GDPR: What You Need to Know

Over the past few weeks you may have noticed an increase in privacy policy updates from your favorite apps, companies, and email blasts. Like most people, you probably just clicked “accept” and continued as if nothing had changed. Luckily for you, we will help you understand what changes have been made and how they can impact you or your company.

The privacy updates are in response to the General Data Protection Regulation (GDPR), a law that takes effect across the European Union on Friday, May 25th. Although the law is geared towards Europeans, the internet is borderless and many companies are making sure they comply regardless. Setting aside the legal jargon, the GDPR comes down to two key concepts.

  1. Companies need your consent to collect your data.

  2. Companies should only require data that is needed for their services to function.

In addition to these overarching concepts, there are further implications. European consumers will be able to request all their data from any business and even request that it be permanently deleted. Companies also have to report a data breach within 72 hours and release the information associated with it. Although these changes largely affect European firms and consumers, proactive companies around the world should get ahead of these laws before they reach other markets.

Companies that don’t comply risk being fined up to 4% of their global revenue. However, just like with many laws, companies will find ways around it. They will try their best to convince you that handing over your information is in your best interest. They will make this process as simple as possible and make opting out a difficult nightmare. Unfortunately, you may have already consented to the updated policies, whether by simply clicking “accept” on the updated privacy policies or by ignoring the message on websites explaining their use of cookies. Many of these updates or pop-ups carry wording along the lines of “your continued use of the service will be considered acceptance of our updated terms.” The sad truth is that companies know we hardly read the privacy terms and often ignore notifications.

[Image: Cartoon of a businessman juggling digital security shields, with a computer and lock symbol, illustrating the recent GDPR regulations]

As marketers, we believe it is important that companies comply and have their consumers’ best interests in mind. We believe companies should not confuse their consumers. This includes data collected on employees, clients, consumers, and other businesses. Below we outline best practices that marketers should follow:

Transparency: This should come as no surprise when we are talking about data and today’s hyper-intuitive consumers. Consumers want to know where their information is going and how it is being used. In addition, and perhaps most importantly, they want to make sure their data is safe. The rise in data breaches and the fallout from Cambridge Analytica have led to increased pressure on businesses like Facebook, Twitter, and Google, which rely on data and advertising for their revenue, to let consumers know what they are doing with the information they collect.

First, it is important that companies explicitly ask their consumers for consent to collect data. This can be a GDPR consent form like the ones offered by email services such as Constant Contact, or you can create your own that details what data you need and why. The data you collect must be necessary for your services to function. Companies can no longer ask for additional information unless they explicitly disclose that it is not necessary but can help improve the service, and that additional information needs explicit consent separate from the mandatory data. These forms are specifically for new users joining your service. However, to be compliant, your current users should also receive the updated policies and have the ability to update their data consent. They should be able to understand what data you already hold on them and how it has been used. They can then opt in or opt out of further data collection and request the removal of any information previously collected. All forms require a “double opt-in” feature: consumers get a second notification before submitting their consent form that clearly asks if they are sure about their decision. It is important to note that these email services also state that their forms may not guarantee that you are GDPR compliant, so check the GDPR checklist or consult a legal service.

Even once consent has been gained, the work doesn’t stop there. To be fully transparent, businesses should create “Privacy Portals” or “Privacy Tools” within users’ accounts that specifically outline what information is being collected, where it is going, and how it is being used. This portal or tool should also allow customers to opt out, or to specify what information they want to be used and what information they want removed. The GDPR gives consumers the “right to be forgotten.” In other words, they can ask companies to delete their data, or even download their data to move to a new service. This allows the consumer to control their data and even revoke previously given consent at any time. Transparency is the key to consumer trust and a huge component of the GDPR laws.

Internal Auditing: Companies that use mailing lists should remove anyone from the list whose consent they don’t have. This means companies should write an email detailing their services and requesting that users opt in. The email should state what content recipients will receive, how frequently they will receive it, and what data is collected. It should also give an opt-out option: either a button they click to opt out, or a statement that no response will be treated as an opt-out, after which you stop sending them emails and delete them from the mailing list. Companies should also ensure that any new sign-ups have filled out a GDPR form or given consent on the sign-up form under the rules stated above. These steps ensure that your mailing list is GDPR compliant and that you are not sending emails to anyone who didn’t consent to your services.

Targeting Ads: Finally, how does this impact marketers’ and brands’ ability to reach their target market? Marketers will have to find ways to target ads more efficiently and without depending on behavioral data. This means a decline in targeting based on interest groups and a rise in contextual advertising instead. For example, if a NY Times reader is reading an article about Microsoft’s Xbox, they might see ads for games on the platform or ads from competitors. Similar ads can be placed throughout various newsfeeds: posts about laptops can have ads for Dell or Lenovo under them. The truth is that many advertisers are already doing this, but expect it to become the norm. It’s also important to note that behavioral data won’t be going away completely and that this regulation applies only to European users. These practices can continue everywhere else unless similar regulation is passed elsewhere in the world.

Now that we’ve established what a few of the best practices look like, I think it's important to show a few examples of companies that are actually practicing them.

  1. ASOS, a fashion company, sent a re-permissioning email blast to all their current subscribers detailing the changes, with clear calls to action. Within the email they stated “You’re in control” and clearly listed which email services the user is signed up for. They gave their users the opportunity to opt in, opt out, and update their preferences. In addition, ASOS updated their privacy policy and made a landing page on their website where consumers can learn more, with a video explaining their promise to make your privacy a priority.

  2. PwC, one of the big four auditors, also sent a re-permissioning email. The email was thorough and to the point, exactly what you would expect from an auditing giant. It listed what their emails include, a link to their privacy statement, a notice that failing to reply automatically opts the user out, and two equally sized buttons for opting in and opting out. They clearly stated their intentions and that users can change their consent and preferences at any time.

  3. HubSpot, a developer and marketer of software products for inbound marketing, sent a simple re-permissioning email. Their email states that they hope you want to continue receiving their content and then simply says that if the user wants to keep receiving their email, they should click the opt-in button. Underneath, they explain what opting in entails and that you can change your preferences at any time. Ignoring the email automatically opts the recipient out.

All three of these examples show the need to let consumers know about the changes, provide ample resources, and give users the right to choose how their data is used. Companies should adopt similar practices with their own mailing lists to avoid potential fines or lawsuits.

Companies like Facebook and Google are already facing lawsuits despite updating their privacy policies and creating privacy tools for their users. The lawsuit claims that both Google and Facebook ask users to check a single box to access their services, which doesn’t comply with GDPR regulations because it forces users into an all-or-nothing choice, especially when they know users “need” their services in today’s digital world. As more users check these “all or nothing” boxes, Google and Facebook can continue to report high consent rates. This makes Google and Facebook appear more trustworthy for placing targeted ads than other ad exchanges. Although Google places ads through many ad networks, its DoubleClick Bid Manager (DBM) has been pushing advertisers’ money towards Google’s own marketplace and away from smaller exchanges where Google can’t verify that user consent was given. Like Google, Facebook doesn’t have to worry about other ad networks, as it uses its own audience network and owned properties to place ads. This not only puts them a step ahead of the competition but is leading advertisers to shift funding from small companies to these ad giants. What does that mean for small businesses with fewer resources? It means they need to start preparing now.

It’s not a matter of if, but when, data regulation gets passed throughout the rest of the world. Be proactive and get ahead of the change. Being a leader in your market will help you stand out from your competition and build trust with your consumers. It’s up to your company to self-regulate and be transparent about your data practices.