Whilst we’re all bracing ourselves against a steady bombardment of privacy change emails and consent forms, the General Data Protection became law last week, representing vast changes in requirements around data collection, handling and privacy.
Reaction to these new requirements has reached a fever pitch recently, with information and misinformation doing the rounds on business blogs, forums and social media. Although we’ve all had a number of years to get to grips with what the GDPR actually means for the running of our business, there is still a lot of confusion around the actual implications on digital marketing activities post regulation. Amidst this confusion we’ve listed the top five things we see businesses doing wrong in response to the new requirements.
Some of these unnecessarily reduce the effectiveness of a companies marketing activities, whereas others more seriously breach the new data laws.
1. You can’t email anyone without their consent any more
We’ve seen lots of panic in the business community around not being able to send B2B marketing emails any longer. There’s lots of advice on various forums to never cold email businesses or utilise any business contact databases. This simply isn’t true.
The GDPR does not specify around the handling of B2B data however a separate piece of legislation, the Privacy and Electronics Communications Regulation did. Under this piece of legislation it suggests that it is acceptable to use a soft opt out approach for existing customers. In terms of direct marketing an opt out is suitable. As long as you include an unsubscribe link, relevant email topic, avoid spam and your contact has a reason to be interested in your services, you’ll be compliant.
Yes, if the email is clearly a private email (e.g. email@example.com) then you certainly want to steer clear. B2C data handling adheres to a more rigorous standard and you therefore don’t want any confusion around whether your contact is an individual rather than a company.
Keep an eye out on this one though as the PECR is also being overhauled in line with GDPR laws.
2. You can’t track your website usage without consent any more
You might have had a little panic about how you were going to be able to track and monitor your website usage following the introduction of the GDPR.
By default, Google Analytics collects IP addresses, a piece of data that is now classed as personal information. Leaving your tracking code as it is without giving users the opportunity to consent or opt out of this data collection is indeed within breach of new GDPR laws. One option would be to give users the opportunity to block Analytics cookies unless they consent to their IP address being captured. This isn’t ideal however as it’s unlikely that many visitors will opt in. Either way you’ll never get an accurate analysis of your website unless 100% of your users do this.
Fortunately by amending your tracking code you can anonymise IP addresses within Google Analytics. Without any personally identifiable information being captured, you can use Analytics cookies without the consent of the visitor as long as you notify them. We covered how to make your website GDPR compliant in a previous post, including how to make this amendment to your code. View it here.
3. You have to delete all your existing data or seek consent again
Just like everybody else, we have been sent dozens of emails from companies looking for us to opt in to their marketing lists, newsletters and other communications. If you’re wondering whether you should be doing this as well, it all depends on how you received this contact information in the first place.
You only need to gain new consent or delete your existing data if is was collected in a way that wasn’t GDPR compliant. For instance:
– You had a pre-ticked consent box on your checkout page
– You added people to your email lists as they contacted you for something else
– You collected emails in exchange for a free resource but did not notify people they were signing up for your newsletter too
These would all be circumstances where you now need people to consent again to receive information. These are a few examples of collection of information that is in breach of the new regulation.
If you received email subscribers by people opting in to your newsletter, knowing that this is what they were subscribing for – you’re fine. If they originally bought a product for you and actively consented to be listed in a mailing list – you’re all good!
4. Sending a consent email that presumes consent
Oh how amazed we are every time we receive a privacy change or consent email that includes the message: “if you don’t do anything we’ll assume you consent to the handling of your information”. We’ve come across a few of these over the past couple of weeks and they aren’t sent from small businesses!
This approach directly breaches new GDPR requirements around gaining consent that is “freely given”. If you have any similar language or approach to the way you are seeking consent, get a refund from your legal consultant and do a bit more research.
5. I don’t sell to the EU so I don’t need to bother with the GDPR
The GDPR is far reaching and every business no matter how small is effected. If you are either based in the EU or based outside but serve EU customers you need to comply with the new requirements.
Got any questions?
If you’re still a bit perplexed about anything GDPR related we’d be happy to help. Just get in touch.
Disclaimer: This article was prepared by Liam Pedley as non-authoritative guidance. Neither Liam Pedley Design or the author accepts any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.