I’m upset.
I rarely get upset, so the fact that I’m upset is upsetting.
But the amount of lies and fake news around GDPR is upsetting.
I am here to correct these lies and assure you that there is no need to panic.
By now you should know what GDPR is. But, just to refresh your memory, the General Data Protection Regulation is an EU data privacy regulation that goes into effect on May 25, 2018. It aims to protect private persons in the EU. It has worldwide impact in the sense that if you have subscribers or clients from the EU, then this law applies to you too.
Legal disclaimer: I’m not a lawyer and this episode does not replace legal advice. I’ve been running businesses successfully since 2004 and know how to read the law, dissect information, and form an informed opinion that benefits my clients and my business and is in accordance with the law.
10 Common Lies About GDPR
Lie nr.1
GDPR only applies to EU citizens so you just need to segment your list.
>> No! This regulation applies to anyone who finds themselves in the EU, including travellers. Therefore the advice of some lawyers that you segment your list based on where people live doesn’t really work. My company is not based in the EU, as Switzerland is not in the EU, but I spend a lot of time in the European Economic Area, as Iceland is a part of the EEA, and this law also covers those who find themselves in the EEA. This means that my data should be protected by GDPR, plus Switzerland is coming out with a law very similar to GDPR. The effort of segmenting your list and only protecting the data of some people and not others therefore doesn’t make any sense, as you’ll always have exceptions. And it is actually the exceptions that make segmentation a risky practice.
Lie nr.2
You‘ll be fined 20M€ or 4% of your worldwide turnover.
>> No! It is very, very unlikely that you’ll be fined at all – ever. If somebody complains about you then it doesn’t mean that the data privacy authorities will immediately start an investigation. They will prioritize cases that are high profile and impact more people and are more likely to result in high fines and media coverage. And if they decide to investigate you and find something wrong, then you’ll first receive a warning without any fine and have the opportunity to correct whatever you did wrong.
If you fail to correct what you are doing wrong or if there is another incident soon thereafter then the likelihood of a fine goes up. And still the data privacy authorities will look at the size and impact of your business and issue a fine that is in proportion to your revenue. If your business is based outside the EU it is also questionable how this is going to work but threatening those big fines is surely making businesses pay attention to data privacy and that’s the whole purpose of the regulation!
Lie nr.3
You have to ask everybody on your list to opt in again.
>> No! You do not need to ask previous and current clients to opt in again, as you can use the lawful basis of a contract and legitimate interest to keep your clients up to date and send marketing emails until they decide to opt out. Regarding subscribers who are not yet clients, it is debatable whether you need to ask them to opt in again or not. If you have a record of when, where and how they opted in, you do not need to ask them to opt in again.
If you have been moving between email systems and/or do not have any records of when, where and how they opted in, then it is safer to ask them to opt in again. But be careful. The very act of asking for reconsent means that you don’t have the legal grounds to email them in the first place. So, asking for reconsent when you don’t have to is not wise.
Actually I just heard a great analogy about this today from a client of mine. Asking for reconsent from your subscribers when the data privacy law changes is like asking someone you are already married to, to marry you again when the marriage law changes.
Yes that does sound ridiculous… and so does reconsent and that’s my opinion.
Lie nr.4
You cannot offer freebies any longer to build your email list.
>> No! The regulation says that you cannot bundle offers. That doesn’t mean that you cannot offer freebies anymore. The idea behind the no-more-bundling rule is to stop the common practice of big companies sharing your data with their subsidiaries and affiliated companies. So, if you have been sharing email addresses with affiliates or sending emails about completely unrelated offers, you need to stop right now. When people sign up for the freebie, you need to clearly explain what will happen, so your subscribers won’t be surprised by marketing emails from you.
Lie nr.5
You have to use a double opt-in.
>> No! There is no mention of double opt-in in the regulation. Therefore, there is no need to start using a double opt-in if you weren’t using it before. Some countries demand double opt-in, so look up the law in the country where your business is registered if you aren’t sure. Even if GDPR doesn’t demand it, it may be wise to use double opt-in to have a cleaner list, at the risk that a percentage of your list never confirms their email address while still wanting to receive emails.
Lie nr.6
You need to use tick boxes.
>> No! There is no mention of tick boxes in the regulation. The number of lawyers and software companies discussing tick boxes surprises me. Tests have shown that there is already tick box fatigue among subscribers: either people tick yes to every box, or they tick none. The intent of the regulation is already lost. If you really want to use tick boxes, for reasons beyond me, they cannot be pre-ticked, and if no box is ticked you still need to deliver on your promise. Instead of tick boxes, I suggest you have very clear wording at the point of signup. Also provide the option in your emails to sign up for other interesting offers you might have.
Lie nr.7
You need a cookie bar.
>> No! There is no mention of a cookie bar in the regulation. Another law, PECR, which will take effect in 2019, covers the entire discussion around cookies. Even if you don’t need to have a cookie bar, you may want to have one, especially if it is already a common practice in the country where your business is registered. Currently, most cookie bar plugins do not stop cookies from being set. They are just informative. This renders cookie bars useless, as you don’t have a choice over whether the cookies are set. It is likely that next year cookie bar plugins will be completely unnecessary, when the function of turning cookies on and off becomes part of the browser and is no longer down to the implementation of each business. In any case, what you need now is a cookie policy as part of your privacy policy.
Lie nr.8
You cannot use Facebook retargeting ads.
>> No! There are many ways to use Facebook retargeting ads. You need to mention all the methods you want to use in your privacy and cookie policy. Some require an email address, some a cookie and some an interaction with your Facebook page. Using Facebook ads is based on legitimate interest which means that your subscriber has shown interest in a product or a service. You are now reminding them with your retargeting ads.
When someone opts out of your list, you need to update your custom audience retargeting list in Facebook. They have retracted their consent for you to market to them. At this point there is no way to opt out of retargeting for website visits. Not unless you have a cookie bar plugin that gives that option. But then you are basing the retargeting on consent and not legitimate interest. Lastly, any kind of retargeting after an interaction on Facebook is based on consent the subscriber has given Facebook, not you. Overall this area is grey and will become a lot clearer in the coming months and years. People want to continue seeing relevant ads and targeting. We know it won't go away now, but people will learn more about it. That is also the goal of the regulation.
Lie nr.9
You cannot use Google Analytics any more.
>> No! GDPR categorizes IP addresses as personal data. Therefore, some are suggesting that you cannot use Google Analytics anymore to track the use of your website. This is not true, as you can easily tell Google Analytics to anonymize the IP addresses of website visitors. At the same time, you should use the opportunity to digitally accept the contract with Google Analytics. You’ll find this in the admin area of your dashboard. When subscribers sign up for your email list, their IP address will be logged as before. There is no need to log the individual IP addresses of people who just visit your website and don’t sign up.
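The two technical points above, that a purely informative cookie bar sets cookies anyway (Lie nr.7) and that Google Analytics can be told to anonymize IP addresses (Lie nr.9), come together in the following added example, which is not code from the original post. It only injects the analytics.js tag after the visitor has opted in, and issues the anonymizeIp setting before the first pageview; the consent cookie name and the property id are constructed placeholders.

```javascript
// Added example, not from the original post: a cookie bar gate that actually
// withholds Google Analytics until the visitor opts in, and configures
// analytics.js to anonymize IP addresses once it is loaded.
// CONSENT_COOKIE and GA_PROPERTY_ID are constructed placeholders.
const CONSENT_COOKIE = 'site_consent';
const GA_PROPERTY_ID = 'UA-XXXXXXXX-X';

// Parse a raw document.cookie string into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// Consent is explicit: the consent cookie must list "analytics". A missing
// cookie or any other value means no consent, so nothing is loaded.
function analyticsConsented(cookieHeader) {
  const c = parseCookies(cookieHeader);
  if (!(CONSENT_COOKIE in c)) return false;
  return c[CONSENT_COOKIE].split(',').map(s => s.trim()).includes('analytics');
}

// analytics.js commands to issue after consent; 'anonymizeIp' is a real
// analytics.js field that truncates the visitor's IP before it is stored.
function analyticsCommands(propertyId) {
  return [
    ['create', propertyId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Browser glue: queue the commands, then inject the tag only if consented.
function loadAnalyticsIfConsented(doc) {
  if (!analyticsConsented(doc.cookie)) return false;
  const w = doc.defaultView;
  w.ga = w.ga || function () { (w.ga.q = w.ga.q || []).push(arguments); };
  for (const cmd of analyticsCommands(GA_PROPERTY_ID)) w.ga(...cmd);
  const s = Object.assign(doc.createElement('script'),
    { async: true, src: 'https://www.google-analytics.com/analytics.js' });
  doc.head.appendChild(s);
  return true;
}
```

Call loadAnalyticsIfConsented(document) on page load and again from the cookie bar's accept handler after it has written the consent cookie.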
Lie nr.10
If a client asks you to delete their data you need to comply.
>> No! Accounting law supersedes data privacy laws. You need to keep records of accounting data for a certain number of years. Most often this is six years, but in Switzerland it is even 10 years. Aside from accounting law, you also cannot delete data if doing so abuses the rights and freedoms of a third party. If the request for deletion comes from a subscriber who is not a client, and deleting the data doesn’t hurt anyone else, then you need to comply. But also remember to keep a record of minimal data about the deletion request itself.
GDPR is about a lot more than just marketing. It is important that you inform yourself and take the necessary steps to become GDPR compliant. Compliance is not about doing everything perfectly. It is about showing – if and when the data privacy authority checks on you – that you’ve done your best to comply.