Attention all business owners: you have officially been put on notice.
As of May 25, 2018,
anyone with a mailing list that sends information to one of the 28 countries that make up the Europea Union (EU) must have express consent to do so, otherwise, they could find themselves in the crosshairs of the General Data Protection Regulation (GDPR).
Consent is the key word here: if you have it, you’re fine; if not, you need to get it and fast.
What lawmakers are hoping to accomplish with this new law is to eliminate the sale of individual data to companies that have no right to it. You shouldn’t be forced to receive electronic communication from businesses that you never interacted with, and this law hopes to eliminate it.
What Exactly is the GDPR?
If you’ve been around the tech or online space at all in the last few years, you’ve most likely heard of this new law. The regulation effectively replaces the last privacy protection directive, enacted in 1995, by giving the EU the ability to operate in every country under their jurisdiction, instead of having to prosecute businesses individually in every country.
What it also does is give the consumer more power over their information. Companies who buy lists and spam thousand or even millions of people all at once will now be held accountable. If the customer says they want off your list, it’s on you to remove them immediately and discontinue any further contact with them, at the risk of an extreme penalty.
As a business entity, you are now held to a much higher standard for what’s on your website and how you process consumer data. As an individual, you now have the tools to be able to fight back against companies who continually spam your email address, as a single complaint could be enough to alert the EU to nefarious business practices.
What’s the Penalty for Non-Compliance?
For the first time, an electronic privacy protection law has actual teeth in it, and the fines show it. The law states that any company that is found to be in non-compliance with the General Protection Data Regulation faces a fine of up to 20 million euros ($23.5 million) or 4% of the company’s global turnover – whichever number is higher.
Admittedly, it’s unlikely that the EU will seek to impose so strict a fine on first-time offenders, as the precedent set in previous laws shows that they’re reluctant to do so. One of the biggest data breaches in recent memory was a telecom company called TalkTalk, which allowed the personal information (names, e-mail addresses, phone numbers, bank account info, etc) for nearly 150,000 customers to be exposed. Technically, the Information Commissioner’s Office in the U.K. could have imposed a fine of up to 500,000 GBP, but they only saddled them with a penalty of 400,000. That mark still stands as the highest sanction ever imposed by that office.
Still, it is worth noting that since the law is brand-new, the EU will most likely seek to make an example of the first few companies that are charged with a crime, so expect to see the full force of the law brought to bear shortly after the law takes effect. They want to set a precedent that shows the world exactly how seriously they take consumer data, and exacting a heavy penalty at the outset is a great way to do just that.
Another huge consideration is what a fine will cost you in terms of your reputation. While most companies will most likely be able to pay the fine that is set against them, the real hit will be in customer perception. If your company’s name appears on a headline next to the words “HUGE DATA BREACH!”, expect to see your customer relationships take a nose dive. TalkTalk, the company mentioned earlier, lost 100,000 customers virtually overnight for their breach – a cost they’re still trying to recover from.
Who is Affected?
The simple answer is anyone with a mailing list. Since this law only applies to electronic communications, phone calls and even direct mail are not necessarily worthy of being prosecuted (although that may change with future laws). This is also an EU law, so it only affects customers in that area (sorry U.S.). It’s worth mentioning, however, that you don’t have to be an EU citizen to be prosecuted. Indeed, if you have a mailing list that has one name on it that is a member of the EU, and you obtained that name without their express consent, if they complain, expect to be charged, even if you’re operating halfway around the world.
This even goes for people with a website, whether you’re running WordPress, Wix, or any another type of platform. Any member of the EU that has the ability to interact with your business and give you their information must give express consent, or else you could be liable.
The types of companies that the EU will most likely target out of the gate are the ones that collect and use copious amounts of customer data, such as tech firms, marketing agencies, and third-party companies that collect that information for them. The businesses that rely the heaviest on using customer data for promotions, offers, or just general correspondence will be the hardest hit. Any data that you would otherwise obtain through consent now means that data has to be much more explicit.
How are Companies Responding?
For companies that have been collecting user data for years without any form of consent, they are currently scrambling to obtain express consent in some ways, and in the process, are losing a ton of customers. Even those who have data collection standards that they thought were strenuous enough are taking a second look at their policies to ensure they’re in compliance.
The response from bigger tech giants is most interesting. Facebook seized the opportunity to encourage users to sign up for facial recognition technology at the same time they informed users that they could download and delete any information they didn’t want on the site. Claiming they wanted to “put people in more control over their privacy,” they unlocked an “access your information” feature that makes this process easier. They also unveiled new terms of service and forced any user that wanted to keep using Facebook to agree to it. Those who didn’t opted out.
Google took a much more nuanced approach. Any chances that needed to be made were done so subtly, updating a few of its products and services that they felt weren’t in compliance. Apple, on the other hand, claimed loud and proud that since they don’t collect as much information as other companies do, they didn’t need to update much of their framework. They made a few changes, but nothing more.
The truth is, no one really knows how the law is going to take shape, and until there are a few cases to set precedent, it could go various ways. Some companies are being proactive with their policy changes by emailing everyone on their list and asking them to reconfirm consent – a risky tactic since many users may simply not reply or not open the email in the first place. Others believe that they already have that consent and either will send an email alerting you to a few minor changes or ignore it altogether. Each company handles it their own way and are hoping that they stay in compliance.
Those that choose to email their lists and ask for a reconfirmation need to be aware of the fact that simply asking for reconfirmation could insinuate that you didn’t have that consent in the first place, regardless of whether you did or not. While that may not necessarily be enough to convict someone, it’s worth consideration.
Regardless, expect a lot of court cases immediately after May 25, as the EU comes down on companies that they feel are in violation and those companies respond by arguing the exact interpretation of the law. Until that is all settled, businesses will most likely continue to operate under a shroud of mild uncertainty.
What Can I Do to Get Ready?
If you’ve been operating a site on WordPress, Squarespace, Wix, or any other different platform, now is the time to review your privacy policy and update them accordingly. Check your data collection methods and make sure that users have the ability to give their express consent regarding future mailings. Any ambiguity on your part could translate to a lack of formal consent for the end user.
Here are a few simple ways you can make sure your site is in compliance.
1. Make Sure Your Opt-In Methods are Legitimate.
Many companies have operated for years under the practice of simply subscribing people to their mailing list whenever they’ve interacted with their company in any way, such as requesting a consultation, buying goods or services, or even asking a question. That type of practice is the exact setup that the new law seeks to eliminate. Users must give their express consent before a company can email them.
Does that mean you have to email everyone on your list and ask them to reconfirm? Maybe, maybe not. Done correctly, it can ensure you stay compliant with the new law, but it could also backfire, as asking people to proactively reconfirm their subscription could cause you to lose a lot of customers.
Best practice, at the very least, is to put a slot on your subscribe option that makes it very clear what users are signing up for, notifying them that by clicking that box, they are giving their consent to receive future mailings. If you already have that, great. If not, now’s the time to change.
2. Beef Up Your Security
With this new law, the threat of data breach poses a whole other issue for companies. If your mailing list is hacked and consumer information is let out into the open, you could be held liable if it was found that the security on your site is lacking.
One thing that you can do (and probably should), if you haven’t already, is to purchase an SSL certificate for your site. They cost about £100 and provide another layer of encryption for a hacker to go through before they’re able to infiltrate your site. In addition to that, consider giving your customers specific user IDs instead of names, so that type of personal information doesn’t exist in the first place. The bigger your list, the more important your security will be.
And, as mentioned above, have a clearly stated privacy policy describing exactly how your data is stored and how it will be used. Also, provide a contact number for people to call if they have any questions.
3. Allow Customers to Delete Their Data
Instead of just giving consumers a way to opt out of your mailing list, give them a way to erase their data completely from your system. In the event of a data breach, the names and information can still be stored on the list and exposed to the world. If a person wants off your list, create a way in which all of their information is completely wiped.
The bottom line with the GDPR is that companies have to be better stewards of customer data. Anyone that is trying to game the system, buy lists or spam users can and should find their way into the lens of the EU. By bringing your system up to code today, you can set the groundwork for laws that may alter this regulation in the future.
