Before we get started: this will be a monster blog post. The GDPR is a sweeping new legislation that will affect most creative business owners and will have a direct impact on how many business owners can (legally) operate their businesses online. Please remember that this information is provided for informational purposes, and is not intended to be legal advice. If you have questions about how this law will affect your individual business, I encourage you to reach out to an attorney in your state.
You know a blog post is going to be jam-packed with information when it begins with a table of contents….and that is exactly what is about to happen. After reading through the entire regulation, I can tell you one thing: this law is dense. It’s wordy, and it’s easy to confuse. For that reason, when deciding how to organize this material, I opted to include all material that I think you need to know as a business owner. The material as a whole will be broken into two parts: Part I (this post) will cover topics 1-8 below, and Part II, which will be a separate post, will cover section 9. Here’s a snapshot of what to expect:
- What is the GDPR, and why do I care if I’m not an EU citizen? (Find the actual regulation here)
- What is covered by the GDPR
- To whom does the GDPR apply?
- Personal Data.
- How to legally use personal data
- Scope of the GDPR
- Privacy Policies and the GDPR
- Consent under the GDPR. ****This is the most important part of this entire article
Cookie Notice Requirements
Email List Legality Under The GDPR
- Data processes and controllers, and third-party platforms
One thing I want to note: This post is an overview of the GDPR, so you generally understand what the regulation is. However, I have created a complete guide to GDPR compliance that will map out the literal steps you must take before May 25th and after, in order to comply. Download the guide here:
So without further ado, let’s get started!
1. What is the GDPR, and why do I care if I’m not an EU citizen?
By now, chances are you’ve heard that the GDPR will be taking effect this month- and if you hadn’t heard that yet, consider this your official head’s up– if you have a business that “services” any citizen of the EU, then this law applies to you. The GDPR will have global influence. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you’ll need a GDPR notice and compliant consent measures.
The GDPR is a sweeping new security measure that is designed to protect the privacy of citizens in the EU, empowering them with control over exactly how their personal data is processed. This includes: how it’s collected, stored, and then used. You may be thinking to yourself “well that’s fine, but I don’t have any EU clients, I’m in the clear!” Not quite so. Do you have an email list with any EU members on it? Do you know if EU citizens have ever left a comment on your site, or if you have processed their information via Google Analytics? You probably can’t say for certain, so better safe than sorry. And while it’s admittedly a pain to acquaint ourselves with such a dense new law… it’s important to understand why this legislation is taking place: for the enhanced security of personal information online. Even though as it currently stands, the GDPR is an EU-specific law (and already adopted by the UK), I wouldn’t be surprised if this is just the first step of many that the rest of the world will take in processing online personal data. In a time when we hear about hackers creating serious data breaches or shady companies selling email lists, the GDPR is simply putting the power of protection of personal data security back in the hands of users.
A more practical reason why you should care? Noncompliance will mean you are liable for very, very hefty fines. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. Avoiding liability for these fines will primarily arise out of failing to obtain sufficient consent, or failing to abide by the procedures set forth below.
2. What is covered by the GDPR:
Simply put, the GDPR will govern how you may process the data of EU members. “Processing”, in this sense, can be defined as “doing anything with that data”. For you, this means that the GDPR will govern anything you do with the personal data you collect from EU users (by “users”, I mean users of your website). The period of governance applies to everything you do with that data from collection point to deletion point.
3. To whom does the GDPR apply?
This is a trick question with an important distinction: the GDPR protects EU users, but applies to any business that collects personal data of EU users (more on that below). It doesn’t matter if you’re in the US, Canada, etc. it applies to any relationship, transactional or otherwise, where one party is geographically located in the EU. This could be either the website owner or the user- the only time the GDPR will not apply is when both parties are not located in the EU. For your purposes, just play it safe and assume that the GDPR applies to you. According to Article 2 of the GDPR, the only time it will not apply is when:
in the course of an activity which falls outside the scope of Union law;
by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
by a natural person in the course of a purely personal or household activity;
by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Basically, if you use personal data for any business-based reason, the GDPR applies. You will only be able to keep that data if you have a “legal reason”, or for something like tax purposes.
4. In order to know what the GDPR applies to, you must know what “personal data” is.
So, what is “personal data”? “Personal data” is anything that can identify the user or monitor what they are doing. It commonly includes:
- contact information
- medical information
- credit card or bank account details
- geolocation data
- IP Address or Google Analytics info
Important for online business owners: this definition of personal data will most likely include any type of processing information that you add to a database. For example, all of your online quizzes, email opt-ins or incentive downloads, surveys, tagging, or segmenting in your email list.
However, keep in mind my original definition- if you aren’t sure if the info you have is “personal data”, ask yourself if your info on the user can identify them or monitor their use on your site. Websites commonly collect “personal data” through comments on blogs, contact form entries, analytics, logging tools and plugins, security tools and plugins, and user registrations.
5. There will be certain types of personal data that you must use in your business. How can you do so, legally?
The GDPR enumerates 11 Key rights of subjects in relation to their personal data:
- The right to access their personal data that you’ve collected.
- This has actually always been a law, but now, companies must respond to requests within one month, cost-free (they used to be able to charge)
- All personal data must be easily accessible to the consumer and provided in writing upon request, free of charge.
- The right to be informed- the user must be informed as to how you intend to or have used their personal information. They must freely, expressly consent to allow you to use their information.
- The right to ask how you use their personal information. If they believe you have no good right to use their information, the following rights kick in:
- The right to be forgotten- the right to ask you to remove their personal data.
- The right to ratify their personal data if their personal data is incorrect in your system. *if the user enacts this right and you have used a third party to process their information (such as an email hosting system), this includes your duty to:
- Notify the user of the third party’s use of their information
- Notify the 3rd party of said ratification
- The right to erasure- to erase their personal data from your system or that third-party system
- The right to object to your use of their personal information, if the objection is based upon“grounds relating to his or her particular situation”.
- “The right to automated decision making and profiling”- now, users have the right to protect themselves from automated decision making by non-human intervention.
- Data portability- users now have the right to request a digital copy of their personal data to use the data however they’d like
- Data breach- the right to protection from data breaches- you now have the obligation to report breaches.
6. Scope of the GDPR
If “personal data” is defined so broadly, how can you actually use information such as someone’s name or IP address? To use personal data, you must comply with ALL 6 PILLARS, and obtain express consent (more on this below). According to the GDPR, there are 6 main pillars that define the scope of GDPR compliance:
1. “Data shall be processed “lawfully, fairly, and in a transparent manner.” Aka, You can only collect personal data if you have a legal reason to do so.
2. “Data processing shall be “limited to what is necessary” for the purpose. Some personal data may be essential for your business. For example, if you have an online shop, you will need your customers’ names, credit card information, and possibly their address. However, you may ONLY collect what is necessary for that purpose. Which leads us to:
3. Data shall be “collected for specified, explicit and legitimate purposes.” Not only must your purposes be necessary, but you must be able to explain why.
4. Data shall be “processed in a manner that ensures appropriate security.” You must (already) be putting protections in place to protect data you use, such as SSL certificates. In other words, behind a password-protected wall.
Numbers 5 & 6 dictates your duty of care regarding your use of the personal data. These 3 apply mostly to larger scale businesses, such as Facebook.
5. Data may only be kept so it identifies a person “no longer than is necessary.”
6. Data shall be accurate, kept up to date, and corrected.
Don’t forget, you can find a step-by-step guide for how to prepare your business here.
8. Consent under the GDPR.
To use personal data, you must gain express consent.
If you are going to read ANY of this article, it needs to be this paragraph.
- What is consent?
- Art. 7 GDPR Conditions for consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
1If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. 2Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
1The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 3Prior to giving consent, the data subject shall be informed thereof. 4It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.u
- What is consent?
This is a specific note that I want to point out for creatives: I know it is standard procedure, for example, in webinars, for the host of the webinar to give the interviewee the email list of signups from the webinar. I believe this will no longer be permissible under the GDPR, because the user did not specifically consent to interviewee having that personal data.
This also means that you may never automatically add people to your list or of course sell lists, but this was never legal anyways.
Examples of improper consent:
- Any consent that is merely contained within your terms and conditions (called “browsewrap”, where consent is just implied and does require “clicking”)
- Language saying ““By clicking or navigating the site, you agree to our collection of information”, or “By using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy.” is not considered valid consent, because they have not expressly asked for consent for the use of personal data for a specific purpose.
A. Cookie Notice Requirement
If you are collecting “cookie” information from your users, you must gain express consent from your users.
A “cookie” is a small file stored on your computer or on your server, holding specific data to the user. Cookies allow the website owner to deliver a page tailored to the user. According to Article 30 of the GDPR, Cookies are considered “personal data”, which means you must have a sufficient cookie notice under the GDPR
According to the ICO, that notice must:
- Let people know the cookies exist
- Why you are using/ collecting cookies
- What cookies are and what they do
- And finally, you must obtain that user’s express consent to use the cookies
Important caveat: if your cookies collect analytics or sharing information with 3rd party partners, you must:
- Disclose this fact to the user in your notice, and
- Obtain active consent for those 3rd-party cookies
It may be wise to put an opt-out option in place on your site, or allow the User to choose what type of cookies they will use.
B. Email List Legality Under The GDPR
And finally, you are responsible for ensuring that your 3rd party platforms (website hosting service, email marketing system, client management system, etc) are compliant. I will be breaking this down in considerably more detail in Part II of this post, and I have created a complete guide to keeping your email list system GDPR compliant here.
Arguably, the biggest impact the GDPR will have on your business will be how you run your email list, so make sure you take the time to ensure that you’ve taken the right steps to “legalize” your list!