The GDPR: 29 Things ALL Marketers Must Know
Ian Lurie May 10 2018
First: None of this is legal advice. I’m 24 years out of law school, and my eyes cross when I read any form of legislation. For the legalities, visit the GDPR site and/or hire a lawyer.
I wrote this list while ranting about the various awful blog posts I’ve read by “experts,” and marketers’ tendency to try to game their way out of everything. You can’t game your way out of GDPR. It’s not like link schemes or content spinning. It’s a real regulation with real, ulcer-generating consequences if you violate it.
Here are my random thoughts, in a somewhat-orderly list:
I’m a marketer. What is the GDPR, in non-politician speak?
It’s a pile of rules that politicians and lawyers call a “regulation.”
That means it’s not a “recommendation” or a “suggestion.” It’s more of a “follow this, or you’ll get beaten to a pulp” kind of thing.
- The EU wrote the GDPR to protect their citizens’ data. It regulates how businesses can collect, use, and distribute your information
- The GDPR is not another please-don’t-dump-records-off-the-back-of-a-truck-thanks law. Someone in the EU got one too many “greetings of the day” emails and decided to kick some marketer ass. It’s thorough and complicated
- It’s official May 25th, 2018
Does it apply to me?
- If you’re outside the European Union and EU citizens visit your site, the GDPR probably applies
- An easy test: Would you be OK blocking all traffic from the EU? No? Then you had better comply with the GDPR
What’s all this “consent” talk?
- In the GPDR, Personally identifiable information (PII) is anything that can be used with any other information to identify someone. If a CSI character could use it to track you down, it’s PII
- You need to collect some form of consent for any PII
- You need to collect explicit consent any time you collect sensitive personal data.
- Explicit consent doesn’t mean someone stares at the screen and says “Yes, f–k you!” It means they opt-in to share information, allow you to use it as stated, and know what information they’re sharing. It also means dual opt-in or even an electronic signature
- Sensitive personal data includes things like race, politics, religion, union membership, medical information, criminal proceedings no matter how they concluded, ongoing proceedings regarding alleged crimes, or anything around lifestyle, health, or sex life
- Non-sensitive data includes things like cookies
- Non-sensitive data does not require explicit consent
- Want to be smart about it? Get consent any time you collect personal data. That’s name, address, phone number and such. When in doubt, get explicit consent
The following are not consent:
- A pre-ticked box. Well, it might be, but it’s a serious schmuck move, so avoid it
- Failure to opt out
- Asking for consent later
- Linking to a 900-word pile of verbal cud called “Terms and Conditions”
- Any cute tactic you used to use to pad your contacts lists and get subscribers isn’t consent
And here’s what most folks can comfortably say is consent:
- Ticking a checkbox
- Configuring privacy settings
- Providing opt-out ability on a case-by-case basis
- However, GDPR compliance doesn’t require a crappy user experience. Read this Econsultancy article for some tips
- One tip: Make it easy for people to delete their accounts/records from your databases. A nice form where they can say “please forget about me. It’s not me, it’s you” will go a long way
I’ve heard some awful advice. So read these and hang them on your monitor:
- No matter what folks tell you, IP addresses are personally identifiable information!!! GDPR specifically states this
- Facebook, Google, et al. will not protect you. They consider GDPR compliance our responsibility. Don’t rely on them. Facebook is especially sensitive right now and has every incentive to distance themselves from the way we use their data
This is an outrage!!!!
You’re right! In the good old days, we could collect user data like candy and trade it at the corner store. I could stalk consumers around the internet in ways that make Hannibal Lecter look cuddly.
GDPR infringes on my rights.
- Yes, compliance will cost you money. It costs me money. And time. It’s a pain in the tuchus. It will cost a lot more if you don’t comply.
- Yes, the EU might miss you. You’re thinking, “Oh, no one’s going to check my compliance with GDPR. I’m little.”
- Yes, if they catch you, they can pound you out of existence. Penalties are absurd
- Sure, you can fight it in court for years and years, bleeding money while lawyers argue. Let me know how that goes
The smaller you are, the easier it is. The bigger you are, the greater your risk. Just read up and comply, people.
PS: If you’re a masochist, you can read the whole GDPR here.
CEO & Founder
Ian Lurie is CEO and founder of Portent Inc. He's recorded training for Lynda.com, writes regularly for the Portent Blog and has been published on AllThingsD, Forbes.com and TechCrunch. Ian speaks at conferences around the world, including SearchLove, MozCon, SIC and ad:Tech. Follow him on Twitter at portentint. He also just published a book about strategy for services businesses: One Trick Ponies Get Shot, available on Kindle. Read More