Avoiding all the legal jargon the Data Regulation law comes down to two key concepts.

1. Companies need your consent to collect your data.
2. Companies should only require data that is needed for their services to function.

In addition to the overarching concepts, there are additional implications. European consumers will be able to request all their data from any business and even request that it is permanently deleted. Companies also have to report within 72 hours that there was a data breach and release the information associated with it. Although these changes largely affect European firms and consumers, proactive companies around the world should get ahead of these laws before they reach other markets.

Companies that don’t comply risk being fined up to 4% of their global revenue. However, just like many laws, companies will find ways around it. They will try their best to convince you that giving your information is in your best interest. They will make this process as simple as possible and make opting out a difficult nightmare. Unfortunately, you may have already consented to the updated policies. Whether it was simply clicking “accept” on the updated privacy policies or ignoring the message on websites explaining the use of cookies. Many of these updates or pop-ups have verbiage along the lines of “your continued use of the service will be considered acceptance of our updated terms.” The sad truth is companies know we hardly read the privacy terms and often ignore notifications.

First, it is important that companies should explicitly ask for consent from their consumers to collect data. This can include GDPR forms like the one from email services like Constant Contact or you can create your own that details what data you need and why. The data you collect must be necessary for your services to function. Companies can no longer ask for additional information unless they explicitly disclose that it is not necessary, but can help better the service. Additional information will need explicit consent in addition to the mandatory data. These forms are specific for new users joining your service. However, to be compliant your current users should receive updated policies and have the ability to update their data consent. They should have the ability to understand the data you already have on them and how it has been used. They can then opt-in or opt-out of further data collection and request the removal of any stored information previously collected. All forms require a “double opt-in” feature. Consumers will get a second notification before submitting their consent form that clearly asks if they are sure about their decision. It is important to note that these email services also claim that the forms may not ensure that you are GDPR compliant and it is important to check the GDPR checklist or consult a legal service.

Although consent was gained the battle doesn’t stop there. To be fully transparent businesses should create “Privacy Portals” or “Privacy Tools” within users accounts that specifically outline what information is being collected, where it is going, and how it is being used. This portal or tool should also allow customers to opt-out or specify what information they want to be used and what information they want removed. The GDPR gives the consumers the “right to be forgotten.” In other words they can ask companies to delete data or even download their data to move to a new service.This allows the consumer to control their data and even revoke previously given consent at any given time. Transparency is the key to consumer trust and a huge component to the GDPR laws.

Internal Auditing: Companies who use mailing lists should remove anyone from the list that they don’t have consent from. This means companies should formulate an email detailing their services and request that users opt-in. The email should contain what content they will receive, how frequently they will receive it, and what data is collected. It should give an opt-out option as well. Whether it is a button they click to opt-out or assuming no response means they opt-out and you will no longer send emails to them/delete them from the mailing list. They should also ensure any new sign-ups have filled out a GDPR form or given consent on your sign-up form with the rules stated above. These steps ensure that your mailing list is GDPR compliant and you are not sending emails to anyone who didn’t consent to your services.

Targeting Ads: Finally, how does this impact marketers and brands ability to reach their target market? Marketers will have to find ways to target ads more efficiently and without the dependency on behavioral data. This means a decline in targeting based on interest groups and instead a rise in contextual advertising. For example, if a NY Times reader is reading an article about Microsoft’s Xbox, they might see ads for games on the platform or competitor ads. Similar ads can be placed throughout various newsfeeds. Posts about laptops can have ads for Dell or Lenovo under them. The truth is many advertisers are already doing this, but expect this to become the norm. It’s also important to note that behavioral data won’t be going away completely and that this regulation is only for European users. These practices can continue everywhere else unless similar regulation is passed throughout the world.

Now that we’ve established what a few of the best practices look like, I think it's important to show a few examples of companies that are actually practicing them.



1. ASOS, a fashion company, sent out a repermissing email blast to all their current subscribers detailing the changes and had clear call-to-actions. Within the email they stated “You’re in control” and clearly listed what email services the user is signed up for. They provided opportunities for their users to opt-in, opt-out, and update their preferences. In addition, ASOS updated their privacy policy and made a landing page on their website for consumers to learn more with a video explaining their promise to make your privacy a priority.
2. PwC, one of the big four auditors, also sent out an repermissing email. The email was thorough and to the point, exactly what you would expect from an auditing giant. The email listed what their emails include, a link to their privacy statement, a notice that failing to reply automatically opts the user out, and two equally sized buttons for Opting-in and Opting-out. They clearly stated their intentions and that users can change their consent/preferences at any time.
3. HubSpot, a developer and marketing of software products for inbound marketing, sent out a simple repermissing email. Their email states that they hope you want to continue receiving their content and then simply states if the user wants to keep receiving their email they should click the opt-in button. Underneath they explain what opting-in entails and that you can change your preferences at any time. Ignoring the email will automatically opt-out the recipient.

Never miss an update from “The Shoppe,” sign up for our email list today!

Subscribe

Sign up with your email address to receive news and updates.

We respect your privacy.