You might have seen the term ‘GDPR’ across the web a lot lately… but what is it? You might know that it has something to do with data and something to do with Europe, but if you’re like a large percentage of small businesses, you’re not really across what it is yet.
Essentially, if you’re a company anywhere in the world (even Australia!) and you work with customers in the European Union, or you just have site visitors from the EU, you need to pay attention and comply with the law.
This post is my understanding of the essentials that small businesses need to get across for GDPR for their digital marketing. However, GDPR isn’t just about digital marketing, it’s also about data security, so I recommend you check out some of the other resources online to make sure you’re compliant.
There are great summaries online for small business, there’s the GDPR website, or you might just want to talk to your friendly neighbourhood lawyer. I am not a lawyer, and this is my understanding of GDPR, so if you want to dig deeper into other resources across the web and consult a legal expert, I recommend you go for it.
So…what is it the GDPR?
GDPR stands for General Data Protection Regulation. It’s a new law from the EU to regulate how personal data is handled and it kicks off May 25th, 2018.
In short, It’s giving individuals more control of our personal data – we choose who has our data and what they can do with it.
So for your business, you need to help your customers the understand why you’re tracking them, what you’re doing with their data, the right to opt-out and the right to have their data deleted.
Oh, and there are some pretty massive fines if you don’t comply.
This is a pretty great overview:
Is this even relevant to me?
If you have customers or website visitors in the EU, you need to comply with the new legislation. Big businesses (over 250 people) need to get pretty serious with their record keeping, but smaller businesses don’t need to be as detailed – and, to be honest, probably use third-party tools to manage that data (for example, your email newsletter provider), but you are still responsible for ensuring that they are on top protecting that data.
Here’s a little flowchart I’ve created to help you think about it:
What you need to be across
In terms of your digital marketing, there are a few things you need to be across in terms of what customer data you have access to, and giving your users the right to consent. (There’s also more to do with data protection, but I’ll just be talking about the marketing stuff here.)
What are you tracking?
For many of us, the customer data we are tracking will come down to two things: your email newsletter, and your online ad retargeting (ie. your Facebook Pixel if you have one).
So let’s jump into these in more detail…
Mailing Lists or Newsletters
Australia has some pretty ace laws around the email spam already, so if you’ve been a good little digital marketer, you should already be fairly compliant with GDPR. Hooray!
The highlights of GDPR for your email list are:
a) Ensure people have explicitly consented to be on your list and you have a record of it (For example, they have signed up on your website (ie. given consent). Your email provider will have proof of this.)
b) If you think you have people on your list who haven’t consented, then you will need to get consent before May 25th 2018. (If you’ve added people to your email list when they’ve given you their business card, or you have bought an email list, they probably didn’t explicitly state they wanted to be on your newsletter. Email your list asking for everyone to opt-in to your emails now as it also applies to existing people on your list.)
c) You need to give people the option to unsubscribe from your list, such as in the email footer. This is a default for all good email providers, many of whom won’t let you send an email without this.
The new thing that many businesses may need to update on their website is that when people sign up for your email list, they need to give explicit consent to be on your list.
Now, many of us use lead magnets to grow our mailing list, where we send an amazing free resource in exchange for an email address with a fast-and-loose caveat of ‘by getting this resource, you’re also signing up to our email list’. Now, there is no grey area: you need to get consent to add the user to your email list.
Many email providers like Mailchimp are providing tools to update their signup forms, so you may need to update your website to include a checkbox to allow explicit content. If you use a plugin with your WordPress site to get signups, see if your plugin provider has updated it for additional GDPR consent.
For those of you doing B2B sales, this blog post is a great read which covers a few more angles of email marketing which might you might want to be across:
- consent for email automation or multiple lists
- 1-to-1 cold emails are fine
- if you have a website form asking for a demo, you need to justify what data you’re asking for and why
GDPR To Do Item: Ensure everyone on your email list wants to be on your list, and there’s an easy option for them to get off your list. Ensure new subscribers explicitly consent to joining your list with a checkbox.
Ad Retargeting (or tracking users with the Facebook Pixel)
Online ad retargeting is a little bit of a tricky one, because the responsibility to inform the user of tracking lies with whoever owns the data (or, in GDPR lingo, the ‘data controller’ vs the ‘data processor’). So, informing the user sits with different parties based on the type of retargeting.
For example, if you are sending ads to people based on your personal email list, you are responsible for that data. But if you’re sending ads to people based on their online activity on a social network (ie. people who Like your Facebook Page), then Facebook has responsibility for that data.
So – a quick rundown of who is responsible for different ad targeting, with a big hat-tip to this post from Blacktypedigital:
- Ads to people based on website visits – you need to tell your users
- Ads to people if they are on your mailing list – you need to tell your users
- Creating a Facebook Lookalikes audience based on a contact list or website visitors – you need to tell your user
- Ads to people based on social media activity i.e. Page Likes – Facebook needs to tell them
- Creating a Facebook Lookalikes audience based on activity on Facebook (i.e. people who RSVP to a Facebook event) – Facebook needs to tell them
Hopefully, you get the idea – if you have the ‘raw’ personal data with people’s info, you’re responsible for telling your users about what’s going on.
Okay, so if you’re using any retargeting pixels and running ads with them, you might be asking how you now need to ‘ask for consent’? Well, you might have noticed a little pop up on websites across the web lately where websites are telling you that you’re tracking them. They are called “cookie consent” boxes.
They are a little pop up that asks users to consent to being tracked, and look a little something like this:
These cookies consent boxes look pretty different for different sites, sometimes they are a pop-up, sometimes a whole page. If you’re going down the pop-up road, IAB Europe has provided some sample text if you’re not sure what to put, especially if you’re serving ads on your site, too:
So, cookie consent boxes have been around for a long time, but the big change with GDPR is that it’s not just about letting users know that you’re tracking them, it’s that users now have the option to opt-out and refuse to be tracked.
GDPR To Do Item: Set up a pop up for your users to choose whether or not they consent to you tracking them with cookies, and they can choose to not be tracked.
Now, of my favourite parts about the GDPR is that privacy policies must be in ‘plain english’. Or, as I like to think of it: something your Mum could understand.
The GDPR lowdown
So, from the digital marketing side of GDPR, there is a little bit of work if you’re a small business, but, to be honest, it can be done and dusted in a couple of hours. I recommend you check out the full set of GDPR regulations and how they apply to small businesses, because there are a few more things that you need to be across in terms of data security and documentation.
My digital marketing checklist for the essentials for GDPR includes:
- Ensure everyone on your email list has explicitly stated they want to be on your list, and there’s an easy option for them to get off your list.
- Set up a pop up for your users to consent, or not, to cookies and online ad retargeting.
I know it can seem like a lot of work to get across GDPR, but it’s all for a bigger, more important cause of data transparency, autonomy and consent across the internet. And that’s a checkbox I’m sure we’d all agree on!
About Rachel Beaney
Rachel Beaney is an Australian freelance social media specialist with over a decade in digital media. She’s worked with global names like Microsoft, Samsung, News Corp and General Assembly, in addition to not-for-profits and government bodies. She loves helping clients solve their business needs with creative and data-driven solutions. Get in touch today to jump on a free consultation call to find out how Rachel can help you.