Confused by the avalanche of privacy-related emails you’ve received over the last few days? That’s because the European Union’s new General Data Protection Regulation (GDPR) came into effect on May 25. If you think this only affects companies in Europe, you’re wrong.
Previously, every country in the EU had different locally applied data protection regulations. These have all been replaced by the single GDPR standard – a series of laws spelling out the digital rights for people of any nationality who are located in the European Union. If your company is based outside Europe, but you market and/or sell your products and services to people in Europe, you are required to adhere to GDPR.
At its heart, GDPR requires companies and organisations to obtain the active consent of individuals before collecting and using their personal data. It is no longer acceptable to passively collect data without consent, or to offer individuals an opt-out. Instead, companies must explicitly ask individuals to opt-in to provide consent for their data to be collected and stored, as well as clearly explain how their data will be used. All “personal data” falls within the remit of GDPR, including name, contact details, location, IP address, and cookie identifiers, plus any other pseudonymized information that could be traced back to an individual. If it is possible to identify an individual directly from the information you are processing, then that information is likely to be “personal data” as defined under GDPR. Fully anonymized data is excluded.
Data collection and processing that is required for “legitimate business reasons” to provide a requested service to a consumer is acceptable without an opt-in. But organisations cannot then use the processed data for other non-core services, such as advertising, without consent. In particular, “consent” must be “freely given, specific, and informed by a clear affirmative action.” Within hours of GDPR coming into force, complaints were filed against Facebook, Google, Instagram, and WhatsApp by privacy group noyb.eu because of their “forced consent” for targeted advertising in return for free use of their services. If these complaints are upheld then these tech giants could be fined up to 4% of their global turnover.
Despite having over two years to prepare for GDPR, some companies based outside the EU have temporarily blocked their services across Europe to avoid falling foul of the new legislation. These include the Chicago Tribune and the LA Times.
What digital marketers need to know:
- Organisations with an existing marketing database must re-solicit every person’s consent (via an explicit opt-in) since individuals may have been added to the database without their consent.
- All opt-out consent boxes must be replaced by opt-in (without the box being pre-checked).
- Collection and processing of data to deliver your core service (e.g. fulfil orders) can continue unchanged, but if you wish to use historical data for marketing purposes, you need consent.
- Personalised ad targeting based on an individual’s specific behaviours, such as that offered by many programmatic media companies, is illegal without active consent. However, targeting based on broad interest-based audience segments is permissible so long as individuals cannot be identified.
- The purchasing or sharing of personal data (such as email lists) is prohibited unless each person in the list has expressly permitted their details to be passed on to third parties. Event organisers, for example, can no longer share lists of attendees with sponsors.
- Where data must be passed to another organisation for legitimate business reasons, you should ensure they are also compliant with GDPR. This is particularly important if data is passed to organisations outside the EU, which may be less familiar with their data protection obligations under GDPR.
- Your customers now have the right to ask what data you hold and to have their data deleted permanently.
- Any breach of personal data integrity (e.g. through theft, hacking, or incompetence) must be notified to the authorities within 72 hours. Organisations should audit who has access to personal data and ensure they are aware of their GDPR security obligations.