the comment
- Let them know if comments and information are shared with third-parties (like Disqus)
Email Marketing Opt-in and Template Changes
- Add a checkbox to subscription forms to allow visitors to provide email marketing consent
- Provide specifics about everything a potential subscriber is going to receive once they provide consent
- If your email marketing or newsletter uses tracking pixels to measure opens and clicks, disclose this clearly before someone subscribes
- Fully investigate your email service provider to verify the tools you're using are GDPR compliant
- Make sure you have a page for opt-in preferences (vs. only opt-out preferences)
- Ensure the email marketing templates you're using have appropriate data, notifications, and links in the footer for accessing opt-out and opt-in preferences
Contact Database Checks & Process Changes
- Check the health of your current database to ensure stored contacts have provided proper consent (or that you have another documented lawful basis); where you can't show one, re-permission or remove them
- Create internal standards for what data will be stored, how long it will be stored, and establish a consistent clean-up schedule
ADDING PROCESSES FOR PROVIDING (OR FORGETTING) PERSONAL DATA
- Create any new processes needed for EU residents to request access to their data, and to respond within the one-month window
- Ensure your process includes how you'll make updates to any inaccurate data
- Ensure you have the tools and processes in place to "forget" personal data upon request (see more on this in the marketing software check section)
DIGITAL AD RELATED CHANGES
- If your website uses remarketing ads, inform visitors as soon as they arrive and fire the remarketing tag only after they have given consent, which in practice means a consent banner that loads the tag on an affirmative choice rather than on page load
- If you publish sponsored content, determine whether tracking pixels or cookies are used by the publisher and, if they are, why
- If the sponsored content publisher will be remarketing to your visitors, you must inform visitors and obtain consent before the publisher's tag fires on your site
CHANGES RELATED TO AFFILIATE LINKS & ADS YOU DISPLAY
If you use affiliate links or have third-party ads displayed on your website you'll need to:
- Get cookie usage consent before your visitor clicks an affiliate link
- Obtain informed consent up front (by pop-up or overlay) explaining that you use a third-party ad server that collects user data, and load the ad server's scripts only after consent
- Explain explicitly and specifically how the collected data will be used
CHANGES RELATED TO SALES OF PRODUCTS/SERVICES
If you're selling services or products to EU residents:
- Only collect the information that's actually necessary at checkout (what do you really need on file to properly service this customer?)
- Tell the customer, before they submit the order, how the information they're submitting will be used. Processing needed to set up and service their account rests on the contract basis and doesn't need a separate consent, but if you plan to communicate with them for other reasons (marketing emails, sharing with partners), you need to specify how and why and obtain consent for that use.
I hope you found this post helpful! If you're searching for marketing or sales software tools with GDPR-compliant features, we'd be glad to chat with you more about some that we love using for ourselves and our clients. One of these is HubSpot.
Disclaimer: The information contained in this post is not the same as legal advice nor a recommendation on any particular legal interpretation. Please consult your attorney for legal advice on GDPR compliance specific to your company's needs.