First: None of this is legal advice. I’m 24 years out of law school, and my eyes cross when I read any form of legislation. For the legalities, visit the GDPR site and/or hire a lawyer.
I wrote this list while ranting about the various awful blog posts I’ve read by “experts,” and marketers’ tendency to try to game their way out of everything. You can’t game your way out of GDPR. It’s not like link schemes or content spinning. It’s a real regulation with real, ulcer-generating consequences if you violate it.
Here are my random thoughts, in a somewhat-orderly list:
I’m a marketer. What is the GDPR, in non-politician speak?
It’s a pile of rules that politicians and lawyers call a “regulation.”
That means it’s not a “recommendation” or a “suggestion.” It’s more of a “follow this, or you’ll get beaten to a pulp” kind of thing.
- The EU wrote the GDPR to protect their citizens’ data. It regulates how businesses can collect, use, and distribute your information
- The GDPR is not another please-don’t-dump-records-off-the-back-of-a-truck-thanks law. Someone in the EU got one too many “greetings of the day” emails and decided to kick some marketer ass. It’s thorough and complicated
- It’s official May 25th, 2018
Does it apply to me?
- If you’re outside the European Union and EU citizens visit your site, the GDPR probably applies
- An easy test: Would you be OK blocking all traffic from the EU? No? Then you had better comply with the GDPR
What’s all this “consent” talk?
- In the GPDR, Personally identifiable information (PII) is anything that can be used with any other information to identify someone. If a CSI character could use it to track you down, it’s PII
- You need to collect some form of consent for any PII
- You need to collect explicit consent any time you collect sensitive personal data.
- Explicit consent doesn’t mean someone stares at the screen and says “Yes, f–k you!” It means they opt-in to share information, allow you to use it as stated, and know what information they’re sharing. It also means dual opt-in or even an electronic signature
- Sensitive personal data includes things like race, politics, religion, union membership, medical information, criminal proceedings no matter how they concluded, ongoing proceedings regarding alleged crimes, or anything around lifestyle, health, or sex life
- Non-sensitive data includes things like cookies
- Non-sensitive data does not require explicit consent
- Want to be smart about it? Get consent any time you collect personal data. That’s name, address, phone number and such. When in doubt, get explicit consent
The following are not consent:
- A pre-ticked box. Well, it might be, but it’s a serious schmuck move, so avoid it
- Failure to opt out
- Asking for consent later
- Linking to a 900-word pile of verbal cud called “Terms and Conditions”
- Any cute tactic you used to use to pad your contacts lists and get subscribers isn’t consent
And here’s what most folks can comfortably say is consent:
- Ticking a checkbox
- Configuring privacy settings
- Providing opt-out ability on a case-by-case basis
- However, GDPR compliance doesn’t require a crappy user experience. Read this Econsultancy article for some tips
- One tip: Make it easy for people to delete their accounts/records from your databases. A nice form where they can say “please forget about me. It’s not me, it’s you” will go a long way
Corrections
I’ve heard some awful advice. So read these and hang them on your monitor:
- No matter what folks tell you, IP addresses are personally identifiable information!!! GDPR specifically states this
- Facebook, Google, et al. will not protect you. They consider GDPR compliance our responsibility. Don’t rely on them. Facebook is especially sensitive right now and has every incentive to distance themselves from the way we use their data
This is an outrage!!!!
You’re right! In the good old days, we could collect user data like candy and trade it at the corner store. I could stalk consumers around the internet in ways that make Hannibal Lecter look cuddly.
GDPR infringes on my rights.
I’m furious.
- Yes, compliance will cost you money. It costs me money. And time. It’s a pain in the tuchus. It will cost a lot more if you don’t comply.
- Yes, the EU might miss you. You’re thinking, “Oh, no one’s going to check my compliance with GDPR. I’m little.”
- Yes, if they catch you, they can pound you out of existence. Penalties are absurd
- Sure, you can fight it in court for years and years, bleeding money while lawyers argue. Let me know how that goes
The smaller you are, the easier it is. The bigger you are, the greater your risk. Just read up and comply, people.
PS: If you’re a masochist, you can read the whole GDPR here.
Thanks for sharing, Ian! Nice to have it broken down in this form.
Hi Ian, I’m not sure about these points:
11. Non-sensitive data includes things like cookies
12. Non-sensitive data does not require explicit opt-in
My understanding is that if cookies are used to personalise advertising, you most definitely do need opt-in consent. So if you drop remarketing cookies for AdWords, you have to have opt-in to use it (and Google’s https://cookiechoices.org site backs this up).
Plain Analytics cookies are more debatable – people seem split on whether you need opt-in consent. Certainly the ePrivacy Directive (in draft so not yet law, but likely to be passed similar to its current form) explicitly excludes analytics cookies from requiring opt-in consent, but GDPR itself is less clear. Certainly some people seem to think you still need consent, my personal opinion is not (unless you use Google Analytics Advertising Features, inc. Demographic/Interest reports).
You also need to ensure there is no PII in your Analytics data (e.g. email addresses in URL query parameters) and that you have chosen your data retention period in Analytics (with a good reason as to why you’ve chosen that length of time).
And as you point out, IP addresses are PII, so whilst you may not see the actual IP of your users in Analytics, Google is gathering it, so you need to enable IP anonymization for Analytics to be compliant.
My understanding is that under the GDPR, “explicit consent” means some kind of dual-opt-in, up to and including an e-signature. So if a medical clinic asks me for health info, they need to ask me for an e-signature.
Non-sensitive information, like name/email requires consent and an easy way to be “forgotten,” but not explicit consent. So a standard opt-in does the trick.
It gets even murkier when you get to cookies and IP addresses. Yes, you can anonymize in Google Analytics, but what about your log file?
The GDPR is very slippery on all this, probably deliberately. Which doesn’t make our lives any easier.
Hey Ian – great article, excellent writing style.
Couldn’t you feign ignorance on the part of everything GDPR stands for?
For example – let’s say I’m a business in the US and I target just the US but organically people from Europe come in and slip into the customer mix. So when we create re-marketing lists from Analytics and import them to Adwords, wouldn’t this be in the realm of Google as no PII can be seen?
So I could in theory capture users in Europe through Analytics and re-market to them without presenting them an opt-in?
Thanks,
WC
I wouldn’t risk it. The potential penalties are severe. And we’re held accountable for PII stored by Google.
Don’t count on ignorance as a defense. Marketers rarely, if ever, get the benefit of the doubt, and we all spend a lot of time talking about remarketing and cookies and how it all works.