“The processing of personal data should be for the good of mankind.”
That’s straight out of the new European Union Privacy law that is getting ready to send ripples through marketers and list-builders all over the world. It’s 80 pages and 50,000 words long…. And I read it.
That’s how much I love you guys.
Here’s the Deal:
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will take effect, replacing the EU Data Protection Directive (the prior privacy law and other sporadic laws enacted by member countries). Folks that violate the GDPR can be fined up to 4% of annual global “turnover” or 20 Million Euros—whichever is more. YIKES.
On its face, the GDPR applies to companies that:
1. Have an establishment in the EU
2. Provide goods or services to EU residents, or
3. Monitor the behavior of EU residents.
With the way marketing works today—think Pixel tracking, retargeting, email opt-ins, heat maps, abandoned cart recovery—this means the GDPR basically applies to anyone who offers products or services to consumers in Europe—or who doesn’t exclude European consumers from their offerings. Do you offer freebies, courses, digital downloads, or other information? Are you collecting personal data of any kind on your website? Then yes, the GDPR will apply to you—even though we’re in the U.S.!
Some Heavy Lifting:
“Personal Data” means any information relating to an identifiable “Natural Person”—meaning a real live human (sorry, your dog doesn’t count). An Identifiable Natural Person is someone who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data, email address, an online identifier like a screen name, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Personal Data includes technical identifiers, location data, IP address, photos and other information that directly or indirectly can identify the person, regardless of context. Even business emails can be considered Personal Data. For example, Patty@PlannersUnlimited.com would be considered personal data, but hello@PlannersUnlimited.com would not, as it is not directly tied to a Person.
Processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Ugh, what a mouthful. The breakdown? You’re processing information when you collect, keep, retrieve, store, move, or use that information in any way. Sending emails? Retargeting? Zapping that info to another app? Yep, yep, and yep. That counts.
Yes means Yes, Silence means No: How the GDPR is like Sex.
Under the GDPR (and, really, U.S. law as well) any time you collect information, you must get consent from the person whose data you’re collecting. This consent must be a “freely given, specific, informed and unambiguous” indication of a data subject’s agreement to processing. It must be provided by a clear affirmative action - not by silence or pre-checked boxes, or “bundled together” or “tied” with other terms and conditions.
Consents obtained prior to May 25, 2018 through via pre-ticked boxes probably won’t satisfy the GDPR’s clear, affirmative action requirement. Evaluate your methods of obtaining informed consent, and for any instances that do not satisfy GDPR standards, seek to obtain GDPR-compliant consents from those legacy individuals--or else no longer use the earlier acquired personal data. Requesting of consents from individuals whose previously obtained consent did not meet GDPR standards is what is referred to as a “re-permissioning” or “re-engagement” campaign.
Consider this common scenario: you go to a conference, collect business cards, and add those names to your email list. Under GDPR, you probably need actual consent from these business contacts in order to 1) process their information and 2) contact them for marketing purposes. Remember, under GDPR Article 4(1), this consent must be a “freely given, specific, informed and unambiguous” and provided by clear affirmative action. But how do you get that?? A conservative approach—one I predict we will see a LOT of—is providing a form fill on an iPad—and having them “opt in” and give consent that way.
How does this affect your Freebies? E.g., giving people some cool content in exchange for filling out a registration page with personal contact information? To comply with the GDPR, you likely should clearly state at the time of information collection what the specific uses of the information will be. Any non-disclosed purposes—meaning data that’s been repurposed without an explicit opt-in—are a NO GO.
Example: an organization could not use email addresses obtained solely for contest entry purposes to then market the person. They can’t then share that information with partners. Unless, of course, the person GAVE CONSENT and actively agreed to the organization using their personal data to do so.
If you ARE collecting data for other matters—e.g., a freebie opt-in, a quiz, or a contest—the consent must be “presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”
Soooo.....What does this mean for you?
Don’t do a bait and switch! Don’t collect info for a giveaway and then use it for marketing—unless you tell people. Don’t collect emails for a free webinar and then turn around and share it with your business bestie—unless you tell people. Just be clear and upfront!
Also, get those Privacy Policies Updated. Tell people what you're collecting, y'all! Name every program you use, and tell people what information you're giving them. We've released a version for you (see left) if you need help.
Tea and Sex and the GDPR:
Let’s face it: the GDPR is like Sex. And Tea.
Yep. I said it.
One way to think about the “consent” factor required by the GDPR is to use the wonderful “tea” analogy the Brits so lovingly use when we talk about sexual consent. Ask “would you like [tea]?” Saying “Yes” means “Sure, I would love tea.” No means “No, I do not.” Silence? We wouldn’t give them tea. If you’re really feeling spicy here, think about sex: In the U.S., we want there to be clear consent when engaging in sexual encounters. Anything but “Yes” is a no!
In the same fashion as sex and tea, to comply with the GDPR don’t give someone a spot on your mailing list without them saying YES!
The Right to be Forgotten
Article 7(3) of the GDPR gives data subjects the right to privacy, e.g. the right to withdraw consent at any time. The GDPR requires that “it shall be as easy to withdraw consent as to give it.” Meaning: if you clicked a button to opt-in, you have to be able to click a button to opt-out!
Once consent is withdrawn, data subjects have the right to have their personal data erased. Pull a boy band and wave “bye bye bye” to that data!
Your Plan of Attack
There is a lot of “stuff” to do here. It seems a LITTLE overwhelming. That’s why I’m giving you a LIST of nine actionable steps to make this easier to manage. Follow these directions to get your Wedding and Event business on track to comply with this wild-wild-west (East?) of privacy and data laws.