On Friday, May 25, 2018, a new law governing the collection and protection of personal data went into effect in the European Union. The General Data Protection Regulation (GDPR) created a uniform set of laws regulating the protection of personal data by companies doing business in the EU. It replaced the 1995 EU Data Protection Directive with enhanced requirements on those companies that collect personal data and stiffer penalties for those companies that fail to comply.
The GDPR basically defines four characteristics of consent for those collecting personal data. Consent must be:
- Freely given. The decision to allow you to collect personal information must be a genuine choice. You can’t mislead anyone with negative facts. You can’t force a person to accept your marketing.
- Specific. You have to tell people exactly what they are consenting to. You can’t assume consent to receive one thing (a newsletter) also means they consent to receive your email.
- Informed. Visitors must be aware of who you are, and why you are engaging with them. They have to know that they have a right to withdraw their consent and to be “forgotten” by your database.
- Clear Affirmative Action. People have to know that you have their data and what you intend to do with it. You can’t assume consent based on an action someone has taken, or prefill consent boxes.
How will this new law affect your business?
In short, if you sell or market products and services to the European Union, this new law applies to you. The GDPR affects your website, your content and the back-end structure of your site used to convert prospects/leads — think CMS and marketing automation software.
Under the GDPR, you will only be allowed to collect data and send emails to people who’ve given you their explicit consent, and opted-in to receive messages. If someone fills in a form, for instance, you can’t assume consent or use a pre-checked checkbox granting consent is not in compliance. At the same time, if someone has given consent to receive information on a particular topic, it’s illegal to send unrelated marketing email to those people. In essence, prospects must specifically opt-in to every form of marketing email you might send.
The forms on your site must tell subscribers about your company and what you intend to do with any data you collect. The GDPR requires you to keep records of everyone who has agreed to allow you to collect and use their data. Some changes you should consider to your site:
- Include a required field in every form granting permission to collect and store personal data. A pre-checked box is not legal, so don’t use those with visitors outside of the US. This field should link to your privacy notice. The new regulations require that the visitor open the privacy policy before they can give their consent.
- Your privacy notice must tell people why you are collecting their data and how you will use it. Including IP addresses and cookie data. Your notice will have to be granular, meaning it needs to cover the various ways we process and use a contact's personal data (e.g. marketing email or sales calls). You must log auditable evidence of what they consented to, what they were told (notice), and when they consented.
- Include a clear and accessible way for people to see what data you have collected, and a way to be forgotten by your system.
- Include a Country field on all forms that are not subscription forms. The form should update with conditional formatting based on specific countries. i.e. if a prospect selects "Italy" then before they hit submit on a form, you’ll need to create a rule where you show Italy's Privacy Policy.
- Explain exactly what your visitor is opting in to. Tell them exactly what they can expect to receive from you.
- Store your completed consent forms in your CMS and marketing automation system as a record of when and how you received consent from the individual.
- Have a way to retrieve and purge data from all the systems you store data. This is important for compliance if an individual were to ask for their data or exercise their right to be forgotten.
If you are using marketing automation, there are some immediate changes you’ll need to make before continuing your marketing and sales strategy in the EU. If you are using a content-marketing strategy to sell in the EU, you’ll need to:
- Update your alerts when a prospect visits your website
- Create a Public Privacy Notice, explaining what data is being used for your database, what you do with the data and ensuring the prospect that you will not sell or manipulate their data.
- Notify visitors that your website uses cookies
- Update your forms:
- Create Email Subscriptions
- Create consent checkboxes for communicating and processing data
- Update your email templates:
- Create an unsubscribe page
- Create a Subscription Confirmation Custom Field
- Assign all contacts a “lawful basis to communicate”
- If you don’t have a lawful basis, use consent with a permission pass campaign
- Develop an internal process that allows visitors to access, modify or delete their data
- Right to Data Portability
- Modification
- Right to be Forgotten
In your notice, you’ll need to have a legal reason to use a contact's data. That reason could be consent (they opted in) with notice (we told them what they were opting into), performance of a contract (e.g. they are our customer and we want to send them a bill), or what the GDPR calls “legitimate interest,” e.g. they're a customer, and we want to send products related to what they currently have.
You’ll also need the ability to track that reason (also known as “lawful basis”) for a given contact.
One type of lawful basis of processing is consent with proper notice. In order for a prospect to grant consent under the GDPR, a few things need to happen:
- They need to be told what they are opting into. That’s called “notice.”
- They need to affirmatively opt-in (pre-checked checkboxes aren’t valid). The contact filling out a form alone cannot implicitly opt them into everything our company sends.
- The consent needs to be granular, meaning it needs to cover the various ways we process and use a contact's personal data (e.g. marketing email or sales calls). We must log auditable evidence of what they consented to, what they were told (notice), and when they consented.
Before a contact submits a form, they must agree with your privacy notice and must opt-in to email marketing.
The way we see this issue, it only affects companies in or doing business in the EU. But that will most likely change in the coming months/years as both the industry and the law deal with the fallout from the misuse of personal data on a grand scale. You may have noticed Mark Zuckerberg speaking to the European Union Parliament this week about steps Facebook is taking to protect user data.
That trend, in our view, is only going to continue. Just as website compliance with the Americans With Disabilities Act is a growing issue for most companies, so too is GDPR likely to be high on your radar in time. Now might be a good time to talk to your legal counsel, just to get a feel for what the future might hold. As always, we’re happy to talk to you about what you might need to do and how to get it done, should you choose to push toward compliance with this new law.
HubSpot user? See what HubSpot has to say about GDPR.