I have had clients message me asking for guidance on the whole GDPR situation, so let's address it! Have you heard of it yet? If not, well, you're about to! If you have an online business or do any online marketing, you are going to want to pay attention, because this is going to matter. I want to stress that, although GDPR is a European law, it can still affect you and your business on this side of the pond, especially if you are using social media to market. Social media reaches people globally, including Europe! So, if you happen to have just ONE European resident on your email list, then GDPR matters!
If you don't comply and update your business practices to make them GDPR compliant, the consequences won't be pretty! It all goes into effect May 25, 2018, which gives you less than a month to get it all in order.
As a caveat, I am not an expert on all things GDPR; I am bringing you what I understand from my own research. I am not an attorney and cannot offer legal advice. If you have questions, I suggest you seek out legal counsel who is well versed in this particular subject matter, but hopefully what I outline here will give you a good starting point.
Let’s start with the obvious question. What the heck is GDPR?
The General Data Protection Regulation (GDPR) is a privacy law enacted by the European Union (EU). As I said earlier, it applies from May 25 of this year. It was created in response to the need for greater privacy and protection for individuals' personal information. Specifically, it addresses how that information is collected, stored, and used by businesses.
How does it affect your business stateside?
First, let me address that a person does not have to be a paying client or customer for this to apply. Any business, whether headquartered in the EU or not, is obligated to adhere to the GDPR when it collects personal data from someone in the EU (notice that this is about residents, not citizens). Personal data includes things like:
- Email addresses
- Physical address
- Bank information
- Social media posts
- Medical information
- IP addresses
- Even pictures!
This means that if you are collecting any of this information on a landing page, or through a Facebook or Google pixel, then you must be GDPR compliant. It's also worth mentioning that GDPR applies to you no matter what size business you have. As long as you are conducting business that could potentially lead to transactions with a European resident, have a website that targets EU residents, or offer goods or services (even freebies) to EU residents, it counts.
Also, please note that while May 25th is when all of this goes into effect, it covers the data you already hold, not just what you collect from then on. If people on your email list joined a year ago, the consent you collected back then has to meet the GDPR standard; if it doesn't (for example, you have no record of it, or the box was pre-ticked), you will need to ask those past subscribers and clients again.
What happens if you don’t comply?
Well, businesses that are not compliant can get hit with some pretty hefty fines: up to €20 million or 4% of annual global turnover, whichever is higher. I am sure the amount will depend on a lot of factors, but that's steep!
So what do you need to do to be compliant?
As I analyze this whole GDPR thing, I see that it will affect your social media marketing and your email marketing the most, especially if you are using Google Ads and Facebook Ads to retarget with pixels.
So, here is the lowdown on what you should do to be compliant with these regulations.
Email list audit. First, look at your email list and figure out which subscribers are EU residents (a country field or the sign-up location is the usual clue; if you can't tell, it is safer to treat the whole list the same way). You will then need their explicit consent to stay on your list, and a record of it. If you don't get that permission, remove them from your list by May 25.
If you aren't already, begin using the double opt-in process (your email manager should have this available). The subscriber confirms by clicking a link that is emailed to them, which gives you a record of who consented, when, and from which form.
As good business practice, don't collect more data than you need. If all you really need is a first name and an email address, ask for just that.
As you continue to do business online, you need to make sure you let people know what they are signing up for. Note that consent is tied to a specific purpose, so you will need permission EVERY SINGLE TIME someone signs up for something new. For example, if someone signs up for a webinar, you cannot automatically add him or her to your master list. You would need separate permission for that.
If you have a physical product and someone buys something, a pre-ticked "add me to the email list" checkbox is no longer acceptable. The box has to start unticked, and the person has to tick it themselves; that is the express permission showing they are requesting to join your email list.
Always give email subscribers the option to change their info and/or unsubscribe from your list. Having this option at the bottom of every email should be sufficient. Just make sure it's legible, nothing like a 4 pt font.
When someone unsubscribes, do not email him or her again. Keep the address on a suppression list so that a later import of an old spreadsheet does not quietly put them back on.
Get a security certificate for your website, so that it is served over https. Don't worry, people won't have to type that in to get there. The certificate alone does not make you GDPR compliant, but it is one of the basic security measures the regulation expects you to have in place: it encrypts what people type into your forms on the way to your server. You can get a certificate from your web hosting platform, and many hosts now provide one for free.
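As an added example (not from the original post, and not any email provider's code), here is a small Python model of the double opt-in and consent-record steps above: a signed confirmation link tied to one address and one purpose, a ledger that records who consented, when and from which form, a purpose-specific check before any email goes out, an audit helper for an existing list, and a suppression list that unsubscribe feeds. The key, the 48-hour link lifetime, and the class and method names are all hypothetical.

```python
"""Double opt-in consent ledger (added example; hypothetical, not any provider's code).

Step 1: a form submission issues a signed confirmation token tied to one email
address and one purpose. Nothing is recorded as consent yet.
Step 2: clicking the emailed link presents the token; only a valid, unexpired
token that this ledger issued records consent, with the evidence (when, for
which purpose, from which form). Unsubscribing drops every consent for the
address and suppresses it, so a re-import of an old list cannot put it back.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical settings: load the key from configuration in a real deployment.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after two days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, purpose: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """HMAC-sign (email, purpose, issued_at): a webinar link cannot be edited
    into newsletter consent, and nobody can confirm on someone else's behalf."""
    payload = json.dumps(
        {"email": email.lower(), "purpose": purpose, "iat": issued_at},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the signed claims, or None if the token is malformed, forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > TOKEN_TTL_SECONDS:
        return None
    return claims


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    confirmed_at: int
    source: str  # the form or page the sign-up came from


class ConsentLedger:
    def __init__(self) -> None:
        self._pending = {}     # token -> source form
        self._consents = {}    # (email, purpose) -> ConsentRecord
        self._suppressed = set()

    def request(self, email: str, purpose: str, source: str, now: int) -> Optional[str]:
        """Step 1: issue the token to email out. Suppressed addresses get nothing;
        lifting suppression is a deliberate manual act, not a form side effect."""
        email = email.lower()
        if email in self._suppressed:
            return None
        token = make_token(email, purpose, now)
        self._pending[token] = source
        return token

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: the link was clicked. Each issued token confirms at most once."""
        source = self._pending.pop(token, None)
        claims = verify_token(token, now)
        if source is None or claims is None or claims["email"] in self._suppressed:
            return False
        key = (claims["email"], claims["purpose"])
        self._consents[key] = ConsentRecord(claims["email"], claims["purpose"], now, source)
        return True

    def may_email(self, email: str, purpose: str) -> bool:
        email = email.lower()
        return email not in self._suppressed and (email, purpose) in self._consents

    def record(self, email: str, purpose: str) -> Optional[ConsentRecord]:
        return self._consents.get((email.lower(), purpose))

    def unsubscribe(self, email: str) -> None:
        email = email.lower()
        self._suppressed.add(email)
        for key in [k for k in self._consents if k[0] == email]:
            del self._consents[key]

    def without_consent(self, emails: List[str], purpose: str) -> List[str]:
        """Audit helper for an existing list: who has no consent record for this
        purpose and so needs a re-permission mailing or removal."""
        return [e for e in emails if not self.may_email(e, purpose)]
```

The purpose is part of the signed payload on purpose: it is what stops a confirmation link for a webinar from doubling as consent for the newsletter, which is exactly the "permission every time" point above. The ledger only ever answers `may_email(address, purpose)`, so the sending code cannot accidentally use a webinar sign-up as a marketing list.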
Lastly, as a resource, I wanted to give you a list of popular email managers and their GDPR tools. It will help you see how the different providers are handling the situation for their customers.
- Active Campaign – GDPR Compliance Updates
- MailChimp – New MailChimp Tools to Help with the GDPR
- Constant Contact – What You Need to Know and How Constant Contact is Helping
- Ontraport – GDPR, Privacy Shield and Ontraport
- Get Response - Everything You Need to Know
- ConvertKit – Features + Support for the General Data Protection Regulation (GDPR)
- InfusionSoft – You Need to Know This: An Overview to the New GDPR
I know it's a lot of information, and it can be quite overwhelming, but that's why I wrote this blog post. Hopefully it gives you some insight into what you need to do to get GDPR compliant in the coming weeks.