By now you’ve surely heard about the scary and ominous GDPR. But how it will impact entrepreneurs within and outside of the European Union?
The GDPR stands for “The General Data Protection Regulation”. It’s a privacy law from the European Union that goes into effect May 25, 2018. And even though it’s a European Union law, all online entrepreneurs need to be paying attention because the GDPR will mean major changes for the way we operate our businesses online.
I’m both an online business owner and a digital marketing freelancer, so this law is really messing up my game but I’m hoping to make this as easy as possible to understand. Because if you’ve ever tried to read privacy policies before, you’ll know that it’s just so much legal jargon that no one enjoys and it can be difficult to grasp the actual impact.
But before I get into it, I would like to point out that the information within this video is based on my own research and what I am doing within my own business to ensure me and my clients are GDPR compliant. I am not a legal representative nor am I one of the chosen ones that live and breathe this stuff so you should consider doing your own additional research into this topic and seek professional advice to make sure you’re covered. Alright? So with that in mind, let’s get into it.
No time to read? Watch the video below:
What do the GDPR laws involve?
So this new privacy law is replacing an old, old… old law from the 90s (AKA the days of dial-up Internet) so we’re definitely in for some drastic changes.
To simplify the 80-page plus document, this law essentially applies to anything you do with personal data. Collecting names, email addresses, phone numbers but also tracking any behaviour or preferences. So for example, if you’ve surveyed your email list and based on their answers they’ve ended up in a segmented part of your email list then this also counts as you collecting their personal data.
It also applies to the data that a script like the Facebook pixel collects from people while they’re browsing your website. So basically any information that someone outwardly provides you with, or any behaviour of theirs that you’re tracking through other means is covered within the scope of the GDPR.
This is restricted to any relationship where one or more parties are based in the EU. So that’s not necessarily citizens of the EU but anyone within the geographical location of the EU at the time of the data collection. I know that some of you might be thinking: “I’m a U.S. based business and I only advertise and offer my services here so it doesn’t apply to me.” That’s great, but unless you’re able to put restrictions in place that will delete any person from the EU from your email list as soon as they sign up – then the GDPR applies to you.
To put this into perspective, if anyone from within the EU simply visits your website, this would result in their information typically being collected by the Facebook pixel. As you can imagine, it’s not as simple as saying that you don’t serve European customers.
Even if you’re not offering paid products or services yet and you’re just collecting data for now, you still have to be GDPR compliant as it does cover all data collection (both free and paid).
Yes, it’s a pain. So let’s get into the details of what you can and can’t do under the new law (spoiler alert, there are lot more of the things you CAN’T do):
You can’t collect data that you do not need for the intended purpose
For example, if you have an eBook that someone is opting in for, you do not need to collect their phone number, home address and mother’s maiden name in order to send the eBook to their inbox. Only collect the data necessary for the purpose of sending the opt-in.
You can’t hold onto data unnecessarily
Previously, when people would unsubscribe, a lot of entrepreneurs would still keep this data to use for Facebook ads to try and get people back onto their email list by marketing to them on social media. This will no longer be possible as you’re not able to keep someone’s data after they’ve unsubscribed ‘just in case’ you want it for something else. You have to delete it and any associated information.
Information has to be stored safely and securely
This is a no-brainer but we have to be a lot more careful about how we’re storing our customer’s data and ensuring that we are using appropriate SSL certificates. In addition, using password protection tools like LastPass to keep information as safe as possible will help with security.
- What information is being collected and by whom
- Why it is being collected
- How it is being collected
- How it will be used
- Who it will be shared with
- Any steps you’re taking to ensure people’s information is being kept protected
- Letting visitors know they can request to access, amend or request to have their information deleted from your database at anytime
How list building efforts will be affected under the new GDPR
You’ve probably signed up for webinars, downloaded eBooks or checklists in the past. And you’ve received your freebie, then noticed some additional emails from the same brand or website show up in your inbox over the following few weeks. This was likely an automated ‘nurture sequence’ that the business had set up; a series of emails that follows after the delivery of an opt-in freebie.
Nurture sequences are designed to tell you a bit about the business, offer more value and create a connection. Many automated nurture sequences are followed by automatically signing up that person to a weekly newsletter and maybe sending them some sales emails for paid products or services down the track too. So many online businesses use this exact process to built their email lists. With the GDPR, this process gets a little more complicated.
When offering lead magnets like eBooks to your audience, you will now have to get them to positively opt into being a part of your general email list as well. What this means is that just because they’ve said: “Yes, I want your eBook,” doesn’t mean they’ve said yes to being sent your weekly newsletter or your sales emails. And it also means that in order to get their permission to put them on your email list, you have to get them to actively subscribe to it.
Meaning the landing page can’t say something like: “by clicking the ‘Download’ button you’re agreeing to be sent our weekly emails as well as any promotional materials about our product or service.”
Users will have to actively tick or click something that says: “Yes, I want to also be on your email list,” or “No, I only want the eBook”. You also can’t have the ‘yes’ box pre checked for them. If they say they want the eBook but they do not want to be on your email list, you can then send them your eBook and you technically then have to delete them from the email list as the purpose for which you have collected their data has been served.
One additional thing you CAN do is to add an extra opt-in within the freebie itself to give you one extra chance at getting them to subscribe to your general email list.
Now unfortunately, you do have to take some retrospective action for people who are currently on your email list. The reason for this is that unless they subscribed for any other reason other than to specifically receive your weekly newsletter and any sales emails or promotions, they are not GDPR compliant. So if they are a subscriber because they downloaded an eBook, attended a webinar, received a free training or any other freebie-related reason, then they have two options. Option one is for you to send existing subscribers within the EU an email asking them to positively opt-in to your future emails. Option two is to remove their data before the 25th of May.
Ruthless, but unfortunately that’s life under the new GDPR.
Finally, this is not new, but you definitely have to make it very easy for people to unsubscribe from your email list should they want to do that.
Some additional tricky aspects of the GDPR:
Your customer’s data has to be kept up to date
To use a Facebook ads example, if your email subscribers have consented to be marketed to through Facebook, you can then upload your email list to the social media network in order to do so. Facebook then matches your email contacts up with their respective Facebook profiles so you can show your ads to them.
The problem is that technically as soon as someone unsubscribes from your email list, then their contact details can’t be used on Facebook for your marketing efforts.
Now this is virtually impossible to manage, as Facebook doesn’t currently have an integration for this. So technically every time anyone unsubscribes from your email list, you should manually be updating your custom audience list of active subscribers on Facebook as well.
This seems tricky and time-consuming but it’s best practice to get into the habit of updating your email subscriber custom audience in your Facebook Ads manager as much as possible for this reason.
The positive opt-in with respect to the Facebook pixel
The other thing that’s a bit tricky is that, as we talked about earlier, technically under the GDPR people have to positively opt-in to have their data used by your business.
However, if they land anywhere on your website, and you have the Facebook pixel installed then the pixel will ‘fire’ regardless of whether or not they give their permission to have their data used.
This is a super grey area because essentially to be 100% GDPR compliant, all websites would have to have a buffer page that would say something along the lines of: “By continuing through to this site, you are agreeing to have your information collected by the Facebook pixel.” It would be similar in practice to alcohol brands needing to ensure that visitors are declaring themselves to be over 18 or 21-years-old before entering their websites.
They would then have to say: “Yes I agree, continue through to site” or “No I do not agree, exit the site”. This obviously would make for an extremely poor user experience. This part of GDPR compliance is definitely still up for debate. However, you should have a prominent disclaimer on your website and any landing pages which lets people know you’re collecting their information and allow them to positively opt-in and say: ‘Yes I understand, continue browsing” or something along those lines.
Want to learn more? Here’s some further reading:
To sum it up, the GDPR is definitely complicating the lives of online businesses all over the world. The good news is that everyone is essentially in the same boat so we’re all inconvenienced equally and that will even out the playing field. The benefit of complying is that Facebook and Google will definitely be taking notice of websites that are being transparent with their visitors and likely reward them for their efforts with a lower cost per click costs and possibly a greater share of organic traffic. The reason for that is that they’ll likely be punishing non-compliant websites by increasing the cost of their ads and thus any compliant businesses will automatically be performing better as a result.