By now, chances are you’ve heard that the GDPR will be taking effect on May 25th. And if you hadn’t heard that yet, consider this your official heads up—if you have a business that “services” any citizen of the EU, this law applies to you. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you’ll need to set up a GDPR notice and compliant consent measures.
What is the GDPR?
The GDPR is a sweeping new data protection regulation designed to protect the privacy of citizens in the EU. It gives them control over exactly how their personal data is processed, including how that data is collected, stored, and used.
It’s admittedly a pain to acquaint ourselves with such a dense new law, but it’s important to understand why this legislation was passed: for the enhanced security of personal information online. With the constant stream of news about hacked websites and shady companies selling data, I wouldn’t be surprised if this is just the first step of many that the world will take to protect online personal data.
Why Should I Care if I’m Not an EU Citizen?
The GDPR protects EU users, but applies to any business that collects personal data of EU users. You may be thinking to yourself, “well that’s fine, but I don’t have any EU clients, so I’m in the clear!” Not quite. Do you have an email list with any EU members on it? Do you know if EU citizens have ever left a comment on your site, or if you have processed their information via Google Analytics? You probably can’t say for certain, so just be cautious and assume that the GDPR applies to you. Better safe than sorry.
A more practical reason why you should care? Noncompliance will mean you are liable for very, very hefty fines. The maximum penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company.
What’s Covered by the GDPR?
Simply put, the GDPR will govern how you may process the data of EU members. “Processing”, in this sense, can be defined as “doing anything with that data”. For you, this means that the GDPR will govern anything you do with the personal data you collect from EU users (by “users”, I mean users of your website).
What counts as “personal data”?
Basically, “personal data” is anything that can identify the user or monitor what they are doing. It commonly includes:
- Names
- Contact information
- Medical information
- Credit card or bank account details
- Geolocation data
- IP address
- Google Analytics info
Another important note for online business owners: this definition of personal data will most likely include any information you process and store in a database—for example, all of your online quizzes, email opt-ins or incentive downloads, surveys, and any tagging or segmenting in your email list. In addition, websites commonly collect “personal data” through blog comments, contact form entries, analytics, logging tools and plugins, security tools and plugins, and user registrations.
The Most Important Part: Consent Under the GDPR
To use personal data, you must gain express consent from the user.
What is “express consent”?
The GDPR says that to be valid, consent must be “freely given, specific, informed, and unambiguous.” For your purposes, this means that the user must click something indicating their consent, rather than you assuming that they’ve read your terms and privacy policy. Your privacy policy must be “concise, transparent, accessible, and written in clear and plain language”. Additionally, consent must be separate from your general terms and conditions.
Under the GDPR, valid consent requires notice, express consent and compliance. Pre-checked boxes, or mere terms and conditions, are no longer sufficient. Consent must be clear, direct, and purposeful, and put in a clickwrap box. In other words, you still need Terms and Conditions on your site, but if you collect any data from users, you need a separate pop-up box that requires them to click “I agree with the terms of use” and explains exactly what information you will be using and why you’ll be using it.
One specific note that I want to point out for creatives: I know it is standard procedure in webinars (for example) for the host to give the interviewee the email list of signups from the webinar. I believe this will no longer be permissible under the GDPR, because the user did not specifically consent to the interviewee having that personal data. This also means that you may never automatically add people to your list or sell lists, but that was never legal anyway.
Examples of improper consent:
- Any consent that is merely contained within your terms and conditions and implied (otherwise known as “browsewrap”).
- Language saying “by clicking or navigating the site, you agree to our collection of information” or “by using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy.” This is not considered valid, because such language does not expressly ask the user for consent to use their personal data for a specific purpose.
Let’s Review: How Will The GDPR Affect My Business?
The GDPR will primarily affect four main areas:
- How you collect email opt-ins
- How you conduct your email marketing
- How you word your privacy policy
- How you obtain consent on your website
I know the GDPR seems overwhelming at first, but when you take it step by step, it’s something that every business owner can handle.