Over the last year or so we’ve all heard about it, thought about it and talked about it. The big question is – does your business have to do anything about it?
We can answer this right now:
If you haven’t updated your tracking procedures and/or privacy policies, but use third-party tracking from tools like Google Analytics or the Facebook pixel and have visitors from Europe on your website, there is a high likelihood that you are not complying with EU law.
Your website and online marketing channels may not be compliant with the European GDPR, and your company may be exposed to regulatory fines as well as lawsuits.
On May 25th 2018, when the GDPR became enforceable, everybody panicked about the new law. In retrospect, very few businesses actually took action to update their privacy settings to match it.
No surprise. It was hard enough to understand the law (both on a technical and then on a reasonable level) and it was almost impossible to foresee how to implement the changes, without banning all visitors from the EU on our websites. There simply wasn’t an easy solution available.
As a result, it seems that most companies didn’t change anything. Until now, most businesses seemed to ignore the new laws and are simply hoping that they won’t be part of the first law case.
There haven’t been any lawsuits yet, hence the interpretation of the law is still blurry.
One thing is for sure:
Many business owners have their heads in the sand, hoping that their business doesn’t become a target for European authorities. This is clearly a mistake, as it leaves the business exposed to enforcement action and lawsuits.
Good news is, a few weeks into the GDPR era, there are now some established best practices. And most importantly: best practices that are both easy to implement, and that won’t drastically hurt your online marketing performance.
We’re in no way authorized to give you legal advice, we’re simply here to share our observations on how many established companies have updated their online presence, and to present 3 easy steps for how you can do the same for your business:
Update your online presence for GDPR in 3 easy steps:
- Add a pop-up notification on your website
The pop-up notification that most websites are using usually doesn’t ask for permission to use the data. Instead, it simply informs website visitors that by staying on the website they are accepting the updated privacy policy.
Here is an example of Accor Hotels – one of the biggest hotel websites in the world – using a simple pop-up notification:
If you are using WordPress you can easily create a pop-up notification by using a plugin like this:
Note that this is different from what Facebook recommends: they offer a function that only starts tracking data after people have explicitly given their permission (https://developers.facebook.com/docs/facebook-pixel/events-advanced-use-cases/v3.0). It is also different from what some of the bigger companies do, which is to explicitly ask users to opt in before any tracking starts.
- Updated Privacy Policies
Note that you still might need to do some manual edits inside the policy generator.
- Update your email subscribers
Another important step is to update all of your email subscribers about the updated privacy policies.
Again, some companies do this by asking subscribers to opt in again (which will most likely cause them to lose many subscribers who never re-confirm), while other companies simply inform their subscribers about the updated privacy policy and take their acceptance for granted unless they opt out.
Here is an example of Air Asia’s notification:
If this is good enough for major companies, then it should also be good enough for your company.
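To make the difference between the two pop-up approaches from step 1 concrete, here is an added example (not code from the original post, from Accor Hotels, or from Facebook): a small consent gate that keeps third-party trackers such as the Facebook pixel or an analytics tag switched off until the visitor has explicitly opted in, remembers that choice, and fails closed if the stored value is missing, corrupted or expired. The storage key, the 180-day re-consent period and the loader callbacks are assumptions made for the example; the storage object is injected so the code runs in Node as well as in a browser.

```javascript
// Added example: consent-gated loading of third-party trackers.
// Nothing here is vendor code; the key, TTL and category names are assumptions.

const CONSENT_KEY = 'tracking_consent_v1';              // assumed storage key
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;       // re-ask after 180 days (assumption)

// Read a stored decision. Returns null when no valid decision exists; the
// caller must treat null as "no consent": trackers stay off, the banner shows.
function readConsent(storage, now = Date.now()) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return null;                                        // corrupted value: fail closed
  }
  if (typeof parsed !== 'object' || parsed === null) return null;
  if (typeof parsed.timestamp !== 'number' || now - parsed.timestamp > CONSENT_TTL_MS) {
    return null;                                        // missing or stale decision
  }
  return {
    analytics: parsed.analytics === true,               // anything but explicit true is "no"
    marketing: parsed.marketing === true,
    timestamp: parsed.timestamp,
  };
}

// Persist the visitor's explicit choice. Every category defaults to false, which is
// the opposite of the "stay on the site and you accept" pop-up.
function recordConsent(storage, choices, now = Date.now()) {
  const decision = {
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    timestamp: now,
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(decision));
  return decision;
}

// Run only the loaders whose category was granted. In a browser each loader would
// inject the vendor <script> tag (pixel, analytics snippet). Returns what was loaded.
function loadConsentedTrackers(consent, loaders) {
  const loaded = [];
  if (!consent) return loaded;
  for (const [category, load] of Object.entries(loaders)) {
    if (consent[category] === true) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// The pattern the "notification only" pop-up amounts to: fire every tracker on
// page load and merely tell the visitor afterwards. Shown for contrast only.
function loadAllTrackersUnconditionally(loaders) {
  Object.values(loaders).forEach((load) => load());
  return Object.keys(loaders);
}

// Tiny in-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Walk through a visit: the first page view loads nothing; after an opt-in for
// analytics only, the next page view loads just that tracker and not the pixel.
function demo() {
  const storage = memoryStorage();
  const fired = [];                                     // constructed record of what ran
  const loaders = {
    analytics: () => fired.push('analytics'),
    marketing: () => fired.push('marketing'),           // e.g. the Facebook pixel
  };
  const firstVisit = loadConsentedTrackers(readConsent(storage), loaders);
  recordConsent(storage, { analytics: true });          // visitor ticks analytics only
  const afterOptIn = loadConsentedTrackers(readConsent(storage), loaders);
  return { firstVisit, afterOptIn, fired };
}
```

In a real page you would call `readConsent(window.localStorage)` before any vendor snippet is injected, show the banner only when it returns null, and call `recordConsent` from the banner's buttons. Note that the check treats anything other than an explicit `true` as a refusal, so a tampered or half-written value can never switch a tracker on.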
Now that we’ve addressed how to update your website and email marketing for the GDPR, you might still be wondering what the GDPR actually is and why it matters. Here is some clarity on the matter:
What is GDPR and why do I need to bother?
The European General Data Protection Regulation (GDPR for short) has been created to give citizens and residents of the EU more control of their personal data. “Personal data” is any information that can be used to identify a natural person.
- Examples include: name, identification number, address or location data, religion, ethnicity, marital status, IP addresses, cookie strings, social media posts, online contacts, and mobile device IDs.
Any company that collects data of people in the EU (residents, not only citizens) has to comply with this regulation, regardless of where the company is located, provided it offers goods or services to those people or monitors their behaviour (Article 3). Evidence of targeting EU consumers could include:
- currency of an EU nation
- providing marketing content in an EU nation’s language, or
- having a domain suffix that corresponds with an EU nation.
It is difficult to know for certain how GDPR will be enforced against foreign companies until legal decisions applying the regulation have been rendered.
The key points:
- Data breaches must be reported to the supervisory authority (the national Data Protection Authority, DPA) within 72 hours of becoming aware of them (Article 33), and to the affected people “without undue delay” where the breach is likely to result in a high risk to them (Article 34).
- Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
- Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format upon request.
- The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- The data minimisation principle (Article 5) and data protection by design and by default (Article 25) require controllers to hold and process only the data necessary for each specific purpose, and to limit access to personal data to those who need it to carry out the processing.
- Where a processor handles data on your behalf (an email marketing provider, for example), the processing must be limited to what the service needs and be defined in a written contract (Article 28).
- Under the GDPR, a company may not rely on consent to process the personal data of anyone under 16 for online services offered directly to children without parental consent (Article 8); member states may lower that threshold, but not below 13. Implement a process to verify age and to obtain parental consent when necessary.
We are not in the position to give you legal advice and are only sharing our observations here.