Why You Can’t Ignore the GDPR Privacy Law, Even if You’re Not in the EU

Watch my video tutorial first for an overview of the four steps.

If you collect email addresses or sell a product, service, or program, you’ll most likely need to make significant changes to the way you collect and process people’s personal data.

That’s because of a law that goes into force May 25, 2018, called the General Data Protection Regulation (GDPR). This European Union (EU) law relates to anything you do with the personal data (such as names, email addresses, phone numbers, mailing addresses, IP addresses) that you collect from people.

It applies to information you collect through pretty much any method, such as email opt-ins, quizzes or surveys, and phone calls.

But I’m not in the EU. Why should I care?

Even if you are in the US or other non-EU country, the GDPR is probably going to impact you, particularly since the law applies to existing email lists as well as to information you collect after May 25.

If you have even one EU customer or current subscriber to your list, you won’t be allowed to use any data you have that is subject to the GDPR as of May 25, 2018, unless you can prove a lawful basis to use that data.

In this article, I’m summarizing key points of the 261-page law that pertain specifically to email marketing, gleaned primarily from two sources:

Bobby Klinck’s free 3-part video training. I highly recommend that you sign up for Klinck’s training: How to comply with the GDPR before the deadline and without the hysterics. Klinck, an intellectual property attorney, thoroughly overviews the GDPR’s requirements, explains how to build your email list in a GDPR world, and reveals what to include in your Privacy Policy. His information is detailed, clear, and he speaks in plain English.
Suzanne Dibble’s Facebook Group, GDPR For Online Entrepreneurs (UK, US, CA, AU). Suzanne is a business lawyer and data protection expert in the UK. You can also sign up for her free 6-page GDPR checklist.

Disclaimer: This article is for informational purposes only, and you should not consider it legal advice. Nor is this information a comprehensive, definitive overview of the GDPR. Please seek legal and other professional counsel to determine exactly how the GDPR might apply to you.

Why You Can’t Ignore the GDPR Privacy Law, Even if You’re Not in the EU | BloggingBistro.com

Who does the GDPR apply to?

If one or more parties is in one of the 28 EU Member States when you’re interacting with them, the law applies.

For example, if you are in the US and you have an email subscriber who lives in the EU or you offer a product or service to them (even a free one), the GDPR applies to you.

I know that 75% of my subscribers are in the US, and I know that less than 1% of them are in the EU, but I’m not sure about the other 24%. I’m taking the necessary steps to get GDPR-compliant consents from my EU and “unknown location” subscribers, and to update my email opt-in forms and privacy policies before May 25.

How to collect, store, and secure data under GDPR

Transparency. The focus of the GDPR is to collect data in a transparent manner… to be up-front about why you’re collecting the data and the specific purpose for which you’re using it.

Necessary. According to the law, you must limit the data you collect to only “what is necessary” for your purpose. When you ask someone to sign up for your email list, for example, all you really need is their email address and maybe their name. So don’t require them to enter their phone number, mailing address, birthdate, pet’s name, etc., unless you absolutely need it.

Sensitive Data. There are even higher standards for collecting and using sensitive information you gather from surveys and quizzes, such as racial or ethnic data, religious or philosophical beliefs, political opinions, trade-union membership, and genetic or biometric data.

Erasure. If you’re not using a person’s data anymore or someone requests to be deleted, you must completely delete their data from everywhere you store that person’s info. That includes spreadsheets onto which you may have transferred their data, custom audiences you may have uploaded to Facebook’s Ads Manager, etc.

Security. You also have to take reasonable steps to keep the info you collect secure (such as password-protecting the data you store).

Action steps for non-EU people

Segment your mailing list by location, into people in the EU (including those whose location is unknown) and outside the EU. For assistance segmenting your list, contact your email marketing provider’s Help Desk.
Before May 25, send an email sequence (also called a re-engagement campaign) to list members in the EU and in unknown locations and ask them to consent to continue receiving your emails. In your campaign, including enticing reasons for why they should want to stay on your list.
Before May 25, remove anyone in the EU/Unknown segment of your list who has not given consent.

Get explicit, affirmative consent from subscribers

This is the part of the law that’s going to change the way most of us collect email addresses for our lists. Typically, we offer a lead magnet (some sort of free resource) in exchange for an email address. When someone signs up for our freebie, we automatically add them to our email list and they begin to receive our welcome campaign, e-newsletters, blog posts, podcast episodes, and other stuff we send them.

Under GDPR, we can no longer add people to our general email list when they sign up for our freebie, because the ONLY thing they’ve consented to is getting our lead magnet.

As Pooh would say, “Oh, bother!”

Here’s another catch:

We can’t require them to join our general list as a condition for getting our freebie. We have to be willing to give them our freebie without them agreeing to subscribe to our email list.

If we want them to get the freebie and subscribe to our general email list, we need to provide them with a stand-alone means of freely giving consent.

How to get affirmative consent

On your opt-in form(s), explain exactly how you’ll use a person’s data. If you plan to use their data for multiple reasons, you must disclose all those purposes.

For example, if you send out a weekly e-newsletter, 3x weekly blog posts, and occasional promotional messages, you must explain on your signup form that subscribers will receive all of those things.

The subscriber has to take an affirmative action such as clicking a tick box or dropdown menu on your opt-in form where they can say “yes” to joining your general email list in addition to getting your freebie.

A word of caution about tick boxes

If your signup forms include tick boxes, the boxes can no longer be pre-checked. Subscribers must indicate “affirmative consent” by checking the box(es) themselves.

On your opt-in form, make it clear that the subscriber will get your freebie whether or not they sign up for your general list.

Take Action

Think about the specific value you offer to your list subscribers, separate from the freebie you give them. Draft promotional text that sells people on the value of being on your list.

Review your signup forms. Add language that clearly explains:

How you will use a subscriber’s data
What kind of content you will send them
How often you will send it

Add a way for the subscriber to affirm their consent to subscribe to your general email list.

Example:

Would you also like to receive weekly emails that contain latest blog post, marketing tips and tutorials, information about free trainings and other free resources, and promotions for my online courses?

An example opt-in form that Bobby Klinck uses:

Note the unchecked tick box next to Bobby’s hyperlinked affirmative consent statement:

I agree that you may handle my information as set out in your Privacy Policy.

In the text of the email in which you deliver your freebie, explain the benefits of joining your general list and invite them to opt in.

On your lead magnet itself, promote your general list and include a clickable link that allows people to opt in.

Update your privacy policy

The purpose of your Privacy Policy is to inform people in the EU of certain information at the time you collect it.

California law also requires you to disclose a lot of the same info, so trust me on this and create a Privacy Policy if you don’t already have one!

Items to include in your privacy policy:

The identity and contact information of your company (aka, you!).
The type of information you collect from subscribers, customers, and/or clients
The reason you collect this information and the legal basis for collecting or processing it
- Disclose that you collect the information so you/your company can perform the services subscribers ask you to perform.
How you store and use the data, including third parties that might get access to the data
- List categories of the types of people who might get access to the data, such as sub-contractors, vendors, or affiliates.
The period of time for which the data will be stored
Notification of the person’s right to request access, rectification, and erasure of their data
Notification of the person’s right to withdraw consent at any time
Notification of their right to lodge a complaint with a GDPR supervisory authority
Whether there are statutory or contractual requirements for providing personal data.
- Your Privacy Policy can state something like, “We will not require you to provide any data beyond what is required for the purposes of completing a contract.”

Sample privacy policies

If you need to craft a privacy policy, don’t attempt to cobble one together based on someone else’s policy. You might not cover everything, or you might create a policy that’s not GDPR-compliant.

Still, I know you’re going to want to see examples of privacy policies to get ideas for what you might include in yours. Here are three I found:

Take Action

Create or update your privacy policy and publish it on a stand-alone page of your website.
In your website’s footer, link to your privacy policy.
Link to your policy in any other places where you collect data, such as:

landing pages
sales pages
webinar registration pages
event registration pages
thank-you pages
pop-up forms
opt-in forms
in the email where you deliver your freebie

Here’s an example of a Privacy Policy link on Suzanne Dibble’s opt-in form. (Note her tick boxes, too.)

Need some hand-holding?

If you need guidance working through how GDPR applies to your email list and opt-in forms, schedule a one-hour pre-paid coaching session with me. (Keep in mind that I am not a lawyer; I will share practical advice that I’ve gleaned from my research.)

If you need more extensive help with the tech updates, contact me and I’ll work up a custom estimate for you.

Resources

Countries in the European Union (EU):

Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and *the UK.

*The UK is leaving the EU as of March 29, 2019.

Podcasts

Amy Porterfield: GDPR for entrepreneurs: What you need to know

Amy’s guest, Bobby Klinck, an intellectual property attorney, succinctly walks you through the most important points of GDPR, and the show notes give an excellent overview, as well. Transcript available for download.

Rick Mulready (The Art of Paid Traffic): Episode #188: GDPR: Everything you need to know and how to ensure you’re compliant

Rick’s guest, Suzanne Dibble, a business lawyer and data protection expert in the UK, gets very granular with the myriad things we need to know about GDPR. While I found the information helpful, my blood pressure rose a few notches as I attempted to ingest the plethora of info.