Does GDPR Apply to Us?

6/7/2018

    Well, the big day came and went. The ball has dropped. The dogs are released. The milk is spilt. And we’re out of euphemisms.

    For anyone who may not know what the GDPR is, we have a handy blog post for you. For the rest of you…

    The European Union’s General Data Protection Regulation is now fully enforceable. As you may have noticed, the world didn’t end, and the GDPR enforcers didn’t come to take your data away. Mainly, you’re seeing lots of emails telling you how companies are changing policies to protect your data and pop-ups on websites begging for permission to cookie you.

    So, your worries are over, right?

    ‘Bout that…

    As with any newly enforceable law, there are still lots of questions floating around about who it really affects, what authority can enforce it and what a business might need to do to become compliant. And, yes, your organization is probably impacted in some manner or form.

    But I’m not in Europe, dammit!

    We’re glad you noticed. However, GDPR in all of its general data protectiony glory transcends geography—it crosses borders more swiftly than Edward Snowden. It’s an extraterritorial law. Not to be confused with an extraterrestrial law—that’s something different entirely. (Though, give it time. We’re coming for you, Mars!)

    In short, the law is enforceable against organizations outside of Europe if those organizations are storing or processing the data of European citizens.

    Psh… they’ll have to catch me first.

    Yeah, that won’t be hard. All it takes is one complaint to flag you. No organization is impervious to a pissed off consumer with an ax to grind. Not to mention organizations like this one that literally exist to catch you—and they started day one, by the way.

    But what can they really do?

    This is perhaps the eeriest part of all. Nobody knows. Though complaints have been filed and requests have been made for maximum penalty enforcement, nothing has happened yet. One thing is certain: The European Union will not simply pull a Miss Shields.

    So, even though we don’t know exactly how the new rules will be enforced, as CIO Dive points out, nobody wants to be GDPR’s guinea pig. And Andrea Jelinek (who?) warns that organizations can expect little leniency from the GDPR police.

    What to do… what to do… what to do…

    There are lots of options, and we’ve noticed different organizations adopting a variety of solutions ranging from total denial to simply blocking European users. Tronc-owned U.S. news sites have noticeably adopted the latter.

    Particularly with regard to marketing automation and email marketing, two of the marketing discipline’s most data-driven strategies, there are some recommendations we have that may generally help reduce the risk of GDPR infractions.

    Privacy Policy Updates
    You’ve seen lots of companies do it by now. Update your privacy policy to reflect new GDPR requirements, customer rights and how you’ll comply with them. Your privacy policy also needs to be free of legalese and easy enough for the average bear to understand. Some information on how companies are adapting their privacy policies is available online.

    Cookie Permissions
    They’re effective for tracking and oh so tasty, but, under GDPR, users need to consent to their use, understand exactly what you’re using cookies for and be able to revoke consent at any time.

    This is a tricky one depending on how many different cookies your sites are currently placing in users’ browsers. There may even be third-party cookies from plugins or additional services you use on your site that are adding cookies you don’t know about.

    Granular Permissions
    Yup, no more blanket permission. It was a good run. It was a soft blanket.

    Users now need to be able to tell you exactly how you can contact them and use their data. Thankfully, a lot of marketing automation providers are building pre-made features like this into their preference centers and forms. See MailChimp’s standard GDPR field below.

    Passive Permissions
    Pre-ticked boxes, automatic use of cookies, blanket statements saying “by using our site you agree” and other methods of passive permission gathering gotta go. Affirmative consent is required under GDPR and, as detailed above, users must be able to freely give and revoke some or all permissions.

    Institute Double Opt-in
    Double opt-in, also known as the “are you really really sure?” method, calls for a user to provide consent twice. Most organizations operating under this consent method send a confirmation email after a user signs up for a newsletter or some other form of messaging and ask them to click on a second consent call to action. This provides a second record of a user’s permission and also brings other benefits, like preventing people from signing up with fake email addresses or email addresses that aren’t theirs.
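One way to keep the two consent records this method describes, alongside the per-purpose permissions and revocation covered in the sections above (an added example in Python, not code from this post or from any marketing automation provider; the purpose names, the in-memory store and the HMAC-signed confirmation token are assumptions):

```python
import hashlib, hmac, time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical purposes a marketer might ask about; each is opted into separately.
PURPOSES = {"newsletter", "product_updates", "third_party_sharing"}

@dataclass
class ConsentRecord:
    email: str
    purposes: Set[str]                    # what the user explicitly ticked
    requested_at: float                   # first record: the sign-up form
    confirmed_at: Optional[float] = None  # second record: the email click
    revoked: Set[str] = field(default_factory=set)

class ConsentLedger:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret               # server-side key for signing links
        self._records: Dict[str, ConsentRecord] = {}

    def request(self, email: str, purposes: Set[str], now: Optional[float] = None) -> str:
        # No blanket or pre-ticked consent: the caller must pass explicit, known purposes.
        if not purposes or not purposes <= PURPOSES:
            raise ValueError("consent must name one or more known purposes")
        rec = ConsentRecord(email, set(purposes), now if now is not None else time.time())
        self._records[email] = rec
        return self._token(rec)  # goes into the confirmation email link

    def _token(self, rec: ConsentRecord) -> str:
        # HMAC binds the link to exactly what was requested (address, purposes, time),
        # so a forged or altered confirmation will not verify.
        msg = f"{rec.email}|{','.join(sorted(rec.purposes))}|{rec.requested_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        rec = self._records.get(email)
        if rec is None or not hmac.compare_digest(token, self._token(rec)):
            return False
        rec.confirmed_at = now if now is not None else time.time()
        return True

    def revoke(self, email: str, purposes: Set[str]) -> None:
        # Consent can be withdrawn per purpose at any time; the history stays for audit.
        if email in self._records:
            self._records[email].revoked |= set(purposes)

    def may_contact(self, email: str, purpose: str) -> bool:
        rec = self._records.get(email)
        return (rec is not None and rec.confirmed_at is not None
                and purpose in rec.purposes and purpose not in rec.revoked)
```

Nothing is sendable until the click lands, and a later revocation of one purpose leaves the others untouched.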

    Add Country of Citizenship
    Since location data is often unreliable and doesn’t firmly tell you whether the location someone is accessing your site from is where the user lives, adding a country of citizenship field to all forms where you are collecting user data is a nice CYA. This helps you identify which region’s laws apply to that user’s data. It can also be a helpful way to refuse data from certain regions if you should choose that method.

    Re-permission Campaigns
    This is a way to retroactively apply that double opt-in method. For years, organizations have run reengagement campaigns where they ask subscribers to confirm via an email click if they are still interested in receiving messages. This method can also be used to reaffirm consent to be emailed and to notify users of updates to your privacy policy to comply with GDPR regulations.

    The drawback here is that re-permission campaigns have been known to cut database sizes in half or more. However, you will also find your engagement rates will probably increase once you cut a lot of the dead weight in your email databases.

    Audit Data Collection Online and Offline
    It’s true. GDPR regulations not only apply to data you’ve collected online but also offline. This really begs the question, “Do you know where all of John Doe’s data is?” If you don’t, you really need to figure it out and put methods in place for calling up that data or deleting it upon request.

    That is one big list of things to do. Some or all may be right for your organization. Ultimately, only your legal counsel can advise you on what will best protect you from legal ramifications. However, best practices and compliance audits à la GDPR-informed marketers are a good place to start.

    So, with people out there making predictions about what companies will be hit, watchdog organizations on the hunt for violators and even an amusing GDPR Hall of Shame, pretty much everyone seems to agree on one thing…

    Don’t do nothing.

    At the very least, analyze how at-risk your organization might be and what quick wins you can institute to at least demonstrate to regulators you are making an effort.

    Not to mention it is incredibly possible Europe's GDPR will inspire other nations or organizations to fight the good fight for consumer data privacy. It may not be long before laws get stricter closer to home. Best to get your house in order now.

    Feeling GDPR FOMO? Is a little voice inside of you screaming HELLLLLLP? Click here, and we’ll come running, figuratively.

    DISCLAIMER: All data and information provided in this blog post are for informational purposes only. thunder::tech makes no representations as to the accuracy, completeness, currency, suitability or validity of any information contained herein. We recommend consulting with a legal professional for any legal advice pertaining to GDPR compliance.

    About the author: Casey Braun is a Marketing Automation Specialist at thunder::tech. He creates and implements data-driven email and marketing automation strategies for our clients. Outside of the office, he's playing piano and singing in his band or rocking to Elton John. #SaveTheManatee