Before we move on, please understand that nothing in this article should be considered legal advice. For legal advice, you’ll need to contact your business attorney. Implementation of GDPR for US businesses is a work in progress as, like many laws, the language of GDPR is open to interpretation. Implementation will become more clear as it occurs and litigation precedents are set. This process is already underway. Mere hours after the deadline for implementation took place, complaints were already filed against Google, Facebook, Instagram and other large internet services.
What does the GDPR mean for US Businesses?
Here’s what we know so far: GDPR does impact US businesses. For any business that markets itself across the web, GDPR is a concern and you’ll need to do your homework. This applies to businesses of all sizes; not just big business.
The regulation is applied geographically, which makes sense; EU laws apply in the EU. So if you collect data from someone while they are in the EU, the law applies. It does not apply to EU residents while abroad. The regulation addresses any type data collection that is considered to contain personally identifiable information. A financial transaction is not required.
While working with our clients to implement GDPR, we created a list of items to consider. This is not a final list, but a work in progress. You’ll need to decide for yourself which items to implement and how to go about it. Again, please speak to your business attorney as needed.
Items to consider for GDPR compliance of your US business:
- Implement SSL site-wide
- Set up explicit opt-in on forms to receive email, default not checked
- Implement double opt-in for email marketing
- Set up cookie usage acceptance prompt
- Ensure all Marketing technology is GDPR compliant
- Ensure any personally identifiable information used in remarketing audiences is GDPR compliant (e.g. manage deletion of anyone in remarketing campaigns who has requested to be forgotten)
- Implement ability for person to request deletion of information (right to be forgotten)
- Ensure every database contact has explicitly opted in to receive emails. Alternatively, determine legitimate reason for communications under GDPR regulation.
As you might imagine, that last bullet item can have a major impact on marketing activities by dramatically reducing the size of your contact database. However, there are exceptions to the explicit opt-in. For instance, if the contact is an existing customer or sales contact, you have a legitimate business interest. This area, and other unclear definitions in the regulation language, is where you would likely benefit from legal council.
For more detailed background, definition and review of GDPR details, read on….
What is GDPR?
As we struggle to figure out data privacy here on American shores, the Europeans are moving full steam ahead with a suite of updated regulations that modernize privacy laws to align with today’s internet data harvesting and marketing techniques. The update, called the General Data Protection Regulation (now more known as GDPR for obvious reasons), seemingly couldn’t have come at a cannier time.
The GDPR enshrines data protection and digital privacy laws for EU citizens, replacing the last set of such regulations, like the Data Protection Directive, a golden oldie from 1995. Determining that the Data Protection Directive was woefully inadequate at protecting Europeans from today’s internet practices, the EU passed the GDPR in 2016, with a transitional period that ended with full enforcement on May 25, 2018.
In a nutshell, the primary driver of the GDPR is to give internet users more control over how their data is used (sound familiar, 87 million Facebook users?). The law mandates how companies collect, store, and use data, and it unifies what was once a patchwork quilt of privacy laws among the EU member states.
Let’s take a look at the new rights established for European internet users under GDPR. This is relevant to all internet users, including those here in the United States where we do business, since companies are expected to take a monolithic compliance approach with regard to traffic, no matter the geography of its origin. Keep in mind that these rights can pertain to data that is perceived to be in the public domain, such as name and address, all the way to the most private and highly-regulated data, like medical information.
New Individual User Rights under the GDPR
The headliner here is that if any company collects and processes a person’s private information, that entity is now bound to protect that information and provide a number of services to the individual person to whom the data pertains. Under the rules of the GDPR, the company must inform the internet user about what data is being collected, how it’s being used, and how long it will be retained and stored.
You can already surmise that legions of privacy policies will need updating and add much greater depth of detail as to use and storage of data. But GDPR doesn’t stop there.
In a move sure to disrupt internet marketing as we know it, users may now object to the practice of profiling, where websites and services create a profile, based on a user’s unique data, to use for other purposes, such as selling marketing on its platform to outside companies. Thus, users have the right to have sites cease and desist from engaging in these types of operations with them. This could have huge implications for entities like Facebook and Google, since their entire revenue models are based on such practices.
The Costs of Non-Compliance with GDPR
The penalties for non-compliance are stiff. As outlined in the GDPR, companies could face fines as high as 20 million euros or four percent of a company’s revenue. With the GDPR, the EU is getting deadly serious about data privacy and data security, and while written warnings could arrive for non-intentional non-compliance, failure to comply could trigger subsequent audits and fines.
While it’s still uncertain whether GDPR compliance will rule corporate legal spend here in the US for the foreseeable future, as it has been in Europe in preparation for the end of the two-year transition period, it’s likely that due to the multinational nature of a vast majority of internet companies, many will choose to comply with the GDPR for all users, not just those with EU-based IP addresses. It may be that much of the non-EU-based internet commerce community takes a wait-and-see-approach, calculating the potential business risks of non-compliance as added potential expense.
What About My Business?
While it’s true that not all businesses will be affected by the European Union’s GDPR, it’s going to affect more of you than you may think. Again, it’s about where your traffic comes from and how your data collection policies, as well as how you use that data and market to visitors, can impact those visitors as they arrive from European Union IP addresses.
For most businesses, it’s probably worth at least a quick inquiry with your business lawyer; one steeped in data privacy and information security compliance and proactive risk management strategies. Many of you, at a minimum, will need to update your privacy policies, while others should consider a host of compliance strategies, including detailed, publicly-available disclosures showing how you use site visitor data and how you store that data.
Header image sourced from Blogtrepreneur.
Diona is a managing partner at Knowmad. Her areas of expertise include digital marketing strategy, project management, brand management, search engine optimization (SEO), pay per click advertising, inbound marketing, content marketing, conversion rate optimization, social media marketing and website design.