Are You GDPR Compliant? (Law Went Into Effect May 25)

I’ll admit, I didn’t pay too much attention to GDPR when I first heard about it. I didn’t know what it was and I was busy with other deadlines, so I put off investigating it further. Then I received an email from my email marketing platform stating that it goes into effect on May 25, 2018. I figured I should read up on it to figure out what this is all about, and I incorrectly thought it wouldn’t be a big deal and wouldn’t be much different from what many of us are already doing with CASL and CANSPAM.

Wrong.

I’ve spent at least a week studying up on it as much as I can and trying to come up with a game plan. As you read this, my website may not yet be 100% compliant, although I’m hoping to have it fully compliant by the deadline if I can.

The new website for one of my side businesses is compliant (that was my guinea pig), but the website for The Virtual Solution needs an overhaul with a theme change because a conflict is preventing me from changing/editing the opt-ins in the sidebar. I have disabled other things, like Google Analytics, in the meantime.

But back to GDPR. What is it?

It’s the General Data Protection Regulation coming into effect in the European Union. This pertains to any and all personal data collected, whether online or in person, and there’s a lot of confusion around it, especially since it leaves room for interpretation.

Don’t think you’re safe and you can avoid it just because you live in Canada or the USA, and don’t think it doesn’t affect you if you don’t market to anyone in the EU or you’re sure you don’t currently have anyone from the EU on your email list.

Nope.

It affects you because you could possibly attract someone from the EU, even if you’re not trying to.

Do you have opt-ins and landing pages? Do you sell products or services? Do you have an email marketing list? Do you run Facebook ads for your business? Do you have cookies or tracking codes on your website (Google Analytics, Facebook tracking pixel, popup cookies, Infusionsoft or ActiveCampaign tracking code, etc.)?

If you collect people’s information and/or you monitor their activities in any way, you must be compliant. The fines are HUGE – in the millions, in some cases.

DISCLAIMER: I am not a lawyer, so DO NOT take anything I say as legal advice. To make sure you and your business are protected, I advise you to consult with a business lawyer who specializes in GDPR.

I take no responsibility for your actions or your inaction on this matter, or the consequences resulting from your decision to not consult with a qualified lawyer prior to making changes yourself or enlisting my help in making changes.

What I will share with you is research I have done and my current understanding of some of the main aspects that stood out to me so that I can help you gain an overall understanding of the requirements and how this will affect you. Then hopefully you’ll feel more comfortable discussing the topic with your lawyer.

EMAIL MARKETING

First of all, let’s look at your email marketing. You can’t do things the way you used to.

You may no longer add people to your email list just because they downloaded a free gift from your website or purchased a product or service. I know, that sucks. There’s nothing you can do about it.

For our Canadian CASL legislation, you may already be used to needing a double opt-in to confirm and have proof that people really do want to receive marketing emails from you, and you know that you can’t have pre-checked boxes. GDPR is a whole different ball of wax.

Now, if you’re offering a free opt-in gift, you may ONLY send them that free gift. You do not have authorization to send them ANY other type of email or marketing message beyond that gift that they agreed to receive, and you must NOT require them to join your email list in order to receive the free gift. That means if you’re offering a free gift and you include a checkbox on the opt-in form or landing page to invite them to join your newsletter, BUT then you don’t send them the free gift if they don’t check the box to consent to the newsletter – that’s not allowed!

If they do not consent, you must tag them as GDPR Declined in your email marketing system and you may not add them to any of your email lists or tags that you will send emails to.

If you want to send them other marketing emails or use their information for different purposes, you must identify everything you want to use their email for with a separate, unchecked box on the opt-in form and gain consent for each of those intents or business activities that process their private data. You must tell them how often emails will be sent to them.

What about those already on your email list?

You’re going to need to get new consent from those in the EU. You’ll need to segment your email list by country right away, if you don’t have that done already, and request updated consent. If you don’t receive consent by May 24th, you should delete them from your database.

No way to identify where they’re from? You’ll have to ask for new consent from everyone on your list.

YOUR WEBSITE

Privacy Policy

Your opt-in box, landing page, and sales page must link to a clear privacy policy page that outlines how you will use and store their information. In fact, you should link to your privacy policy on every page of your website.

Your privacy policy must clearly tell the visitor what data is collected and how it will be used.

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

You can’t collect more information than what you actually need to perform the task. Do you need their phone number to send them a free gift? Do you actually need their last name?

I have added affiliate links to some GDPR privacy policy templates below. I have not personally used them and I have added the links only as a possible resource. The best and safest thing you could do is have your lawyer write one up, but you can also Google to find some on the web that are free or that you can buy, and then have your lawyer review it/them.

Cookies and Tracking

Think Google Analytics code. Think Facebook tracking pixel. Think Infusionsoft and ActiveCampaign tracking codes.

If you have cookies and tracking on your website, you must offer the options to accept AND deny cookies, and the tracking code must not run until the visitor has accepted. You can have someone code this into your website using JavaScript (which I’m not familiar with), or there are a few WordPress plugins out there that offer this. A couple of them I know about are CookieBot and Google Analytics Germanized. These are not affiliate links.

CookieBot offers a free version and paid options, and the paid options allow you to target only the EU with the offer to accept or deny cookies! If you’re interested in the paid option, do the website scan/evaluation that they offer. If you have a lot of website pages on your site, you might end up with a better offer than is on their website.

Google Analytics Germanized is free and I like it. If you have a cache plugin installed, you’ll want to be sure to clear your cache and test it out to make sure it tracks after cookies are accepted. It also allows you to add other tracking codes, such as the Facebook pixel or a CRM tracking code. It allows you to add a link to your Privacy Policy page. It’s fairly quick and easy to set up, the cookie notification boxes/banners are customizable, and I think it looks nice. This one is my pick! I won’t be able to activate it on this website until I deal with the theme/plugin conflicts, but you can see it in action on my other website here.

If you use a plugin, you should have your lawyer check to see if it will cover your butt, as I can’t promise these will. However, I saw a lot of other GDPR plugins in the WordPress repository that seemed rather useless in function.

With Google Analytics, you’ll want to be sure you have IP Anonymization turned on so the full IP address of visitors is never written to disk. The Google Analytics Germanized plugin includes this handy feature as one of its settings as well.
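As an added example (not code from the original post or from either plugin), here is the bare logic a consent gate needs: nothing is loaded until a stored "accepted" decision exists, a "denied" decision is remembered so the tracker never runs, and the tracker is only ever configured with IP anonymization on. The cookie name, the 180-day expiry, the `UA-PLACEHOLDER` id and the injected `loadTracker`/`showBanner` callbacks are assumptions so the logic can run outside a browser; `anonymize_ip` is the real gtag.js setting the IP Anonymization option maps to.

```javascript
// Consent gate for tracking scripts (added example, not from the original post).
// Assumed cookie name; the decision is stored as "accepted" or "denied".
const CONSENT_COOKIE = 'tracking_consent';

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k) out[k] = decodeURIComponent(v.join('='));
  }
  return out;
}

// Returns "accepted", "denied", or null when the visitor has not been asked yet.
// Any other stored value is treated as "not asked" rather than as consent.
function readConsent(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === 'accepted' || v === 'denied' ? v : null;
}

// Cookie string to persist a decision (assumed 180-day lifetime).
// In a browser: document.cookie = consentCookie('denied');
function consentCookie(decision) {
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax`;
}

// Tracker configuration; anonymize_ip tells gtag.js to truncate the visitor IP
// before it is stored, which is what the IP Anonymization option turns on.
function trackerConfig(measurementId) {
  return { measurementId, anonymize_ip: true };
}

// Decide what happens on page load. loadTracker is called only when consent
// is "accepted"; showBanner is called only when no decision is stored.
function applyConsent(cookieString, loadTracker, showBanner, measurementId) {
  const consent = readConsent(cookieString);
  if (consent === 'accepted') {
    loadTracker(trackerConfig(measurementId));
    return 'tracking';
  }
  if (consent === null) {
    showBanner();
    return 'banner';
  }
  return 'denied';
}
```

In the browser, `loadTracker` would append the gtag.js script tag and call `gtag('config', id, { anonymize_ip: true })`, and the banner's two buttons would write `consentCookie('accepted')` or `consentCookie('denied')` and reload.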

What Else?

I don’t know if you are as exhausted as I am right now. This was a heck of an article to research and write. I’m sure I’ve left out a lot of detail, so I’ll leave you some links below that I used in my research, as well as some other resources, and you can do your own research, if you have not already done so.

EDIT: I’m now offering a GDPR Technological Audit & Assessment.


Active Campaign: https://www.activecampaign.com/learn/guides/preparing-for-the-gdpr-collecting-consent

MailChimp: https://kb.mailchimp.com/accounts/management/gdpr-faq

Infusionsoft: https://www.infusionsoft.com/legal/gdpr-readiness-guide

https://blog.varonis.com/gdpr-requirements-list-in-plain-english

https://gdprchecklist.io

http://www.blastam.com/blog/5-actionable-steps-gdpr-compliance-google-analytics

https://www.pibworthps.com/marketing/what-professional-speakers-need-to-know-about-the-gdpr

https://www.digitalmarketer.com/gdpr-summary

Canadian Lawyer: http://www.canadianlawyermag.com/article/getting-ready-for-gdpr-3607

European Union Countries: https://europa.eu/european-union/about-eu/countries_en

>> Were you aware of GDPR prior to this and are you prepared for the May 24th deadline (it goes into effect on May 25th)?

>> What struggles have you had in becoming GDPR compliant with your data processing via your website, email marketing, and other activities?
