Why, GDPR? Why?
No four letter acronym has caused more sleepless nights, heartache, and, frankly, confusion to the digital universe since a little three letter acronym some 20 years ago (looking at you, Y2K). That’s right, we’re talking GDPR, which stands for the General Data Protection Regulation. It’s singlehandedly causing the internet to lose its collective mind.
You might wonder, “Hey, didn’t we just have to deal with the EU Cookie Law? Didn’t the EU Cookie Law get folks shakin’ in their shoes?” Three guesses why we needed a new law, and the first two don’t count… money.
That’s right folks: failure to comply with the GDPR regulation could cost you €20 million, or 4% of worldwide annual revenue of the prior financial year, whichever is higher. At the current exchange rate that is up to $24,634,340. Do we have your attention yet? Good.
Now here’s the good news - you, the small business owner, are not the intended target of this legislation. Do you have to make a few small changes to how you do business to CYA (cover your assets)? Yes, of course.
But it’s companies like Google, Facebook, Unbounce, Mailchimp, Slack, Spotify etc., those major players, who had to hire data compliance officers and make MAJOR changes to their products and policies… and how exactly they intend to stay compliant is really the big question on the table.
News Flash GDPR In The USA: The CONSENT Act Is Coming
From an April 17th article on marketingland.com:
"Senators introduce privacy ‘bill of rights’ to protect consumer data The CONSENT Act would require edge providers to comply with FTC-regulated data protection rules."
GDPR has had its effect on the US, and Facebook and Cambridge Analytica may have poured fuel on the proverbial fire, but here it is… users will need to provide websites and apps express consent before they can collect data on them. This proposed CONSENT Act draws from GDPR, particularly in how it seeks to protect customer data. The act mandates that the FTC require edge providers to:
- Obtain opt-in consent from users to use, share or sell users’ personal information.
- Develop reasonable data security practices.
- Notify users about all collection, use and sharing of users’ personal information.
- Notify users in the event of a breach.
If passed, this Act could mean serious changes here in the US - and that could bring us a lot closer into line with the GDPR of the EU than we have ever been before.
Big Picture, Break It Down For Me
Simply put, what the EU is trying to do is protect the rights of its citizens online. When you go online, websites and devices collect and spread your information literally everywhere. Who has what? How is it being protected? And can I take it back? These are all questions that were frankly unanswerable - until May 25th, that is.
Companies need to provide clear policies to users. No more legalese or confusing language. Instead, sites need to be as straightforward as possible - here is what data we collect, here is how we store it, and here is how you can access it… oh yeah, and here is how you can tell us to remove it. You now have the right to be forgotten online.
Why the need for clear language and transparency? Well, basically, because studies dating back to 2014 have shown that nobody actually reads the lengthy terms of service agreements or privacy policies that companies put out. In fact, a security firm in London actually got people to pay for WiFi in exchange for the user’s first-born child. Something had to be done. The cookie law was good but it had no teeth… enter GDPR.
But I’m An American Company. Why Should I Care?
The GDPR law protects anyone in the EU - not just citizens of the EU, but anyone physically in the EU when they access the internet. So, if you have customers that travel and they access your site while in Europe, say on vacation… they are protected by the GDPR regulation.
You may also be thinking, “Well I don’t sell anything online so this doesn’t affect me.” Wrong again. If you collect data on your users (think: cookies, or using local storage), you are subject to the GDPR regulation.
Ok, Ok… So What Do I Need To Do?
Surprisingly, here is where things get a lot simpler and easier for most of the readers of this article. If you have a basic marketing site, or even an eCommerce site, you can be GDPR compliant in just a few simple steps.
This law is designed to create transparency and clarity around how data and information is collected and stored. So let’s start with the easy things to do:
- Don’t try to trick users. Consent must be expressly given to opt into any communication. Do you have a newsletter signup form? Using double opt-in isn’t enough. You need to modify the form to say something along the lines of “by signing up for this newsletter I agree to receive digital communication from XYZ.com”. And if you want to use different forms of communication, i.e. snail-mail or SMS, you need to allow people to opt in individually to those forms of communication. No more ‘bundled permissions’. While you may be thinking that this will hurt conversion rates… we would agree, but compliance in this case trumps conversions.
- Don’t ‘automatically’ do anything for a user. If you automatically opt-in a user to an email list because they requested a quote… you are violating GDPR. Expressly given consent is a major focal point of this law and auto-anything on your site is bad. So just don’t do it anymore.
- Do you store users’ data? Keep it safe. Make sure your site is secure (think SSL) and updated (think CMS). If you are an Altos customer we handle that for you. If, however, the unthinkable happens and you are hacked, you must have a plan to notify users within 72h.
- Do you use a 3rd party service like Mailchimp or Unbounce? Make sure to check with all 3rd party vendors to be sure they are GDPR compliant. Spoiler alert: both Mailchimp and Unbounce are. In fact, most major marketing SaaS companies are. Everyone took this very seriously.
- Update your privacy policy. First, make sure you have one. If you don’t, get one. Then update it. Make it clear that you use cookies (everyone does). Tell people what you use them for. Tell people what information you collect and if appropriate tell them why. The more proactive you can be the fewer problems you are going to face in the long run.
Five steps. Simple right? For most small businesses in the USA these will be enough to protect you and, moreover, show you are making an effort to comply with the law.
One More Thing...
Not all laws are created equal, and not all websites are created the same. This is not a time to copy/paste someone else’s privacy policy or to just do the five steps you read on some awesome marketing blog. This is a time where one size fits none.
If you are concerned that you may need more than just an update to your privacy policy because your site now has some functionality that is non-GDPR compliant (think automatically signing people up for a newsletter when they request a quote; that is a big no-no), then you need to call us - we’ve been following GDPR for over a year, and we have a pretty solid handle on how to get you compliant.