Meeting The General Data Protection Regulation (GDPR) Requirements

By now you’ve probably heard of GDPR and the staggering penalties you could face if you don’t meet the crazy requirements.  It’s being talked about everywhere from major news outlets to solo bloggers.  So you might ask yourself, “What does all the hype mean to me and what can I do about it?”

Disclaimer: This article is not intended to provide legal advice and Ad-Spark is not a law firm. Consult with legal counsel if you are seeking legal advice.

Consumer Protection

The regulations are intended to protect consumers from predatory bad practices.  You’ve seen it before – fill out a form to inquire about a product or download a whitepaper, and suddenly your inbox is getting bombed with unwanted newsletters and spam.  Try to unsubscribe and the problem just gets worse.  It seems like you’re suddenly on every spammer’s hit list with no hope in sight.  Going forward, deceptive practices like these can land you in much deeper hot water.

What Do I Need To Do?

If you collect personal information from website visitors, encourage visitors to sign up for your newsletter, or use visitor tracking software or analytics, you’ll need to be transparent about why you’re collecting data, what you’ll do with it, and provide a way for visitors to view, download and remove their data.  At first this may seem like an impossible task, but don’t panic!  Check with your data service providers (CRM, email marketing service) – chances are, they may already have tools in place to help you meet GDPR requirements.

Here’s what we did to prepare for GDPR:

• If you don’t already have a Privacy Policy page, make one.  Ensure it states in plain language what data is collected, why it’s collected, how you’ll use it, and how a visitor can view, download and delete their data.  And be sure to add a link to your Privacy Policy from the bottom (footer) of each page on your website, and on form/signup pages.  Where applicable, include links from your Privacy Policy page to:
  • Subscription/Membership:  If you offer subscriptions or members-only areas, provide links for visitors to view, modify, download and remove their data.  (Scroll down this page learn about WordPress GDPR tools.)
  • Email Newsletter: Provide a link to your email marketing software GDPR tools.
  • CRM Software: Provide a link to your CRM’s GDPR tools.
  • Tracking Cookies: State how to control and remove browser cookies.
  • Website Analytics: Provide a link to your analytics software opt-out tools.
  • Contact Details:  List your legal entity name and contact information, Data Protection Officer (if applicable), EEA Representative.  See the links at the bottom of this article for more in-depth resources.
• Data security and encryption – Your website software needs to be kept updated and secure, and pages need to be SSL encrypted (HTTPS).  Data storage needs to be secure and encrypted, both online and offline.
  • If you back up customer data to an external hard drive or USB thumb drive, make sure the drive is encrypted.  Imagine the fallout if your data storage gets lost or stolen!
• Report Data Breaches.  If your neglected, out-of-date website got hacked, or your business computer was hijacked by ransomware, or you lost your backup drive in a taxi cab, you need to promptly report a possible data loss to the appropriate authorities.  And you’ll need to prepare and send a statement to your members, subscribers and clients.
  • This is an embarrassing and difficult situation best avoided by keeping your data systems maintained, up-to-date and secured.
• Get your visitor’s consent. If you have a contact form or newsletter signup, add a (mandatory) check box verifying the visitor’s “express consent” to share their data with you.  In some cases (like an email newsletter) you may wish to set up a double-opt in, requiring visitors to click an email link to verify their email address and their consent to sign up.
  • Important – the check box must be blank, and not checked by default.  Your visitor must check the box to prove consent was given.

• Keep a record of their consent.  When consent is given, store the interaction data (date, time, “consent is given”, etc.) for later reference.
  • Email and CRM services may have express consent tools and record keeping features available, check with your service provider.

 

If your website runs on WordPress, GDPR just got easier for you!  Read this article to learn about privacy features and tools now included in WordPress.

 

Ask For Consent, Respect Their Decision

Add an “express consent” check box to your forms and make it clear what the visitor is signing up for.  Don’t be deceptive – be honest and do what you say you’ll do.  Remember, you can’t use a visitor’s information without their express consent.  For example, if you collect a visitor’s email address in your Contact Us form, you can’t add their email address to your newsletter list without first receiving clear “express consent” to receive your newsletter.  And keep a record showing consent was given.

Email Newsletters

Your signup form needs to have an “express consent” check box.  You also need to provide a way for visitors to view, change and download their data, and remove themselves from your list.  Popular email services like Mailchimp and Constant Contact have these tools in place.  Be sure to add a link to your service provider’s GDPR tools on your Privacy Policy page.  Adding a link to GDPR tools in the bottom (footer) of your email newsletter is also a good idea.  The tools are an important part of your GDPR compliance.

If you already have an email marketing list and you never really asked for consent (you didn’t buy an email list, did you?), you should send a separate, clear message asking for permission to continue receiving newsletters.  You are asking for their express, affirmative consent to continue receiving your newsletter – and keep their consent on record.  No response or negative response means you remove them from your list and stop marketing to them.  This might mean your email list just got a whole lot shorter, but it’ll be legal and legit.

Website Membership Areas

If you have a membership signup form to provide a subscription service or a members-only area, make sure you provide a way for visitors to view, change, download and remove themselves.  Make sure your signup form has an “express consent” check box to verify their consent to share their data, and include a link to your Privacy Policy page.

Buying An Email List Is Out

And good riddance!  In my opinion, renting or buying an email list has always been a poor marketing practice that delivers crappy results.  And now, marketing to people without their consent can land you in legal hot water.  Just don’t do it.

Marketing Your Address Book Is Out

Corresponding with someone in the past doesn’t give you permission to market them.  Not only is it a really bad and distasteful marketing practice, spamming your friends can strain and break your relationships.  And now they can file a complaint and fight back.  Again, just don’t do it.

 

WordPress now includes GDPR-compliant tools for your website members to interact with their data directly.  If your website runs on a different content management system, inquire with your software vendor about similar tools they may offer.

References:

• https://www.eugdpr.org/
• https://blog.mailchimp.com/gdpr-tools-from-mailchimp/
• https://blogs.constantcontact.com/gdpr-how-to-comply/
• https://support.google.com/analytics/answer/7667196
• https://developers.google.com/actions/policies/privacy-policy-guide
• https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/
• http://optout.aboutads.info/?c=2#!/
• http://www.youronlinechoices.com/
• https://tools.google.com/dlpage/gaoptout