It’s been five months now since the European Union rolled out the General Data Protection Regulation, or GDPR. And before you know it, the California Consumer Privacy Act will take effect. Both laws aim to provide a set of standardized data protection laws for their citizens. In a nutshell, if you are a marketer or business owner, it’s long past time for you to take action toward protecting your customers’ data privacy. And yet, many American businesses are still not prepared.

Why should U.S. companies care about a European data privacy law anyway?

In response to GDPR, many American businesses now have added a blurb or popup at the bottom of their web pages alerting users to the fact that the site uses cookies. Lots of us probably respond pretty much the same way we do to reading the terms of use and privacy policies, with a “yeah, yeah, now just let me do what I came here to do.”

But if you’re doing any digital marketing (this includes your website), it’s way past time to pay attention — and it’s about far more than simply notifying a visitor that you’re using cookies.

“Wait,” I hear you thinking, “it’s an EU law. Why does it apply to us here in the U.S.?”

Consider this: Can anyone in Europe buy goods or services from you? Remember, it’s called the worldwide web for a reason. Do you in any way monitor the digital behavior of EU residents, even those who might stumble upon your website? If this describes any portion of your business, you’re vulnerable.

What are the specific data privacy rules companies must follow?

Of course, as you’d expect with any legislation, the GDPR requirements are long and complex. In plain English, what businesses should aim for is informed consent. Here are the key requirements:

  • Right to access — An individual has the right to know if a business is processing any of their personal data and receive a copy of the data.
  • Right to rectification — An individual can request the business correct inaccurate personal data about them.
  • Right to erasure — An individual has the right to have their personal data erased and deleted by a business.
  • Right to restriction of processing — If an individual’s personal data is contested, but some time is needed to verify an inaccuracy, they can request the business suspend the processing of the data.
  • Right to data portability—Individuals have the right to a structured, easily readable report of all of their personal data, as well as the right to request that the business transmits that data directly to another controller.
  • Right to object—Individuals have the right to object to processing of their personal data. This also includes the right to withdraw consent at any time.

What, if any, are the consequences of non-compliance?

The next logical question is what can happen to you if you are found in violation of GDPR. The short answer: ask your lawyer.

In terms of possible fines and consequences for businesses that don’t comply, here are a few resources that may be helpful:

Consumers are passionate about data privacy

And really, don’t your users and customers deserve to know if you guard their digital data privacy? If they can’t trust that, your bottom line can and will be affected. Many consumers, 55 percent to be precise, say they have decided against purchasing something because of privacy concerns, according to KPMG.

All the digital big dogs have invested a ton of cash and time into making changes to ensure their compliance with increased data privacy requirements. You might find it enlightening to take a peek at how marketing industry leaders like HubSpot, Google, WordPress, and others you use have updated their practices and policies.

Steps your company should take right now

Your small business can also take wise steps to protect itself and your users’ data privacy.

Here are some changes our team at Lumen Marketing advises our clients make. Again, we do not provide legal advice, and it’s always best to consult your lawyer.

  • Review and update your privacy policy. You do have one, right? Is it crystal clear to the reader how you collect data, as well as how you’re using it?
  • Create an auto-response that visitors to your website get after they submit a form reassuring them that you respect their data privacy and rights.
  • Put procedures in place to respond when someone requests to know what personal data you collect or to remove theirs. Under GDPR, consumers now have the right to request a copy of all data your possess about them, as well as the “right to be forgotten” (whereby you must completely remove their information from all of your databases and systems.
  • Make it obvious on all of your website and data collection forms that by clicking ‘submit’ the individual consents to handing over their personal data. Again, this goes back to the informed consent mentioned earlier in this blog post.
  • Implement website plugins to help you comply. Reach out to us and we’ll recommend some.

Five myths about GDPR

Arndt Groth, a digital marketing thought leader, has identified five myths that marketers commonly believe about GDPR. Let’s take a look at them so we can act on facts.

Myth 1: If we comply with the GDPR, we’re good, because it’s the only such regulation.
Truth:  It has what Groth calls its “forgotten sibling,” the EU ePrivacy Regulation. Here in the States, California has passed its own Consumer Privacy Act, which is similar to the GDPR and will take effect in January 2020.

Myth 2: You don’t need to worry if your company is in the U.S.
Truth: If users in Europe can buy goods or services from you, or if they subscribe to your blog, your business is vulnerable.

Myth 3: If your business is small it doesn’t apply to you.
Truth: GDPR has no exemption based on size.

Myth 4: GDPR is only about digital data.
Truth: According to Groth, ”GDPR affects every business that holds personal information on anyone in the EU, be they employees, customers or suppliers.” That means hard copies too!

Myth 5: An IP address is not “personal data.”
Truth: Yes, it is. It is an identifier, and therefore included in what’s covered by the GDPR.

These actions are just the beginning of data privacy

Yes, data privacy is complicated. But you’re not in it alone. Like we said, it’s really a good thing for all of us to increase our transparency and compliance around data privacy practices. It makes businesses more trustworthy, and that can only benefit  everyone.