May 18, 2018 | Holly Yalove

How GDPR Impacts Marketing for U.S. Based Companies

As you've likely already heard, the new General Data Protection Regulation (GDPR) goes into effect on May 25th and includes some pretty hefty fines for violations. If you're marketing for a company in the U.S., you may have assumed the EU regulation didn't concern you. However, even non-EU companies will have some work to do if they market on the web. And really, who doesn't market on the web these days? 

Contents

 

WHAT EXACTLY IS GDPR?

GDPR stands for General Data Protection Regulation and it's a European Union (EU) regulation which, as of May 25, 2018 replaces the 1995 EU Data Protection Directive (DPD). The new regulation aims to further enhance the protection of personal data for EU residents, which includes increasing the obligations of companies who collect, store, or process personal data including stronger penalties for regulation violations. 

GDPR Requirements For U.S. Based Companies

Even if you're not actively targeting the EU with your marketing, you could have EU residents visiting your website, subscribing to your blog, downloading content offers, and getting into your email marketing list. If any of this is happening, you're processing and storing personal data for EU residents. 

According to Article 3 of the GDPR, the territorial scope of the regulation applies to the processing of personal data for EU residents (including U.S. citizens living in the EU) "...regardless of whether the processing takes place in the Union or not." So, GDPR has implications for your marketing if your website gets traffic from EU countries and you capture visitor data or monitor visitor behavior, which includes:

  • having Google Analytics, heatmapping, or other behavior tracking installed on your website
  • capturing online leads with web forms
  • having EU residents in your email marketing database
  • having EU residents in your CRM
  • digital advertising which involves tracking pixels or cookies
  • marketing to EU residents
  • selling products or services to EU residents 

 

How will the EU impose regulations on U.S. companies?

That's a good question that we've also pondered. The information contained in this post is not a substitute for legal advice, so first and foremost, consult your company's attorney or legal counsel to ensure you're taking all the steps required for your specific situation.

Key GDPR-Related Terms and Concepts 

All the GDPR legal documentation is overwhelming, but there are a few key terms and concepts that marketers should spend a little time digesting. Understanding these will  provide you with better insights for potential marketing changes your legal team may recommend.

Data Subject: In the case of the GDPR, this is an EU resident

Controller: The organization or company that is collecting personal data and making decisions about how it's used. If your company is collecting personal data, you're the controller.

Processor: The organization or company that's processing data based on controllers' instructions, but not making decisions on how the data is used. Your sales and/or marketing software company is a processor, but may be one of many processors you use.

Personal Data: Any information related to a data subject that could be used to identify them such as name, IP address, credit card, account number, phone number, or physical address. For additional details about personal data, including what's considered "sensitive personal data" can be found on the PDF of the Regulation. 

Processing: Operations (manual or automated) performed on personal data including, but not limited to, recording, collecting, storing, using, disseminating, disclosing, altering, retrieving, transmitting, restricting, erasing, destroying, etc. 

Personal Data Processing Principles: Under GDPR, personal data must be: 

  • processed lawfully, fairly, and transparently
  • processed in a secure manner and protected from unauthorized use or damage
  • collected for a specific purpose and not used further in ways incompatible with the specified purpose
  • relevant and limited to what's required for the specified purpose
  • accurate and kept up-to-date
  • retained no longer than is necessary for the specified purpose

Lawful Basis of Processing: Processing is considered lawful only if at least one of the following criteria is met:
  • consent to personal data processing is given for one or more specific purposes
  • processing is necessary for the performance of a contract (like invoicing your customers) 
  • processing is required to be in compliance with a legal obligation
  • processing is necessary to protect the vital interests of the data subject or another person
  • processing is required to perform a legitimate official task or a task carried out in the public interest 

Consent with Proper Notice: "Consent" is one of the lawful basis of processing criteria (shown above) and it must be obtained and recorded in specific ways. Under GDPR this requires your company or organization to:

  • tell data subjects what they're opting into (called "notice")
  • ensure opt-in is affirmative and not a pre-checked box that has to be unchecked to opt out 
  • provide granular details covering all the ways you process and use personal data (marketing emails, calls from sales, etc.)
  • record evidence that consent was given, when it was given, and what message the data subject saw when they consented 
  • retrieve the evidence of consent described above 

Withdrawal of Consent: GDPR requires the controller (your company) to provide the ability for data subjects to see exactly what they're signed up for and easily withdraw consent at any time.

Data Access, Portability, Modification, and Deletion: Under GDPR, data subjects have the right to:

  • request verification of your documentation on lawful processing and consent
  • request access to their stored personal data 
  • obtain a portable record of the data (CSV, XLS, etc.)
  • request update to any inaccurate data on file
  • request to be "forgotten" - the permanent removal of all contact information, behavioral tracking, and history you have stored in your database. There are conditions around this detailed here.

 

Use of Cookies: You must provide notice to data subjects that you're using cookies to track behavior and they must give consent (opt-in) to being tracked.

What Marketing Changes are IMPLIED BY GDPR?

Absolutely consult your legal counsel for specifics that apply to your company, but here are some marketing-related changes that may make your list...

Website & Marketing Technology CHANGES

Many major marketing and sales software companies (who are "processors") have been working diligently in preparation for May 25th to put added GDPR compliance features in place. For example, WordPress just announced their 4.9.6 Privacy and Maintenance Release with GDPR features, and HubSpot has added a ton of new tools and features to make GDPR compliance easier for their customers. 

Whatever marketing-related software you're using, check with your "processor" to find out what they've done to prepare for GDPR and ask what you as the "controller" need to do to activate any new GDPR features. Simply using GDPR compliant software doesn't mean you're in compliance. You still have to execute the necessary steps outlined by your legal team. To help you out, I've compiled a list of GDPR announcement links below for a few popular software/technology companies.

GDPR Technology Readiness Announcements

  • HubSpot 
    • HubSpot has done a ton of work to prep for GDPR compliance from automatic "forget me" data deletion features to special "consent" recording options. To learn more,get a free HubSpot demo here.
  • WordPress 4.9.6 release
  • WooCommerce
  • Gravity Forms 

WEBSITE PLUGIN CHECKS AND CHANGES

  • Investigate the plugins your website is using to determine what type of data each plugin collects and ensure your plugins are compliant

 

WEBSITE PRIVACY POLICY CHANGES

Edit your privacy policy to address GDPR requirements including:
  • Describing exactly what information your website collects and specifically how the information will be used
  • Addressing collection of data for "under age" visitors - GDPR doesn't allow a company to collect personal data for anyone under 16 without parental consent
  • Addressing any third-party service providers you share information with
  • Addressing the process required to opt out or revoke access to personal data
  • Addressing the process for personal data to be "forgotten"

 

GOOGLE ANALYTICS CHANGES

If you use Google Analytics, and I hope you do, your webmaster should have received several notices from Google addressing their new data retention settings and the action required due to GDPR. 

 

WEBSITE FORM(s) CHANGES 

Add the ability for your website forms to:

  • Obtain explicit consent before the form is submitted
  • Relay specifically how data gathered in the form is stored, used now, used in the future, etc. (consider a link to your updated privacy policy)
  • Make sure the language used to relay consent information is easy-to-understand
  • Provide a way to deliver "free offers" gated forms in the event consent is not given 
  • Remove any pre-checked consent or subscribe boxes used in your forms
  • Remove any form questions which may exceed what GDPR would deem necessary to achieve the intended collection purpose 

 

BLOG COMMENTing CHANGES

  • Obtain consent before users can leave a comment 
  • Disclose that your website will store comments and any other information that's tracked related to their comment (like the date or IP address)
  • Let them know what information could be publicly displayed (if provided) related to the comment
  • Let them know if comments and information are shared with third-parties (like Disqus)

Email Marketing Opt-in and Template Changes

  • Add a checkbox to subscription forms to allow visitors to provide email marketing consent
  • Provide specifics about everything a potential subscriber is going to receive once they provide consent
  • If your email marketing or email newsletter uses tracking pixels to measure opens and clicks, provide this disclaimer clearly before someone subscribes
  • Fully investigate your email service provider to verify the tools you're using are GDPR compliant
  • Make sure you have a page for opt-in preferences (vs. only opt-out preferences)
  • Ensure the email marketing templates you're using have appropriate data, notifications, and links in the footer for accessing opt-out and opt-in preferences 

Contact Database Checks & Process Changes

  • Check the health of your current database to ensure stored contacts have provided proper consent
  • Create internal standards for what data will be stored, how long it will be stored, and establish a consistent clean-up schedule

 

ADDING PROCESSES FOR PROVIDING (OR FORGETTING) Personal DATA

  • Create any new processes needed for EU residents to request access their data
  • Ensure your process includes how you'll make updates to any inaccurate data
  • Ensure you have the tools and processes in place to "forget" personal data upon request (see more on this in the marketing software check section) 

 

DIGITAL AD RElated Changes

  • If your website uses remarketing ads, set up a method to immediately inform website visitors as they enter to obtain proper consent
  • If you publish sponsored content, determine if tracking pixels or cookies are used by the publisher and if they're used why
  • If the sponsored content publisher will be remarketing to your visitor, you must inform the visitor and obtain consent immediately upon entering your site

 

Changes Related To Affiliate LInks & ADS You Display

If you use affiliate links or have third-party ads displayed on your website you'll need to:

  • Get cookie usage consent before your visitor clicks an affiliate link
  • Obtain immediate informed consent (by pop-up or overlay) explaining you use a third-party ad server that collects user data
  • Explain explicitly and specifically how collected data will be used 



CHANGES RELATED TO Sales of PRODUCTs/SERVICES
If you’re selling services or products to EU residents:

  • Only collect the information that's actually necessary upon checkout (what do you really need on file to properly service this customer?)
  • Obtain explicit consent from your customer prior to their purchase submission to let them know how the information they're submitting will be used. For example, will you use it to set up and service their account? If you plan to communicate with them for other reasons, you need to specify how/why and get consent.

 

I hope you found this post helpful! If you're searching for marketing or sales software tools with GDPR-compliant features, we'd be glad to chat with you more about some that we love using for ourselves and our clients. One of these is HubSpot, and you can get a free HubSpot demo here or click the button below.

Learn About HubSpot's GDPR Features

Disclaimer: The information contained in this post is not the same as legal advice nor a recommendation on any particular legal interpretation. Please consult your attorney for legal advice on GDPR compliance specific to your company's needs.

 

Holly Yalove

Holly Yalove

As VIEO’s chief strategist and one of our principals, Holly Yalove serves as the head digital and inbound marketing strategy for our clients. She has used her extensive management, sales, and marketing experience to dramatically increase our digital marketing business, helping us become the well-rounded agency we are today.

Related Post: