GDPR and Your Small Business

You may have noticed an influx of “privacy policy updates” in your inbox, on your apps, and on websites you visit in the past several weeks (but especially in the past several days).

Why is everyone suddenly so concerned about explaining your privacy options? Four little letters - GDPR - that are causing big changes in the ways companies collect and store your data. GDPR stands for General Data Protection Regulation and is enforceable only in the European Union – so everything I’m talking about applies to European Union residents, but since the internet is generally accessible to everyone no matter where they are, even companies outside the European Union need to comply or face big penalties. The maximum fine is 20 million Euros or 4% of a company’s annual global revenue – whichever is greater.

Or you can take the workaround several US news sites did today (May 25th, 2018 the first day the GDPR is in full effect) and entirely shut off access to the European Union.

Why does everyone care about the GDPR now? Although it was created in 2016, companies have had until May 25, 2018 to come into compliance.  If you want to go deep into what the GDPR covers here is the link to the full text.

What GDPR Does

Ultimately, the GDPR was created to deal with larger companies who don’t have a great track record of behaving like good internet citizens and take too much data, do shady things with the data they have, don’t tell you what data they have, and if they happen to lose any of it…they don’t tell you about that either (I’m looking at you Facebook and Equifax and lots of other companies also).

This is where I remind you that I’m a marketing strategist, not a lawyer, so this is my best interpretation based on what I know about very small businesses – if you have questions, talk to a lawyer who is familiar with compliance issues and the GDPR. I’m also only focusing on a small part of the GDPR, there is lots of information I’m not covering, so to be truly informed and prepared, read more than just this (but I have tried to make it a good primer with resources for small businesses as it applies to email marketing and your website).

Ready to continue? Ok…here we go…

Companies must now clearly state why they are collecting a user’s information, how they plan to use it, and when it will be deleted. They also must give European Union residents the right to have their information completely deleted, corrected, or even moved to another business (even if that business is a competitor).

If there is a data breech, companies have 72 hours to inform those who have been compromised. This is a big change and, again, aimed at those bigger companies who may have been more interested in keeping data breeches quiet than keeping their customers informed.

European Union residents can even determine where & how their information is used – so someone may be ok with a company having their email addresses, but they aren’t ok with the company using that email address to retarget them online later. As you can probably tell, this is a huge change over what is happening now. And, again, these benefits only apply to European Union residents, so if you aren’t in the EU don’t get too excited about having more control over your privacy just yet

How GDPR Affects Small Businesses

But what if you’re a really little guy or gal – do you still need to comply with GDPR? Yes! But, unlike a giant company, you should be able to become GDPR compliant without a lot of work. Why? Because you don’t have much data on people or you are using third parties like MailChimp or Stripe to manage data – you still have to do your part to be compliant where you can, but some things will be out of your hands.

What if you have never sold anything to anyone in the European Union? You still need to comply. Why? Even if someone never buys something from you, they may visit your site (where you, your website builder, or Google analytics collect information via cookies) or sign up for your email list (where your email list provider collects information like their email, name, IP address, and other data). Under GDPR, any data collected that identifies someone counts. Again, this is largely targeted at banks and corporations that have WAY more data on us than just our email address.

It is all about Consent

Going forward, think of GDPR as something that is focused on consent, consent, consent. Any business that in any way collects, stores, processes, or manages someone’s data must comply with GDPR – that’s where all of those privacy policy updates and cookie notices are coming from because when we’re online data is being collected on what we look at, where we go, what we click on, where we are, and so much more!

In fact, one of the big changes GDPR will bring is that information can’t be passively collected anymore. You must actively opt-in (consent) to a site using cookies or signing up for an email list. A website can no longer say “this site uses cookies, if you use this site you are consenting” because not having a choice, isn’t really consent, right? And those pre-checked boxes when you sign up for something that automatically sign you up for other things if you don’t uncheck them? Not ok anymore (thank goodness!)

Let’s Get Specific – Email Marketing

The CAN-SPAM Act from 2003 already covers a lot of email rules that you are (hopefully) already following – like not adding people to your mailing list because you go their business card or found their email online, clearly telling people how to unsubscribe from your email in EVERY email you send, and having their consent before you add them to your email list. If you’ve been following those practices already, then you probably don’t need to send your email list a reconfirmation email.

This is covered in Recital 171:

“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”

If you haven’t always followed best practices and you maybe aren’t sure where some of the people on your email list came from AND you think some of them might be in the European Union? Go ahead and send that reconfirmation email.

What is new? You need a verifiable proof that someone signed up for your email list – which is one of the many reasons using a service like Mailchimp, Constant Contact, Aweber, Emma, or any of the others is a good idea because they display that information within your account.

When someone signs up for your email list, it now needs to clear how, why, and when you will use their information. Mailchimp has already updated its forms to help you stay GDPR compliant. It is an easy guess to say other email services have done the same. BUT – here’s the thing – you now need to check and make sure because you need to use business partners who are GDPR compliant.

Use a double opt-in - where the person signing up for your email list gets a link in their email they must click to be added to your email – it isn’t required, but it is a second step that helps clarify their intention to join your email list. Just be sure to explain that your list uses a double opt-in so they know to look for it – otherwise, they may think they’ve signed up for your email list, but they’ve only done the first part.

What about freebies? There is some uncertainty and I’ve read different options. Everything from never using freebies again to keeping everything as it is now. My interpretation (again, not a lawyer here) is that you need to obtain a second consent to add them to your general email list. Amy Porterfield breaks it down nicely. And, again, you only need to do this is only for European Union residents.

This next piece should be obvious – if someone wants to be removed from your email list remove them completely ASAP. If you use a service like MailChimp and have users on different lists, make sure you remove that user from ALL lists.

Finally, Facebook has some neat advertising tools that allow you to upload your email list to Facebook for more marketing options. Under GDPR, you can no longer do that without explicit consent – again, just when you are working with European Union residents.

MailChimp Tools related to GDPR

Constant Contact information about GDPR

Emma information about GDP

Let’s Get Specific – Your Website

Whether you know it or not, your website is chock full of delicious data cookies…but do you know which ones they are and what they do? Probably not. And that’s one of the issues GDPR addresses. Who is tracking your data, where does it go, is it safe, and what do they do with it?

Your website builder, and nearly any website you visit, uses cookies remember login info, your preferences, and other details – which can also be used to figure out your preferences and ensure you see things you are more likely to buy. The positive? You can get a better browsing experience. The negative? That website now knows your shopping preferences and can do all sorts of neat tricks with it (that you may or may not want or understand).

So, what do you do?

Create a privacy policy. Your website builder may already have templates for you to use, but just in case they don’t, here are some links that will help you do that:

Privacy policy examples
More examples

 Get consent to use cookies. Your website builder may already have templates in place for you to use, but just in case they don’t here are some links that will help you do that:

Cookie Consent

Cookie templates

And speaking of website builders, what are they doing to be compliant with GDPR?

What Weebly is doing
Tips from Weebly

What Squarespace is doing

What Wix is doing

What WordPress is doing (note – WordPress is enormous and there are likely all sorts of plugins and options to be aware of. If you need help navigating the best ones for you, I highly recommend Nedra at Blue Deer Forest).

What’s Next?
That is a great question, and I’m not sure anyone knows. The GDPR is brand new, far reaching, and complicated.

Should you panic about being compliant? Probably not. You shouldn’t ignore this, but if you are a very small business you also shouldn’t be up all night trying to fix it.

Your next steps:

1) Create a clear privacy policy.

2) Create a clear cookies policy.

3) Make sure your email signups clearly state why you are collecting the information and what you will do with it.

Will there eventually be a US-version of GDPR? It is entirely possible, so getting things right now may save you time and stress in the future!