These emails are businesses attempting to become compliant with the updated General Data Protection Regulation (GDPR) which went into effect across the European Union on May 25, 2018.
Due to an overwhelming amount of massive data breaches and the misuse of collected data (thanks, Cambridge Analytica), the European Union has created a legal framework that sets guidelines for collecting and processing personal information of individuals within the EU.
If this regulation only impacts individuals living within the EU, Arizona-based businesses with no direct operation in the EU have nothing to worry about, right?
Well, not exactly.
There are a few parts of the updated regulations that could land U.S. businesses in hot water and have EU lawyers salivating at the potential lawsuits.
For example, Article 3 of the GDPR says that if a business collects personal data or behavioral information from someone in an EU country, the business is subject to the requirements of the GDPR.
The second piece that has U.S. businesses on their toes is that a financial transaction does not need to take place for the GDPR to apply. If a business simply collects data on a user for any type of marketing or survey purpose, then that data is protected under GDPR regulations.
For example, if a person in the EU performs a Google search and hits the website of a U.S. business—even if that business has no operations in the EU—then any information the business captures such as a name, email address, delivery address or credit card information is now protected under the new GDPR regulations. The business will be culpable if that person’s data is breached or misused.
And the fine if a business is found misusing that data? Up to $12,000,000 or 2% of annual revenue for the prior financial year, whichever is higher.
How to protect your Arizona business
Complying with the updated GDPR regulation isn’t as hard as it might sound.
First off, consent is the main consideration. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”
This means that unless someone has given a business explicit consent (note: not implied consent) to email them directly, the business cannot send that person emails. How many businesses take email addresses from contact form submissions or their point of sale and automatically drop them into their email marketing newsletters? That is against GDPR.
The first step for businesses is to review all of their online data capture points to figure out if they’re being explicit with the website visitor about how that information will be used, shared and potentially marketed to. Review what systems these capture points are feeding into and align those with what the business is telling visitors.
The next step is allowing customers to see and delete any data a business has for them. This should include name, address, phone number, email address—anything. The easiest approach is to make all of this information available in a “Your Profile” section.
Lastly, in the event that the data a business is holding about website visitors or customers is accessed by an unauthorized entity (i.e., a data breach), businesses have only 72 hours to notify their users that their data was compromised.
What data shouldn’t businesses worry about?
It’s also important to understand what data your business can collect without running afoul of the GDPR.
Any data necessary for your service to be rendered can be requested without an explicit explanation of how you’ll use it. Implied consent passes here.
A basic example would be if you sell personalized birthday cakes. If the purchaser requests a cake reading “Happy 6th birthday, David,” the purchaser would need to provide David’s name and birthdate to get the cake. This is considered implied consent to use that data.
Now if you, a custom-cake baker, ask for David’s social media accounts or email address, you would need to provide a “specific, informed, and unambiguous” explanation about what you’re going to do with those two pieces of data. You must allow that person to say no to providing that information.
Another example: if you’re a home security company, it’s implied that the customer will need to provide their name, home address, contact and billing information for your services to work.
If you want to send them follow-up direct mailers or marketing emails to upgrade their services, or pull usage data from their devices to better inform your marketing, the customer must provide explicit consent before you can do any of these things.
Simple enough, right?
While it’s true this is an EU regulation, if your U.S. business has a strong web presence or you engage in any kind of marketing, you should be paying attention to and changing your data collection practices right now. There is no shortcut to get past GDPR compliance. It’s not a check-the-box, 5-minute compliance routine. It will require time, effort and education to become compliant and stay compliant.
But with common sense and diligence about where your data comes from and how it’s captured, stored and used, and by complying in good faith, your business is likely to avoid any major fines from greedy EU lawyers.