Raise your hand if you felt personally victimized by the GDPR in May of 2018 🙋🏼
Mean Girls jokes aside, if you’re a small business owner, chances are the GDPR stole a little too much of your time and your sanity last month. At least, I know it did for me… I’m writing this post one month to the day after the new law went into effect, and I’m still fielding questions in my inbox on a daily basis. Daily.
And to make matters worse, there is still a lot of misinformation floating around the internet right now, and it’s not the best use of anyone’s time to try to do interpret a law, implement it incorrectly, and either have to start over from scratch or deal with the consequences. Not at all.
That being said, my small but mighty team is proud to roll out a service today that’s been heavily requested: the GDPR Implementation Service. This is a three-tiered service with three different options to choose from: auditing, website implementation, and back-end business implementation. This will be limited to a first-come, first-serve business, and the waitlist is already filling up. Sign up at gdpr.paigehulse.com, or by signing up for the newsletter here.
Today, I want to answer some of the FAQs I have been receiving. Without further ado:
- Will the U.S. adopt the GDPR, or something like it?
- Maybe my #1 question, and all we can do is speculate. But, for what it’s worth, I predict the EU is just the first of many international governing bodies who will enact such strict privacy laws- more conservative countries (legally speaking), such as the US and Canada, have historically followed in the footsteps of more liberal bodies, such as European countries. My point being, it’s good to start to educate yourself now.
- Does the GDPR apply worldwide, or just to EU clients?
- The GDPR applies to anyone in the world if they “process the personal data” of anyone in the EU. I say “in” specifically, because many lawyers think this includes anyone passing through the EU as well. Here’s a personal example: my intern studied abroad in Prague this summer. She’s Nebraskan. The GDPR applies to me.
- Find more info here: http://paigehulse.com/gdpr-creative-business/
- Can I actually get in trouble for not complying?
- This is where I have to balance being a risk-adverse attorney with being risk-loving entrepreneur. In short, yes. Comply as if you could. But also…the US has not specified as to how they will help the EU uphold these laws. I can get into the weeds really easily here, so I’ll try to keep it short. The US has said that they will uphold the GDPR laws… but if you violate the GDPR mandates and they try to enforce fines against you, can they? Theoretically, yes, but we don’t know where or how. Ie, would you be taken in front of EU courts? The US has been intentionally vague on this point. Suffice it to say, companies like Facebook and Amazon will be the first to (painfully) answer these questions for us. As a lawyer, I am NOT telling you to blow off these laws. I’m telling you the opposite. I’m just saying that you don’t need to have a panic attack on May 26th about whether or not you’ve complied fully.
- What is “consent”?
- How does this change my opt in’s?
- This is key for many of my clients. Rather than our standard “offer an incentive download and auto add them to our email lists”, as we’ve all been taught, you now have to change how you do things. Because “express consent” is such a tightly-defined term, the consent that is valid to send them the download is insufficient to ALSO add them to your list.
- You must tell them what they’re getting in the download, and why. If you’re asking for permission to send them a download, in order to get sufficient consent, you must tell them exactly what they’re getting. Aside from this, you can’t “force” or “pressure” someone to add their list. They may simply want your download but never want to hear from you again. You can’t force them to join your list to get it. Which means, yes, you may at times be providing incentive downloads and not receive the benefit of the bargain of adding them to your list.
- So what is the step after giving them the download to add them to my list? I’m not very “techy” so I haven’t really researched this much yet. For now, instead of sending them to a welcome sequence, I’m going to send them to an email that says I hope they enjoy the information, and they can find similar material if they join the newsletter.
- That’s not fair- it’s my choice as to how I add people to my list. I create downloads for the sole purpose of building my list.
- I’m not going to say you’re wrong- I’d even say you have a valid point. However, you need to know that the EU disagrees with you and I on this point. You need separate consent to give out a download and add someone to your list.
- I thought I owned my email list.
- This is a marketing tool/ phrase I’ve disagreed with since Day 1. Sure you “own” your list. Just like you “own” your house.
- But does that mean the laws don’t apply to your list? Never. Ever ever ever. Just like you can’t start selling drugs out of your house and call it good because you own your house. Technically you don’t own anything– the Grand Caymans are actually the only place in the world where you actually own your property. Isn’t that weird to think about?
- What are you doing to prepare?
- Great question! Like I said, the GDPR is as new for me as it is for you.
- Before May 25th, I will have to:
- Collect new consent from all EU subscribers on my list (click the link above if you want to stay on my list!). For educational purposes, I sent this list to ALL of my subscribers…but I just need new consent from my EU people. I don’t know about you, but I can’t rely on 100% open rates from my readers, which means some EU users may not even open this email to click for consent, which means that I’ll have to send them more emails asking for consent this week.
- Add a new, simple email opt-in to my website
- Check to make sure all of my WordPress plugins are GDPR compliant
- Look into cookie notifications, and possibly implement them on my own sites.
- After May 25, use my own Guide to start tracking how/where/ why I collect data, so I have it in my records.
- Luckily, I just had to add a new paragraph to my policy- my original already had all required California and federal law requirements, which already aligned with much of the GDPR. You can find an updated version here.
- A few things people don’t even know to ask:
- You cannot share webinar signups under the GDPR. Ie, if you host a webinar with someone else and share the list with someone, you can’t do that.
- You can’t automatically add people to your list. I’ve seen so many people advocate this for “list building”, including lawyers, but this has never been legal. If an inquiry contacts you, please do not add them to your list.
- Many times, I simply post on IG and ask people if they want to be added to my list. If they send me their email, this is fine- I don’t need any further consent from them. They’ve given it by sending me their address.
12. What do I need to do to when it comes to “cookies”?
a. This is a great, great question. If you are collecting “cookie” information from your users, you must gain express consent from your users. Based upon this, if you are collecting cookies from EU users, I want to be conservative and recommend that you create what I’m calling a “cookie pop up”. According to Article 30 of the GDPR, Cookies are considered “personal data”, which means you must have a sufficient cookie notice under the GDPR
According to the ICO, that notice must:
- Let people know the cookies exist
- Why you are using/ collecting cookies
- What cookies are and what they do
- And finally, you must obtain that user’s express consent to use the cookies
Important caveat: if your cookies collect analytics or sharing information with 3rd party partners, you must:
- Disclose this fact to the user in your notice, and
- Obtain active consent for those 3rd-party cookies
Therefore, it may be wise to put an opt-out option in place on your site, or allow the User to choose what type of cookies they will use.
14. Before May 25th, please check with YOUR specific email provider.
I’m not able to give a synopsis of each. I use Convertkit and know that it is not only GDPR compliant, but that they have also rolled out helpful tools for us. Please refer to the FAQ section of their site.
Mailchimp users have been throwing a lot of questions my way, such as this:
“I use Mailchimp and it looks like on the new GDPR opt in form you can select options for them to choose what they want to opt in to. So if I have option one as customized email updates and option two as free downloads and they choose one or both would that cover me? I send out product update emails and free downloads. According to Mailchimp it looks like it does but who really knows”
Luckily, my sweet friend Christine of southoflibbie.com researched this just this morning, and provided the following snapshot of what Mailchimp has set up for GDPR compliance. This looks like a great built-in option.