Are You GDPR Compliant? (Law Went Into Effect May 25)

I originally posted this blog post on my main The Virtual Solution website. After realizing that so many STILL aren’t aware of the impacts of the new General Data Protection Regulation, I thought I would also share it here with you. I’ve modified it and updated it slightly for this site.

Not only is it important for you to have your own website, email marketing, and opt-in forms in compliance, but if you’re working with client websites and email marketing systems, you NEED to be up to speed because if your practices aren’t compliant, that automatically makes your client non-compliant at puts them at risk!

I’ll admit, I didn’t pay too much attention to GDPR when I first heard about it. I didn’t know what it was and I was busy with other deadlines, so I put off investigating it further. Then I received an email from my email marketing platform stating that it was going into effect on May 25, 2018. I figured I should read up on it to figure out what this is all about, and I incorrectly thought it wouldn’t be a big deal and wouldn’t be much different from what many of us are already doing with CASL and CANSPAM anti-spam laws in Canada and the USA.

Wrong.

I had spent at least a week studying up on it as much as I could and trying to come up with a game plan, struggling to get client websites and email marketing practices updated, and then my own (only meeting the deadline with one of my own websites).

But back to GDPR. What is it?

It’s the General Data Protection Regulation coming into effect in the European Union. This pertains to any and all personal data collected, whether online or in person, and there’s a lot of confusion around it, especially since it leaves room for interpretation.

Don’t think you’re safe and you can avoid it just because you live in Canada or the USA, and don’t think it doesn’t affect you if you don’t market to anyone in the EU or you’re sure you don’t currently have anyone from the EU on your email list.

Nope.

It affects you and your clients because you (and your clients) could possibly attract someone from the EU, even if you’re not trying to.

Do you have a contact form on your website? Do you have opt-ins and landing pages? Do you sell products or services? Do you have an email marketing list? Do you run Facebook ads for your business? Do you have cookies or tracking codes on your website (Google Analytics, Facebook tracking pixel, popup cookies, Infusionsoft or ActiveCampaign tracking code, etc.)? Of course, this applies to all of your clients too.

If you collect people’s information and/or you monitor their activities in any way, you must be compliant. The fines are HUGE – in the millions, in some cases.

DISCLAIMER: I am not a lawyer, so DO NOT take anything I say as legal advice. To make sure you and your business are protected, and to protect myself, I advise you to consult with a business lawyer who specializes in GDPR.

I take no responsibility for your actions or your in-action on this matter, or the consequences resulting from your decision to not consult with a qualified lawyer prior to making changes yourself or enlisting my help in making changes.

What I will share with you is research I have done and my current understanding of some of the main aspects that stood out to me so that I can help you gain an overall understanding of the requirements and how this will affect you. Then hopefully you’ll feel more comfortable discussing the topic with your lawyer or making whatever changes you choose to make.

EMAIL MARKETING

First of all, let’s look at your email marketing. You can’t do things the way you used to.

You may no longer add people to your email list just because they downloaded a free gift from your website or purchased a product or service. I know, that sucks. There’s nothing you can do about it.

For our Canadian CASL legislation, you may already be used to having to have a double opt-in to confirm and have proof that people really do want to receive marketing emails from you and you know that you can’t have pre-checked boxes. GDPR is a whole different ball of wax.

Now, if you’re offering a free opt-in gift, you may ONLY send them that free gift. You do not have authorization to send them ANY other type of email or marketing message beyond that gift that they agreed to receive, and you must NOT require them to join your email list in order to receive the free gift. That means if you’re offering a free gift and you include a checkbox on the opt-in form or landing page to invite them to join your newsletter, BUT then you don’t send them the free gift if they don’t check the box to consent to the newsletter – that’s not allowed!

If they do not consent, you must tag them as GDPR Declined in your email marketing system and you may not add them to any of your email lists or tags that you will send emails to.

If you want to send them other marketing emails or use their information for different purposes, you must identify everything you want to use their email for with a separate, unchecked box on the opt-in form and gain consent for each of those intents or business activities that process their private data. You must tell them how often emails will be sent to them.

What about those already on your email list?

You’re going to need to get new consent from those in the EU. You’ll need to segment your email list by country right away, if you don’t have that done already, and request updated consent. If you didn’t receive consent by May 24^th, you’re supposed delete them from your database.

No way to identify where they’re from in your email marketing system? You’ll have to ask for new consent from everyone on your list. 🙁

YOUR WEBSITE

Privacy Policy

Your opt-in box, landing page, and sales page must link to a clear privacy policy page that outlines how you will use and store their information. In fact, you should link to your privacy policy on every page of your website.

Your privacy policy must clearly tell the visitor what data is collected and how it will be used.

What information is being collected?
Who is collecting it?
How is it collected?
Why is it being collected?
How will it be used?
Who will it be shared with?
What will be the effect of this on the individuals concerned?
Is the intended use likely to cause individuals to object or complain?

You can’t collect more information than what you actually need to perform the task. Do you need their phone number to send them a free gift? Do you actually need their last name?

I have added affiliate links to some GDPR privacy policy templates below. I have not personally used them and I have added the links only as a possible resource. The best and safest thing you could do is have your lawyer write one up, but you can also Google to find some on the web that are free or that you can buy, and then have your lawyer review it/them.

Cookies and Tracking

Think Google Analytics code. Think Facebook tracking pixel. Think Infusionsoft and ActiveCampaign tracking codes.

If you have cookies and tracking on your website, you must offer the options to accept AND deny cookies. You can have someone code this into your website using Javascript (that I’m not familiar with), or there are a few WordPress plugins out there that offer this. A couple of them I know about are CookieBot and Google Analytics Germanized. These are not affiliate links.

CookieBot offers a free version and paid options, and the paid options allow you to target only the EU with the offer to accept or deny cookies! If you’re interested in the paid option, do the website scan/evaluation that they offer. If you have a lot of website pages on your site, you might end up with a better offer than is on their website.

The Google Analytics Germanized is free and I like it. If you have a cache plugin installed, you’ll want to be sure to clear your cache and test it out to make sure it tracks after cookies are accepted. It also allows you to add other tracking codes, such as Facebook pixel or CRM tracking code. It allows you to add a link to your Privacy Policy page. It’s fairly quick and easy to set up, the cookie notification boxes/banners are customizable, and I think it looks nice. This one is my pick!

If you use a plugin, you should have your lawyer check to see if it will cover your butt, as I can’t promise these will. However, I saw a lot of other GDPR plugins in the WordPress repository that seemed rather useless in function.

With Google Analytics, you’ll want to be sure you have IP Anonymization turned on so the full IP address of visitors is never written to the disk. Google Analytics Germanized plugin includes this handy feature in one of their settings as well.

What Else?

I don’t know if you are as exhausted as I am right now. This was a heck of an article to research and write. I’m sure I’ve left out a lot of detail, so I’ll leave you some links below that I used in my research, as well as some other resources, and you can do your own research, if you have not already done so.

EDIT: I’m now offering a GDPR Technological Audit & Assessment through my other website. I can do this for your VA business, and also, if all of this is just not in your wheelhouse, I can also do the Audit/Assessment for your clients if they need it (whether through you or directly with them). Learn more at the link above.

Here are some resources and links to learn more about GDPR: