In May of 2018, the GDPR, or General Data Protection Regulation, came into force in the European Union.
This regulation has tightened Europe’s already strict laws about what businesses can and can’t do with people’s data. In return, it gives people more control over how their information is collected and used, as companies have to make sure that everything they do with it is justified.
Although this controversial topic has sparked outrage from some and praise from others, now that it is law, the best response is to become educated on the subject and act accordingly. So let’s discuss how it impacts companies, specifically marketers, and how to deal with the regulations.
The Three Things This European Regulation Regulates
This regulation was introduced because the previous rules were written before smartphones began collecting large amounts of sensitive information and making it available to businesses like Facebook and Google. This infringed on people’s privacy and resulted in a huge outcry from the general public.
Hundreds of lawsuits and thousands of (justified) complaints later, our data as customers is much better protected today (especially if we live in the European Union). And even though it is EU legislation, it also heavily affects companies outside the union, particularly those providing products or services to EU customers.
What exactly it regulates:
- How companies get user’s permission to use their email and personal data.
Instead of using soft opt-in forms, companies now have to get much stronger user consent via hard opt-in forms. Since neither live chats nor chatbots require hard opt-ins, they may become significantly more important.
- How customers access their data.
Customers must now be able to easily access their personal data, so that they can see what data companies hold and can have it deleted if necessary. For email marketing, for instance, this means it’s important to have an unsubscribe button.
- The necessity of information.
Lastly, companies should only ask for what they need. In other words, they should only ask for permission to use data that is necessary for a particular function or process to work.
Basically, nothing new: all of the things listed above should have been complied with already. The GDPR simply made them law, leaving no choice but to get things right.
Actions to take
There is a list of actions you need to take to stay compliant with the GDPR. Even though every deadline for adjusting your policy to the regulation has long passed, here are a few checkpoints to tick off.
- Audit how you are storing your customers’ data, where it came from, and who you are sharing it with.
- Follow through on the action plan you’ve developed to make your operations GDPR-compliant. If you found any gaps or errors, fix them as soon as possible.
- Obtain all necessary consents and publish information that clearly states how you are collecting, processing and storing data, including cookies, behavioral profiling, pixels, and other user-ID-related information.
Let’s talk more about user IDs and cookies. As digital marketers, we all collect, analyze and use Google Analytics data, which under the GDPR must be anonymized and collected only with full consent.
The GDPR and Google Analytics in detail
Google first outlined the impact of the GDPR on Google Analytics users in an email. The email started off by reinforcing the fact that the GDPR was on its way. It then introduced granular retention controls, which allow businesses to control how long data is stored on Google’s servers and when it’s deleted. The default retention period is 26 months, but companies can adjust it within their Google Analytics account. The email also introduced a user deletion tool, so that users’ information such as client ID, user ID, and app instance ID can be deleted.
If companies want to continue to use Google Analytics, they have to obtain consent for processing Google Analytics data. Although Google provides businesses with the tools to collect the data, the companies themselves are responsible for GDPR compliance. It may be an unwelcome change, but ignorance of the law is no excuse, so it’s important that companies understand how the law impacts their daily processes.
Summary of Google Analytics GDPR updates
- Google Analytics will let businesses become compliant with the GDPR with the help of their tools that came out right before the May 25th release date.
- Google offers many resources to learn from as well as stay up-to-date with the regulation.
- Despite a few nuances in the data collection process, such as things that people can opt out of, overall, those who don’t opt out will find the process unchanged.
- That being said, should someone opt out of being tracked, it’s important to understand how to process that request.
How to get things right
If a firm chooses not to comply, it can be fined up to 20 million euros or 4% of its global annual turnover, whichever is greater. So do make sure that you are auditing your data collection, that IP anonymization is active, and that you’ve evaluated your collection of pseudonymous identifiers such as user IDs, hashed emails, and transaction IDs.
Privacy policies must also be updated. The company must make them very clear and be sure that it adheres to them.
Last but not least, companies need to add opt-in and opt-out capability for users, since consent must be obtained when collecting information such as user IDs or pseudonymous identifiers. This means that a cookie notice claiming that users who continue onto the site have automatically consented is no longer acceptable.
GDPR pop-ups on sites
Companies now have to ask for clear permission before Google Analytics starts running.
GDPR pop-ups are one of the most common ways of asking users to opt in or out. Beyond changing how much information companies have to give their visitors, the GDPR also alters the conditions under which they can gather data by consent, such as authorization to use email as a form of contact. Under the law, consent must be “clear, free, specific, and unambiguous.”
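To make the three points above concrete (no tracking before consent, IP anonymization switched on, and a working opt-out), here is an added example that is not code from the original post or from Google. It assumes gtag.js with a Universal Analytics property, uses the placeholder ID UA-00000000-1 and a hypothetical storage key analytics_consent, and takes the window, storage and script loader as parameters so the decision logic can be exercised outside a browser.

```javascript
// Consent-gated Google Analytics bootstrap (added example, not the post's code).
// Assumptions: gtag.js for a Universal Analytics property; GA_ID is a placeholder;
// `win`, `storage` and `loadScript` are injected so this runs outside a browser.
const GA_ID = 'UA-00000000-1';            // placeholder, replace with your property ID
const CONSENT_KEY = 'analytics_consent';   // hypothetical localStorage key
const GA_SCRIPT = 'https://www.googletagmanager.com/gtag/js?id=' + GA_ID;

// Returns 'granted', 'denied', or null when the user was never asked.
// Anything other than an explicit 'granted' is treated as no consent.
function readConsent(storage) {
  const v = storage.getItem(CONSENT_KEY);
  return v === 'granted' || v === 'denied' ? v : null;
}

// Called by the consent pop-up once the user makes a clear choice.
function recordConsent(storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? 'granted' : 'denied');
}

// Loads analytics only when consent is 'granted'. Otherwise it sets Google's
// documented per-property kill switch (window['ga-disable-<ID>']) so that no
// hits are sent even if a stray gtag() call runs later, and loads no script.
function initAnalytics(win, storage, loadScript) {
  const consent = readConsent(storage);
  if (consent !== 'granted') {
    win['ga-disable-' + GA_ID] = true;
    return { loaded: false, consent: consent };
  }
  win['ga-disable-' + GA_ID] = false;
  win.dataLayer = win.dataLayer || [];
  // gtag() must push the arguments object itself, as gtag.js expects.
  function gtag() { win.dataLayer.push(arguments); }
  gtag('js', new Date());
  // anonymize_ip: Google zeroes the last IPv4 octet (last 80 bits of IPv6)
  // before the address is stored or used.
  gtag('config', GA_ID, { anonymize_ip: true });
  loadScript(GA_SCRIPT);
  return { loaded: true, consent: consent };
}

// Opt-out after the fact: record the refusal and stop any further hits.
function withdrawConsent(win, storage) {
  recordConsent(storage, false);
  win['ga-disable-' + GA_ID] = true;
}
```

In a real page, `loadScript` would append the gtag.js `<script>` tag to the document and `storage` would be `window.localStorage`; the banner calls `recordConsent` and then `initAnalytics`.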
The GDPR was created to protect users. So if companies want to continue doing business with them, it’s important that they learn how to be compliant. It may be a hassle right now, but the configuration work will be worth it in the long run.
Of course, if your target audience is well outside Europe, you might try to block your content from being shown to people in the European Union. However, this is bad for user experience, which Google has already said through its authorized representatives, and it might be penalized in some way in the future.
It’s not yet clear whether or how that will happen, but the general recommendation is to invest time and money into making your website GDPR-compliant. After all, the world is becoming a smaller place, and isolating your business from the larger audience might prove to be the biggest mistake you make today.
Great, the previous fines were ridiculous. 20 million sounds like a good start. But why not just pass laws that forbid companies to sell any personal info? They shouldn’t be allowed to make money by spamming people or causing credit card info or identities to be stolen.
Thank you for the information on how to be in pretty good shape for being GDPR compliant. It was interesting to read through your blog post.