Have you received a bunch of emails about updated Privacy Policies recently?

Facebook, Microsoft, AdWeek, Pinterest, Slack. It seems everyone is making updates to comply with a new European Union policy: the General Data Protection Regulation (GDPR).

Should you care? Should you stop deleting those emails? What updates should you make to your website?

Well, keep reading.

I’m not an expert in EU law. But I am a former EU intern (yes, really) who works in tech. That must mean I’m qualified to break this down…or something.

So, don’t panic. I’ve laid out what all this means and what you should be doing. Whether you think it applies to you or not, here’s how you can protect yourself and be a better marketer at the same time.

What is GDPR?

Let’s start with the basics.

GDPR – the General Data Protection Regulation – is a set of new rules the EU passed back in 2016. They will go into effect in about a month: on May 25th, 2018.

The general idea here is to protect the personal data of EU citizens by updating the laws on data collection and privacy. Basically, EU citizens have a right to know when their information is being collected.

 

Should you care?

Are you running ads on Facebook? Are you collecting emails on your website? Are you using user data in any way? Then GDPR is for you. It was created with the big tech companies – the Googles and Facebooks of the world – in mind, but it can affect small businesses too.

“But Katie, I’m an American company and these are European laws. They aren’t for me.” Sorry, but if you collect data from any European Union citizen, the rules apply.

And if you don’t follow the rules, you could get hit with a hefty fine: up to 4 percent of your revenue or €20 million.

 

What should you do about it?

People need to opt in

Be careful with your email list. People need to know that they’re on it before you ever send them an email. This means no buying lists, signing people up randomly, or sharing contacts.

People also need to know what you intend to do with their data. You can’t automatically dump contact info from donation forms, contact forms, and event registrations into your general email lists. Make sure you have an obvious opt-in or opt-out box on all forms that collect emails.

 

Let people opt out

Under the new rules, your users have a right to be forgotten. If someone asks you to delete all their information from your system, you have to do it. So it’s probably best to clean up your database now.

Most email platforms allow you to quickly filter your users to see who is active and who is not. Invite anyone who hasn’t opened an email in the past few months to re-engage or unsubscribe.

Also, make sure your email unsubscribe process is quick and easy. The ideal unsubscribe is a link in the footer of all emails that, when clicked, immediately removes the user from your list. No hoops, no hurdles, no extra steps.

 

Tell people when you’re using cookies

Cookies are a great way to deliver a personalized user experience. We use them on several of my clients’ sites to see if you’ve already signed up for the email list and, if you have, we don’t show you the sign-up pop-up anymore.

But cookies count as personal data. Which means, if you’re going to use them, your users need to know about it and tell you they’re okay with it.

You’re probably familiar with pop ups on sites saying, “This website uses cookies.” Some are arguing that this message isn’t enough under the new rules. The Cookie Collective (side note: great name) has a suggestion: edit your message to make it clear that if a user continues onto a second page, it’s considered consent.

 

Update your terms of service and privacy policy

The often forgotten privacy policy page. Chances are, you haven’t looked at it since your site was built. It’s time for an update.

One of the goals of GDPR is transparency. So make sure your privacy policy clearly outlines what information you’re collecting, what you’re going to do with it, and how long you plan to hang onto it.

Some companies are going out of their way to make sure users are actively aware of any changes to their privacy policies with emails and notifications.

 

Advertisers: expect some changes

Any advertiser worth their salt knows the value of personal data: it’s how you get your ads to the right people. But we can expect to see some changes.

You know when you look at a pair of shoes on Amazon, and suddenly you start seeing ads for those shoes all over the internet? These are retargeting ads. They use cookies to operate, so I’d expect some limits on them.

Keep an eye on Facebook ads in particular, where targeting can be surprisingly specific. Personally, I’ve run ads that target users with particular political opinions. But Facebook won’t be able to collect this information about its users anymore.

 

What’s next?

Honestly, we don’t know how the GDPR is going to be interpreted or enforced. And we won’t know until the end of May.

Maybe it’s been hyped up. Maybe people only care what Facebook and Amazon are doing. Maybe you wasted 5 minutes reading this blog post.

But it’s better to be safe than sorry: €20 million is no joke.

So if you’ve ever had someone in Europe visit your website – and I bet you have – invest a little time into protecting your organization. Make a few critical updates to how you collect user data, how you maintain it, and your privacy policy. Then keep an eye out for what changes will be rolled out web-wide.

Good luck.

About the Author
Katie Fulton
Katie Fulton is Director of Account Management and Marketing at Brick Factory. She works with a diverse roster of nonprofits and has extensive experience in content creation, email marketing, and digital advertising. She also won an episode of Jeopardy!