Understanding the New Rules
The new rules in Europe apply to everyone who does business online with people from Europe, regardless of where YOU are located. Not only are there new rules, as a result, there are new penalties for non-compliance. This share is a result of my investigation into the requirements to participate in the global economy without infringing on citizens of the EU privacy and rights.
DISCLAIMER: I’m not an attorney. I’m merely a fellow entrepreneur who must learn the rules. The information in this blog is NOT legal advice. Consult your attorney for legal advice.
Expanded territorial scope
The GDPR represents a significantly increased territorial reach over its Data Protection Directive predecessor. Article 3 of the GDPR outlines that (all emphasis added unless otherwise stated):
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Two primary groups of entities must, therefore, comply with the GDPR.
- Firms located in the EU
- Firms not located in the EU, if they offer free or paid goods or services to EU residents or monitor the behavior of EU residents
The one thing we have going for us is that we do business with businesses…..except for our new project to promote our programs and put some coaches to work. So, we were working only with businesses and now, as we expand to helping private consumers, we are lucky to be doing at a time that we can set it up right and stay out of trouble. In the meantime, a lot of the practices that GDPR are demanding are good ones, so we’ll implement them even if they aren’t required.
Founder, The Health Coach Group
Everything we collect is included. We collect:
- a first name, last name and email on all optins
- IP address on all site visits
- Credit card, name, address, phone number, and IP address on all sales
- TONS of information on any forms
- Passwords on all memberships
We have a lot of information. We don’t purchase information; it’s all gathered voluntarily. We don’t share information; we’re very careful not to give any information away.
In Infusionsoft, we have a million campaigns. With the new rules, each campaign must have its own optout option. That means, if someone opts in for our Ultimate Business Checklist, and are added to our promotions sequence, newsletter sequence, and information sequence, then they must have the ability to optout for whichever they choose (easily). Not only that, you have to be VERY clear about which lists they’ve been added to. I don’t know about you, but that means I’ve had some major cleaning up to do.
Make sure you can prove people have given you permission to market to them.
The current prevailing practice for collecting email addresses for marketing mailing lists is to bury a pre-ticked “subscribe” checkbox somewhere on an order or registration form. Such practices will not be compliance under the GDPR. As stated in Recital 32 :
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her . . . Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Not only do email marketers need to obtain opt-in consent from email recipients, they also need proof of the opt-in consent. As written in Article 7:
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
Implications for Data Controllers
As for the collection of new email addresses, most companies at a minimum will have to change their “subscribe” buttons from checked by default to unchecked by default. As for existing mailing lists, there are three options:
(1) delete the whole mailing list and start over;
(2) attempt to segregate EU addresses from non-EU addresses; and
(3) contact the addresses asking them to opt-in to continue receiving emails after the GDPR goes live.
- Make sure your terms and conditions are linked to forms.
- Make sure optin forms make it clear that they are getting added to mailing lists and give them the opportunity to say no.
- Use software that is compliant to process sales. PayPal, CRM, Hosting Company, Plugins for your Website and others.
GDPR Recommendations to become compliant with data tracking:
- Audit existing service provider contracts to see if there are agreements in place with any email tracking providers;
- Conduct an I.T. audit to discover whether any individual employees are using email tracking software on their desktop or mobile devices;
- If email tracking is being used, assess the current procedures for collecting and documenting recipients’ clear, affirmative consent to email tracking;
- Set a plan to terminate all tracking for recipients whereby no qualifying consent can be proven;
- If email tracking is being used, perform a cost-benefit analysis as to whether its potential benefits outweigh its potential costs;
- Assess the need for software solutions that monitor outbound emails to ensure non-compliant tracking attempts are blocked.
Infusionsoft, Helpscout, and other software we use, offers this as a significant benefit to us. We know when and if our emails have been read. It is a strong customer service tool because it tells us that our customers are, or are not receiving things they’ve been looking for. 95% of the time, they’ve actually opened communication they say they haven’t received. We just have so much email that we don’t remember.
Countries Protected by GDPR
- Republic of Cyprus
- Czech Republic
Consult an Expert
Consult an attorney who specializes in International Law for the best solution. Privacy of individuals is important. Taking necessary steps to be compliant with the laws are important. If you should happen to have a person from Europe optin, even if you’ve not advertised or invited them, there would be the same laws applied as if not. Doing business online is requiring more responsibility starting May 25, 2018.
Did you enjoy this blog?
Sign up to receive a weekly notice.