It’s been five months now since the European Union rolled out the General Data Protection Regulation, or GDPR. And before you know it, the California Consumer Privacy Act will take effect. Both laws aim to provide a set of standardized data protection laws for their citizens. In a nutshell, if you are a marketer or business owner, it’s long past time for you to take action toward protecting your customers’ data privacy. And yet, many American businesses are still not prepared.
Why should U.S. companies care about a European data privacy law anyway?
But if you’re doing any digital marketing (this includes your website), it’s way past time to pay attention — and it’s about far more than simply notifying a visitor that you’re using cookies.
“Wait,” I hear you thinking, “it’s an EU law. Why does it apply to us here in the U.S.?”
Consider this: Can anyone in Europe buy goods or services from you? Remember, it’s called the worldwide web for a reason. Do you in any way monitor the digital behavior of EU residents, even those who might stumble upon your website? If this describes any portion of your business, you’re vulnerable.
What are the specific data privacy rules companies must follow?
Of course, as you’d expect with any legislation, the GDPR requirements are long and complex. In plain English, what businesses should aim for is informed consent. Here are the key requirements:
- Right to access — An individual has the right to know if a business is processing any of their personal data and receive a copy of the data.
- Right to rectification — An individual can request the business correct inaccurate personal data about them.
- Right to erasure — An individual has the right to have their personal data erased and deleted by a business.
- Right to restriction of processing — If an individual’s personal data is contested, but some time is needed to verify an inaccuracy, they can request the business suspend the processing of the data.
- Right to data portability — Individuals have the right to a structured, easily readable report of all of their personal data, as well as the right to request that the business transmit that data directly to another controller.
- Right to object — Individuals have the right to object to processing of their personal data. This also includes the right to withdraw consent at any time.
What, if any, are the consequences of non-compliance?
The next logical question is what can happen to you if you are found in violation of GDPR. The short answer: ask your lawyer.
In terms of possible fines and consequences for businesses that don’t comply, here are a few resources that may be helpful:
Consumers are passionate about data privacy
And really, don’t your users and customers deserve to know if you guard their digital data privacy? If they can’t trust that, your bottom line can and will be affected. Many consumers, 55 percent to be precise, say they have decided against purchasing something because of privacy concerns, according to KPMG.
All the digital big dogs have invested a ton of cash and time into making changes to ensure their compliance with increased data privacy requirements. You might find it enlightening to take a peek at how marketing industry leaders like HubSpot, Google, WordPress, and others you use have updated their practices and policies.
Steps your company should take right now
Your small business can also take wise steps to protect itself and your users’ data privacy.
Here are some changes our team at Lumen Marketing advises our clients make. Again, we do not provide legal advice, and it’s always best to consult your lawyer.
- Create an auto-response that visitors to your website get after they submit a form reassuring them that you respect their data privacy and rights.
- Put procedures in place to respond when someone requests to know what personal data you collect or to remove theirs. Under GDPR, consumers now have the right to request a copy of all data you possess about them, as well as the “right to be forgotten” (whereby you must completely remove their information from all of your databases and systems).
- Make it obvious on all of your website and data collection forms that by clicking ‘submit’ the individual consents to handing over their personal data. Again, this goes back to the informed consent mentioned earlier.
- Implement website plugins to help you comply. Reach out to us and we’ll recommend some.
Five myths about GDPR
Arndt Groth, a digital marketing thought leader, has identified five myths that marketers commonly believe about GDPR. Let’s take a look at them so we can act on facts.
Myth 1: If we comply with the GDPR, we’re good, because it’s the only such regulation.
Truth: It has what Groth calls its “forgotten sibling,” the EU ePrivacy Regulation. Here in the States, California has passed its own Consumer Privacy Act, which is similar to the GDPR and will take effect in January 2020.
Myth 2: You don’t need to worry if your company is in the U.S.
Truth: If users in Europe can buy goods or services from you, or if they subscribe to your blog, your business is vulnerable.
Myth 3: If your business is small it doesn’t apply to you.
Truth: GDPR has no exemption based on size.
Myth 4: GDPR is only about digital data.
Truth: According to Groth, “GDPR affects every business that holds personal information on anyone in the EU, be they employees, customers or suppliers.” That means hard copies too!
Myth 5: An IP address is not “personal data.”
Truth: Yes, it is. It is an identifier, and therefore included in what’s covered by the GDPR.
These actions are just the beginning of data privacy
Yes, data privacy is complicated. But you’re not in it alone. Like we said, it’s really a good thing for all of us to increase our transparency and compliance around data privacy practices. It makes businesses more trustworthy, and that can only benefit everyone.