You’ve likely received more emails regarding privacy policy changes in the past few days. These emails result from a European Union regulation called GDPR, which took effect on May 25, 2018. The GDPR law has created a massive problem for marketers, particularly those in the EU. In the United States, businesses are contemplating whether and how to make the necessary changes.
Before proceeding, please note that this article’s information is not meant to be taken as legal advice. It is best to consult with your lawyer if you require legal advice. Implementation of GDPR in US companies is still a work in progress. Like other laws, the wording of GDPR is subject to interpretation, and implementation will become clearer as litigation precedents are established. That process is already under way: within hours of the implementation deadline passing, complaints had already been filed against Google, Facebook, Instagram, and other large internet companies.
What is the GDPR’s meaning for US businesses?
What we know to date: GDPR will impact US companies. For any business that markets its products on the internet, GDPR is an issue, and you’ll need to do your research. This applies to companies of all sizes, not just big businesses.
The regulation applies geographically, which is logical; EU laws apply in the EU. Collecting personal information from a person while they are within the EU therefore falls under the regulation. The law also applies to EU residents while they are outside the EU. Does it affect EU residents who are in the United States? The regulation covers any data collection that includes personally identifiable information; no financial transaction is necessary.
As we worked with our clients on the implementation of GDPR, we compiled the following points to consider. This isn’t a definitive list but a work in progress. You will need to determine what you want to do and the best way to do it, and you should consult your lawyer if needed.
Things to think about to ensure compliance with GDPR for your US company
Update the Privacy Policy with specifics
Implement SSL across the entire site
Add an explicit opt-in checkbox to forms for email and other notifications, with the box unchecked by default
Use double opt-ins for marketing emails
Set up acceptance of cookie usage prompt
Verify that all Marketing technologies are GDPR-compliant
Verify that any personally identifiable data used to build remarketing audiences is handled in a GDPR-compliant way (e.g., ensure that anyone who requests erasure is removed from marketing campaigns)
Provide the ability for a person to request removal of their information (right to be forgotten)
Make sure that every user in your database has explicitly signed up to receive email. Alternatively, identify a legitimate basis under GDPR for sending them email.
As you can imagine, this last point can significantly affect marketing by drastically shrinking your database of contacts. But there are some exceptions to the mandatory opt-in. For example, if the contact is an existing customer or a sales lead, you may have a legitimate business interest. This and other vague definitions in the regulation’s language are where you’d probably benefit from legal counsel.
For more in-depth background information and a review of GDPR’s specifics, read on…
What is GDPR?
While we in the United States are still trying to determine the right way to protect our data, Europeans are rushing forward with new regulations that modernize privacy law to match current data collection and marketing methods on the internet. The new rule, dubbed the General Data Protection Regulation (now more commonly referred to as GDPR, for obvious reasons), arrives at a timely moment.
The GDPR codifies data protection and digital privacy regulations that apply to EU citizens and replaces the previous set of rules, including the Data Protection Directive, which dated from 1995. After determining that the Data Protection Directive was woefully ineffective at protecting Europeans from modern-day internet practices, the EU approved GDPR in 2016 with a transitional period that ended on May 25, 2018.
The most important reason for the GDPR is to give internet users greater control over how their information is used (sound familiar, given the 87 million Facebook members affected?). The law regulates how businesses gather, store, and process data and ties together a patchwork of privacy laws across EU member states.
Look at the new rights granted to European web users as part of GDPR. They affect all internet users, including those of us who live and do business in the United States. Businesses must adopt a single compliance strategy for their traffic, regardless of where it originates. Be aware that these rights may apply to information often believed to be public domain, like name and address, as well as to more private, highly regulated information, like medical records.
New Individual Rights of Users under the GDPR
The main point here is that when a business collects and processes a person’s data, it is legally bound to safeguard the information and to offer a number of services to the person to whom the data relates. Under the GDPR, companies must inform users of what data is being collected, how it is used, and for how long it will be kept.
It’s already clear that many privacy policies need to be updated and include more details about the use and storage of data. However, GDPR doesn’t end there.
In a step that could change the nature of internet marketing as it is currently practiced, consumers can now object to profiling, the practice in which websites and services build profiles based on a user’s personal information for purposes such as selling advertising on their platforms to outside companies. Users are therefore entitled to demand that websites stop engaging in such activities with their data. This could have significant implications for companies like Facebook and Google, whose entire revenue models are built on these methods.
The Costs of Not Complying with GDPR
The penalties for non-compliance with the GDPR are harsh. According to the GDPR, businesses could be fined up to 20 million euros or 4 percent of their revenue. The GDPR shows that the EU is taking a serious stance on data privacy and security. While written warnings may be issued for unintentional violations, failure to correct them could result in subsequent audits and penalties.
It is unclear whether GDPR compliance will dominate corporate legal spending in the US over the next few years, as it did in Europe during the two-year transitional period. Given the international nature of the vast majority of online businesses and their customers, it is likely that many will opt to comply with GDPR for every user, not just users with IP addresses originating in Europe. Much of the non-EU internet commerce community may instead take a wait-and-see approach, weighing the business risk of non-compliance as a possible added expense.