Should I be GDPR Compliant?
What is GDPR?
GDPR stands for “General Data Protection Regulation.” It is legislation that went into effect in May 2018 across the European Union to protect the rights and privacy of citizens’ personal information in the digital age. It is designed to afford individuals greater control over who has access to their data — and how and where that data is stored and used. GDPR applies to any organization operating within the EU, as well as any organization or business that offers goods and services to people within the EU.
What does it have to do with the US?
Legally, nothing … yet!
Yes, it’s true: if you are a business or organization that only offers goods and services to people in the US, and you never market to or do business with any European Union organizations, you are not legally required to comply with GDPR.
However, if you engage in digital marketing in any form — email, social media, paid search, display (especially including remarketing), or even a simple form on your website — you probably collect, store and/or use some form of personally identifiable information (PII). PII is defined as any data or information that can be used to “distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” It can be highly sensitive, like a social security number or a bank account, or non-sensitive publicly available information, like an email address or phone number.
Protecting and securing PII is a universal concern and is the goal at the heart of the GDPR. Google Trends data shows a steady uptick in searches within the US for terms like “data privacy” and “how to protect my data” in the past two years, with a heavy increase in searches in May 2018 when GDPR went into effect in Europe. Additionally, recent high profile data and breaches at companies like Target, Equifax and Facebook have further raised concerns among individuals in the US around controlling their information online and protecting themselves against malicious content that seeks to scam, profit off of or otherwise influence them. (Think back to Cambridge Analytica and the 2016 Elections.)
All of this is to say: Data privacy is not a uniquely European concern, so neither is data protection. Privacy advocates and tech publications like The Cyber Research Databank and Information Age seem to agree that some form of similar legislation or regulatory standards in the US is not only needed, but inevitable. Plus, with news from the Identity Theft Resource Center that the number of data breaches in the US reached record highs in 2017 and is continuing to climb, it’s no wonder that individual consumers are taking a more skeptical look at the ads and marketing messages they’re served, the way they share their information online, and the companies with which they do business.
What should I do?
Baby steps! There are some relatively simple things you can do to ensure your online presence and digital marketing efforts are more privacy-conscious.
1. Put a Privacy Policy on your Website: Establish total transparency with visitors to your website. Tell them about all the features and functionality they’re experiencing when they land on your site. Maybe you’re using Google Analytics to track their behavior, or maybe you’re using a web form that sends information like their email address or name and phone number to a 3rd party CRM or Lead Management software. This is not at all uncommon, of course, and it may seem obvious, but you’ve got nothing to hide, right? Take advantage of online tools like Iubenda to help you craft and publish a privacy policy for your site.
2. Opt-In Has to be Optional: Gone are the days where a simple “opt-in” box could be added to the end of a contact form and be checked by default (sneaky!) If you want to use someone’s email address or phone number to send them marketing materials, you have to ask for it. Be clear, be honest, and don’t make the decision for them. If you have “opt-in” boxes checked by default on your website, uncheck those bad boys! Tell your users exactly how you’d like to use their email address or contact information, and ask them if it’s okay.
3. Don’t Buy (or Sell) Email Lists: While most of these services are slowly going away, you can still find organizations that will sell or rent you a contact list that you can use to blast marketing emails or direct mailers out to a large number of potential customers. While some of these services are offered by legitimate, reputable companies that likely put processes in place to ensure their lists are permission based and privacy conscious, most commonly used marketing email platforms like MailChimp and Constant Contact actually forbid the use of purchased or rented contact lists in their Terms & Conditions.
4. Build your Own Contact List: Instead of relying on 3rd parties to supply you with contact lists, start building your own permission based, opt-in email list now. Put a sign-up field and opt-in checkbox on your site and be clear about what it’s for. Even if you’re not actively using email marketing right now, owning your own contact list can be an extremely valuable resource for when you are ready to branch out into more robust digital marketing tactics. *And PS: In case it wasn’t a no brainer, don’t ever ever sell your customer’s information to a third party.
Why Should I Care?
In a word … it’s about Trust, with a capital T. It’s about establishing credibility and letting your customers know you’re legit. You’re not trying to scam them or use unsavory tactics to target them with misleading or irritating ads.
Trust is the cornerstone of successful, lucrative and mutually beneficial business relationships. Showing your customers you care about their privacy and the security of their personal information — and that you’re actively taking steps to be more conscious of these standards in an ever changing digital landscape — will build trust between your business and the customers you serve.
We don’t know if the US will adapt GDPR or something similar. Many signs point to yes. But isn’t it better to do something, not because you’re legally required, but just because it’s the right thing to do?