
Admin May 31st, 2019
GDPR is a series of laws spelling out the digital rights for citizens of the European Union. It builds on an earlier policy, called the Data Protection Directive, which Europe adopted in 1995. Many of the ideas outlined in GDPR came from the earlier regulation, and an even older set of principles called the Fair Information Practices, which covers the ways consumer information should be used. Those practices have also shaped policies in the United States, though the outcomes have differed. The United States has historically regulated privacy in context, with piecemeal laws for the privacy of healthcare records, financial documents, and federal communications. There’s nothing analogous to GDPR in the United States, and likely won’t be any time soon.
In Europe, though, GDPR represents one of the most robust data privacy laws in the world. It also gives people the right to ask companies how their personal data is collected and stored, how it’s being used, and request that personal data be deleted. It also requires that companies clearly explain how your data is stored and used and get your consent before collecting it. “Personal data,” in this case, refers to things like a person’s name, email, and IP address, but also pseudonymized information that could be traced back to them. People can also object to personal data being used for certain purposes, like direct marketing. If you buy a pair of shoes through an online retailer and start seeing ads for similar shoes, you should be able to ask the retailer to stop using your personal data for direct marketing purposes. Under GDPR, those and other rights are guaranteed.
The headline on April 24, 2019 read, “Facebook expects to pay up to $5 billion in fines to FTC for privacy violations.” Ironically, Mark Zuckerberg, founder and CEO of Facebook, is one of several business leaders who have been pressuring legislators for more clarity on privacy rights. All businesses, and especially those that sell access to micro-targeted audiences, need clear and consistent regulations. Aware of widely publicized data breaches, consumers are demanding more control over their private information. So where do we draw the line? The member nations of the European Union tackled this problem head-on. The resulting General Data Protection Regulation (GDPR) went into effect on May 25, 2018.
With the regulation in place for one year, European authorities are flooded with reports of data breaches and complaints of mishandled personal data. In just the first 8 months after the law became effective, EU citizens reported 59,000 personal data breaches. The largest penalty to date was $56 million, but many complaints have yet to be adjudicated.
US companies cannot dismiss the GDPR as strictly a European issue. The law also extends to organizations outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The GDPR serves as a template for similar laws in Brazil, India, and Indonesia, and for the new California Consumer Privacy Act of 2018. GDPR will affect the landscape of privacy laws and compliance for years to come.
The European Union’s General Data Protection Regulation, or GDPR, has been a hot topic since its enforcement date in May 2018. Companies have faced multiple dilemmas: Is their business one that needs to comply with the GDPR privacy law? If so, what is the best way to comply? And how does a business comply without losing valuable customers?
GDPR-compliant businesses of all sizes likely have had much work to do to ensure a smooth transition, and this has impacted how many companies do business in Europe. There’s no avoiding the effects this requirement has on marketing efforts – especially email marketing and mailing lists.
“All marketing activities are likely to be affected by the GDPR in one way or another – that much is obvious,” said Nik Mehta, Director of Sales at Packed Data Services. “That said, we see GDPR having an exceptionally large impact when it comes to email marketing.” Email marketing is a common advertising tactic that has been easy to implement in the past. But after GDPR, it’s another area of business that requires careful consideration.
For instance, companies need to ensure their contacts gave them consent before continuing to send emails to them. This calls for a stricter subscription process, which should involve double opt-ins and easy opt-outs, and exclude involuntary or required opt-ins.
Double opt-ins confirm that users are interested in receiving emails, weeding out any fraudulent or accidental requests (e.g., failure to uncheck an automatically checked subscription box). If a consumer provides their email for a subscription, they will have to go into their inbox and agree to it a second time.
This requirement acts as a safety net for any business sending marketing-related emails. Anyone subscribing to your emails should be able to do so freely and not feel bribed to do so for a particular product or service. They should also be able to unsubscribe from your email list at any time, and with no repercussions.
When someone gives consent, make a note of it so you have the information recorded and readily accessible should there be any issues later.
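The double opt-in and consent-recording process described above, as an added example that is not code from the original article or from Packed Data Services. It assumes a hypothetical `SubscriptionService` with an in-memory store and an `outbox` list standing in for a real email sender; the confirmation token is random, stored only as a hash, expires after 48 hours, and a consent record with source and timestamps is written only when the second step is completed.

```python
"""Double opt-in subscription flow with a consent audit record (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL = timedelta(hours=48)  # assumption: confirmation links expire after 48h


def _hash_token(token: str) -> str:
    # Store only a digest so a leaked pending table cannot be used to confirm.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class PendingSubscription:
    email: str
    token_hash: str
    source: str
    requested_at: datetime
    expires_at: datetime


@dataclass
class ConsentRecord:
    """What to keep so consent can be demonstrated later: who, when, for what, from where."""
    email: str
    purpose: str
    source: str
    requested_at: datetime
    confirmed_at: datetime
    withdrawn_at: Optional[datetime] = None


class SubscriptionService:
    def __init__(self, now: Optional[Callable[[], datetime]] = None) -> None:
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.pending: Dict[str, PendingSubscription] = {}
        self.consents: Dict[str, ConsentRecord] = {}
        self.outbox: List[Tuple[str, str]] = []  # constructed stand-in for an email sender

    def request(self, email: str, source: str) -> str:
        """Step 1: the visitor submits an (unchecked-by-default) subscription form."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        now = self._now()
        self.pending[email] = PendingSubscription(
            email, _hash_token(token), source, now, now + TOKEN_TTL
        )
        self.outbox.append((email, token))  # the confirmation email carries the raw token
        return token

    def confirm(self, email: str, token: str, purpose: str = "email marketing") -> bool:
        """Step 2: the subscriber clicks the link in their inbox; only now is consent recorded."""
        email = email.strip().lower()
        pending = self.pending.get(email)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self.pending[email]  # stale link: require a fresh request
            return False
        if not hmac.compare_digest(pending.token_hash, _hash_token(token)):
            return False  # wrong token: leave the pending entry untouched
        del self.pending[email]
        self.consents[email] = ConsentRecord(
            email, purpose, pending.source, pending.requested_at, self._now()
        )
        return True

    def unsubscribe(self, email: str) -> None:
        """Easy opt-out: keep the record, mark it withdrawn, stop sending immediately."""
        record = self.consents.get(email.strip().lower())
        if record is not None and record.withdrawn_at is None:
            record.withdrawn_at = self._now()

    def may_email(self, email: str) -> bool:
        """Send only to addresses with confirmed, unwithdrawn consent."""
        record = self.consents.get(email.strip().lower())
        return record is not None and record.withdrawn_at is None
```

A sender that checks `may_email()` before every campaign, plus the stored `ConsentRecord`, gives you the "note of it" the paragraph asks for: the source form, the request and confirmation timestamps, and the withdrawal time if the person later opts out. The tokens in the example are constructed at runtime; a production system would persist the tables and deliver the confirmation link over email.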
“Organize a full information audit and review the existing data you have, paying particular attention to where this data came from and who you’re sharing it with,” said Nikhil Mehta. “If you’ve been marketing to an email list that you obtained using methods that are noncompliant [with] GDPR, you should no longer reach out to individuals on this list, unless they’ve double-opted into your communications.”