
Why U.S.-Based Companies Should Take GDPR Seriously
3 practical tips for marketers to comply
Does the U.S. need federal data protection laws like Europe's General Data Protection Regulation (GDPR) to protect consumer data privacy? Even though GDPR is not yet federal law in the U.S., marketers would be wise to follow its basic guidelines.
Let me share an incident that happened recently regarding collecting personal information about me without my permission.
I was browsing a major brand website looking to hire a property manager for a vacation rental. I did not enter any of my contact information. When calling the phone number posted (with a local area code) to speak with a salesperson, I was careful to use caller ID blocking before dialing. The phone was answered by an out-of-state call center. Providing only a nickname, I was able to get some basic questions answered, but there was a heavy push to obtain my contact info “so a licensed agent could call me back.” I declined, asked for the agent’s name and number instead, then ended the call.
A couple of hours later, I received a call from the agent affiliated with the company. She could not answer how my phone number was obtained after I explained that I had used caller ID blocking, and hadn’t provided my phone number to the call center. She was apologetic. I was disturbed yet intrigued.
Collecting customer data in digital form is the norm for marketers for all sizes of businesses. Customers may be asked to submit their information, or it might be mined from activities such as a website visit, phone calls or uploading images to the cloud, leaving a digital footprint.
You can assume pretty much everything you do in the digital world is trackable, because that data is of great value. An article in The Economist called personal data “the world’s most valuable resource,” ahead of oil, because of how much it now informs the way companies communicate with their customers and how it positively impacts customer experience.
Because personal data is so valuable, there have been legendary cases of data theft. In addition, issues related to privacy are becoming more serious. Consumers want to know how their personal information is being used and shared. More scrutiny is landing on how companies use data, sometimes without permission.

About GDPR and why it is important for U.S. businesses
When introduced in 2018, GDPR standardized a wide range of different privacy legislation across the EU into one central set of regulations that protects users in all member states. There is no equivalent to it in the U.S. There is a mishmash of state and federal policy that attempts to regulate the same issues, but there is no central authority to enforce them. However, GDPR still affects U.S. businesses.
GDPR requires companies to build in privacy settings and have them switched on by default. It also strengthens the way companies collect permission to use personal data and communicate about data breaches.
Most pertinent to U.S. companies, it is a legally binding regulation that protects EU customers, even if the company they are doing business with is based in the U.S. or elsewhere in the world.
GDPR also forbids buying customer lists, or scraping customer information from a website.
If marketers use automation, companies must verify that every person in the database has given permission to market to them.
Failing to comply has resulted in some hefty fines for global companies, including the more than $132 million fine dealt to Marriott over a data breach, and over $17,000 to Honda for sending an email asking for permission to send a future marketing email.
Have a small business based in the U.S.? Better check your contact database and see if you have any customers that are EU citizens. Two of my small business clients do.
How does GDPR impact marketing?
GDPR may seem complex, but there are only three key areas businesses must focus on: data permission, data access and data focus.
Here is an overview of each of these three areas:
1. Data permission
Data permission involves how opt-in permissions are managed. The way the regulation reads, consent must be “freely given, specific, informed, and unambiguous,” which is backed up by a “clear affirmative action.”
So how is that applied?
Simply put, a customer must physically confirm they want to be contacted, generally by them checking a box. The box cannot be preselected with a check mark.
Interesting side note: I have disputed two charges in the past from companies that pre-selected my acceptance to something and then billed me. One was AT&T, and the other was an employee screening service. In the first case, my credit card company took action against AT&T and got the charges removed. In the second, I asked for the charges to be removed directly and they were. Also, as a website designer, I have been asked to change website shopping carts for the same reason, giving people a choice rather than preselecting their opt-in. Point being, even if not illegal yet in your state, this is not a good practice.
Along these same lines, if you have a referral program, where a current customer provides the contact info for a friend or associate, under GDPR you can only send an acknowledgement email to the friend, where they can take the initiative to find out more information. You cannot send marketing communication to the referee’s email address.
2. Data access
The Right to Be Forgotten may be one of the most unusual and talked about aspects of the GDPR. Basically, it gives people the right to have outdated or inaccurate information about themselves removed. Companies such as Google were forced to remove search results pages to comply.
With GDPR, people have more control over their own personal data, including the ability to access and remove it. Marketers in the U.S. should be ensuring users can access their own data and make updates or deletions.
Try this: Google your own cell phone number and see if your personal information appears in search results.
The Right to Be Forgotten practice is not as complicated to apply as you might think. If you are sending out marketing, hopefully you are already including an unsubscribe button. This could link to a customer’s profile where they can manage email preferences and make updates to their information.
3. Data focus
With the vast amount of information that can be gleaned about a person from the internet, it is fairly easy for anyone to learn about you and create a complete profile. The third key element of GDPR is only collecting the information we need as marketers. If you are selling clothing, collecting size information and color preferences can be justified, but favorite hobbies are a stretch.
Focus on the critical information and let go of the “nice to have” data.
Final thoughts
A study by TRUSTe/NCSA found that 92% of online customers cite data security and privacy as a concern. Most customers do not trust brands to use their data responsibly. Since there is a clear disconnect between consumers and companies over data use, it should be a signal to U.S. companies to improve security and privacy measures, even if there is not yet an overall federal policy like Europe’s GDPR.