Digital marketers share responsibility for preparing for and upholding General Data Protection Regulation (GDPR) compliant practices.
User transparency and consent law in 2018 is no longer just about topics like refusing a chemical test or breath test to keep Minnesota’s roads safe, nor about obtaining a medical patient’s permission to use photography in marketing or obtaining consent in user research. Ethics may also be legal obligations when respecting users’ rights. It is now more about how you collect Internet user data, how you will use it to market better, and how you manage users’ requests about the use of their data. GDPR user transparency and customer consent requirements are being better defined, and that is a good thing.
It is about respect for persons. Today, privacy is a right. Users are autonomous when searching on the web. We have long known that Google returns “(not set)” data in Google Analytics reports.
A lot of great questions are surfacing. Is this GDPR talk just hype? Will users put up with it if they go to my website and face new privacy terms to agree to? What should I do and what must I do as a US small business to take data protection seriously? Larry Downes, Project Director at the Georgetown Center for Business and Public Policy believes that user information collection and how it is used is becoming more expensive through GDPR and its progeny; regardless, most digital enterprises are finding themselves forced to accept it.
In anticipation of meeting better transparency and user choice requirements, we are participating in the digital media, advertising and analytics ecosystems’ collaboration on Transparency and Consent Frameworks to meet client needs.
We believe that businesses can make customer data transparency and trust a competitive advantage.
Do Businesses in the United States Need to Worry About the GDPR?
Providing transparency and user choice ensures that users know, understand, and consent to the data collected.
The New York University of Law states that “Also important to note is the possibility that, because these definitions—particularly the definition of personal data—are specific to the EU and the GDPR, U.S. companies may be less familiar with their scope and contours.” To address levels of awareness, it also states that “U.S. organizations that handle even small amounts of EU personal data may be surprised to find themselves subject to the GDPR and need to take steps to bring themselves into compliance before the regulation goes into effect.”
“The European courts have a strong relationship with the United States government and much of the GDPR is bound to international law.”
While there are no actual policies in place to deal with specific GDPR measures, it is widely accepted that, due to long-standing levels of official cooperation between both U.S. and EU data protection authorities, the U.S. will support any cases of GDPR infringement made against American corporations.
The result is that if you are found to be in breach of GDPR, penalties will be levied against you. If you fail to meet the demands of the European data protection authorities, the U.S. government will enforce the ruling. The bottom line is this: You cannot hope to avoid the impacts of GDPR by sheer distance between your company and the governing body enforcing the new regulations.” – Russell Smith, chartered accountant (https://www.business.com/articles/what-is-gdpr/)
A few foundational terms used to understand what GDPR compliance means:
“Personal data” broadly means “any information relating to an identified or identifiable natural person.” “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data.” The “right to be forgotten” concerns an individual’s right to have their personal data eradicated and to prevent further processing in certain circumstances. “Data minimization” is the practice of restricting the collection, storage and use of personal data, with simplified disclosures of the purpose and reasoning for which the data is processed.
Since the GDPR mandates that the same user data safeguards be carried over to “onward transfers,” that is, transfers following the initial third-country transfer, meeting the transfer requirements may be critical for any organization further down the chain.
“The GDPR not only applies to organizations located within the EU, but also to all organizations processing and holding the personal data of any individual in the EU (citizens, residents and visitors) as well as EU citizens living abroad, including all organizations processing and holding the personal data of these individuals, regardless of the organization’s location.” – Baker Tilly
“More directly, users will be barraged with interruptions to the flow of their online lives, forced to review, decide, and reconsider each element of information they enter. In economic terms, every new mandatory disclosure, user control, and privacy “dashboard” introduces transaction costs into interactions that previously didn’t have them.” – Harvard Business Review
Keeping Business Advertising Practices in Check
According to IMDEA Networks Institute’s March 14, 2018 article titled Raising Transparency in the Online Advertising Ecosystem, the “online advertising business, led by companies like Google or Facebook, generated over $200 billion revenue in 2017, with a year-over-year growth over 15%. This online advertising explosion is raising serious data privacy concerns”. Dr. Arturo Azcorra, IMDEA Networks Director, describes how advertisers shadow and track users as they browse websites, perform web searches, visit social profiles, or watch movies. Many stockpile a profile of each individual based on such activities.
The regulation aims to reduce data breaches by enforcing its new privacy rules. One of the more complex tasks of a digital marketer is to understand each third-party service provider’s user privacy stance, or its ignorance of the GDPR.
The General Data Protection Regulation requires vendors acting as Controllers to make disclosures to end users. Clearer privacy-related disclosures to users are actually a watershed chance to engage with your customers and build trusted relationships. When data is collected, it should be done in a transparent manner while simultaneously offering users a reasonable value-added factor in return.
Key GDPR Compliance Action Plan for Readiness
- Improve Ad Choices support; display business logos on all ad units.
- Adopt the IAB’s Transparency & Consent Framework for obtaining user consent.
- Make it easy for readers to opt out of personalized business recommendations and communications.
Multiple webinars, events, and even entire conferences are currently devoted to this topic in the United States and globally, so, at this point, there is no excuse for your business not getting educated. Conduct a simple search on the topic to find events that you can attend. Learn along with others how to meet critical GDPR implementation checkpoints and what is involved in better user transparency.
“Legal Disclaimer: Due to the dynamic nature of websites, no single step or one plugin can give your business 100% legal compliance. Please consult a trusted internet law attorney to decipher if you are in compliance with all applicable US laws for your jurisdictions and unique use cases. Our efforts are to build awareness and offer helpful insights. Nothing on this website should be considered legal advice.”
Brief GDPR Overview
* The first GDPR proposal surfaced in 2012. It was generated in response to the need for better data protection law than the 1995 European Data Protection Directive, which had moved much-discussed data protection policies into enacted law. As with many new regulations, the need for an improved and more comprehensive law quickly became evident.
* In our ever-more global world, European markets indicated their protectionism in EU technology policy with the March 25, 2015 release of the plan for a “Digital Single Market,” and more recently with announcements of new taxes for U.S.-based internet companies and continued antitrust complaints by EU regulators.
* On March 7, 2018 an easy-to-download PDF version of the draft Transparency & Consent Framework was posted on GitHub for public comment.
* On April 9th, the Harvard Business Review brought this home to business owners in the United States. It says, “In the U.S., lawmakers are now circling waters bloodied by revelations regarding potential abuse of Facebook’s social media data, with CEO Mark Zuckerberg scheduled to testify on Capitol Hill this week about the “use and protection of user data.” Facebook’s woes, following continued reports of major data breaches at other leading companies, have amplified calls for GDPR-like legislation in the U.S.”
With the GDPR compliance deadline of 25 May 2018 approaching, your business can get prepared and avoid last-minute, panicky compliance efforts.
* Technology advancements mean that websites can transfer data faster than ever, outstripping many businesses’ understanding of user data privacy issues on social media platforms. Facebook, foremost, has faced interrogation; its Chief Executive Mark Zuckerberg squirmed under tough questioning during recent congressional testimony, largely because American lawmakers were poorly versed in how the social network functions.
* Come May 25, 2018, the General Data Protection Regulation will take effect, and will look to change the way EU and US business owners handle data control and user protections on the internet for the foreseeable future. This regulation is seen as addressing one of the biggest issues on many websites; it requires better user information and private data management and accountability.
“While there have been a lot of alarming headlines about GDPR, mainly that the fine for non-compliance with GDPR regulations is equal to 4% of annual global revenue or €20 million, remember that this is the maximum fine, and will likely be reserved for repeat offences.” – Aaron McKenna, Managing Director, Digital Marketing Institute, The Definitive GDPR Checklist for Marketers, April 5, 2018
Small Businesses are Targeted in over 50% of Data Breach Attempts
As we look at user permissions and talk to the clients that Hill Web Marketing serves, the questions that come up from small businesses are typical: “Does GDPR really require an explanation of machine learning algorithms?”, “What user data do we track?”, “Do we need tracking anyway?”, and “Why would a small business need to worry about potential data issues?” They are great questions. No business wants to deal with fines and the bad publicity that comes with data breaches, and the news has been full of them. People are global, and so are our URLs. We have worked hard to structure our URLs for the greatest global impact, meaning brands extend beyond US shores to individuals and possible searches in the European Union.
Marketers have long relied on predictive analytics to qualify leads and to align marketing spend with consumer preferences, activities, and geo-location. The means to maximize advertising dollars come from the insights gained from user data. What is changing is the intensity of focus on big data in medical search, and on the law around keeping customers’ information secure.
Profit-driven marketing must center around the best messages to users without leaving them vulnerable to unwanted data collection. One of the most manually intensive requirements of the EU General Data Protection Regulation (GDPR) that ripples over to US businesses is documenting compliance.
According to Joseph Steinberg at inc.com, “someone attacking a small business is much less likely to get caught, arrested, and punished than someone who attacks a large business. Criminals know this”.
Understanding the General Data Protection Regulation (GDPR)
How to get clear about, and avoid the likely misconceptions about, the rules and best practices for protecting consumers’ personal data uploaded to the cloud market:
According to Timothy Morey, consumer trust is key to leveraging personal data in an increasingly connected world. Consider GDPR “compliance” as a means to an end rather than obedience to a clearly defined legal rule, like a 65 mph speed limit. What remains challenging about much of the GDPR is the uncertainty that remains, which is why we see such a wide range of approaches to implementation and compliance. Keep the goal in mind: it is to protect consumers’ personal data.
For a fair comparison of how much consumers value their data, Timothy Morey and the Harvard Business School participated in a conjoint study to determine what amount survey participants would be willing to pay to safeguard various types of data. (They used purchasing-power parity rather than exchange rates to convert all costs to U.S. dollars.) Though the value assigned varied widely among participants, a median price per country, for each data type, was established.
Some folks are adopting the approach that adherence to the GDPR should be left to the lawyers. What is clear to digital marketers is the message: “You should deploy security measures everywhere you engage/track users.” While the aim is to keep hackers and the myriad data thieves away, the specific ways to achieve that are left up to you and your business.
Adherence to the GDPR is a needed form of “risk management 101”. It applies whenever your company creates new policies, buys new software, or forms new approaches to reduce the risk of leakage or misuse of personal data. More sensitive types of data such as health histories, financial information, and sensitive communication records merit more consideration. In fact, according to Morey’s work with the Harvard Business Review, “97% of the people surveyed expressed concern that businesses and governmental organizations might misuse their data. The more trusted a brand is, the more willing consumers are to share their data”.
The May 2015 Customer Data: Designing for Transparency and Trust issue assesses the number of businesses still in the dark about data collection issues and the price the average US resident is willing to pay for additional data protection.
10 Marketing GDPR Compliance Responsibilities
2. Audit and improve opt-in consent processes, ensuring site visitors are actively opting-in for each way in which you wish to use their data and that consent is documented.
3. Educate marketing teams and sales departments about the new marketing consent processes and the importance of data privacy compliance, and which databases they are permitted to use for certain online sales and marketing activities.
5. Create a digital process for users’ freedom of information requests, striving to provide an adequate response within 30 days and assuring users that personal data can be expunged on request.
6. Prepare a crisis communication plan for a security breach.
7. Audit existing company databases for opt-in consent records for the way in which you decide to use that personal data.
8. Determine when consent has not been granted or recorded, and create communications to reach out to those individuals and ask for opt-in consent.
9. Businesses can ensure that an atmosphere exists so that freelance marketers can work with their internal IT departments to ensure that the right processes and procedures are followed and that third-party partnerships and vendors are vetted properly.
10. Businesses need to ensure that teamwork exists so that internal marketing staff, outsourced marketers, IT security and legal teams understand the right process and requirements for marketing’s infrastructure (stack) and ensuing third-party risk.
NOTE: You can expect that most digital marketing agencies will be auditing and adjusting their own levels of access to client databases, and requesting decreased levels of access to reduce their exposure to personally identifiable information (PII) or sensitive personal information (SPI). It is best to schedule routine, ongoing technical SEO audits of tracking pixels and of all forms that collect data.
Web Forms that Collect Customer Personal Data
- Registration for an event
- Request for a download or brochure
- Request for timed coupon or offer
- “Following May 25th, you will be unable to receive your monthly newsletter unless you re-opt in. For those who do not re-opt in, we will be sending a reminder email leading up to May 25th.” – Hover email communication
- Termsfeed: “You can visit our website without giving away your personal information. Our business uses Google Analytics and Cookies in order to improve our service and the user experience and to analyse how the website is used. Aside from the approximate location (IP address), the information collected by Google Analytics is mostly anonymous traffic data including browser information, device information, and language.”
- Cloud security concerns – While adoption of cloud computing is escalating, security and consumer transparency concerns are showing no signs of declining. 9 of 10 cybersecurity professionals confirm they are concerned about cloud security, up 11 percentage points from last year’s cloud security survey. The top three cloud security challenges include protecting against data loss and leakage (67%), threats to data privacy (61%), and breaches of confidentiality (53%).
- Most significant threats to cloud security – Misconfiguration of cloud platforms jumped to the first spot in this year’s survey as the single biggest threat to cloud security (62%). In second place is unauthorized access through misuse of employee credentials and improper access controls (55%), followed by insecure interfaces / APIs (50%).
- Cloud Security Concerns – As more workloads move to the cloud market, cybersecurity professionals are increasingly aware of the challenges to protect these workloads. The top three security control challenges security operations centers (SOCs) are burdened with: visibility into infrastructure security (43%), compliance (38%), and setting consistent security policies across cloud and on-premises workspaces (35%).
- Limits of legacy security tools in the cloud market – Only 16 percent of organizations report that the capabilities of traditional security tools are sufficient to manage security across the cloud, a 6-percentage-point drop from the previous survey. Eighty-four percent say traditional security solutions either don’t work at all in cloud environments or have only limited functionality. Cybersecurity professionals are struggling with visibility into cloud infrastructure security (43%), compliance (38%), and setting consistent security policies across cloud and on-premises environments (35%).
- Means to better cloud security – For the second consecutive year, training and certification of current IT staff (56%) ranks as the most popular path to security compliance. 50 percent of survey respondents use their cloud provider’s security tools, and 35 percent deploy third-party security software to ensure the proper cloud security controls are implemented.
- Effective cloud security solutions – Encryption of data at rest (64%) and data in motion (54%) heads the list of the best cloud security technologies, followed by Security Information and Event Management (SIEM) platforms (52%).
- Cloud security budgets get bigger – Looking ahead, close to half of organizations (49%) expect cloud security budgets to climb, with a median budget increase of 22%.
- Separately, a publisher can use features in their AMP page that collect data on the publisher’s behalf. Because the publisher chooses the behaviors and vendor integrations on the page, the publisher is responsible for managing the compliance obligations that stem from those choices. Check out this post on how to implement user choice flows in AMP documents.
- A publisher may use a Google service (e.g. Google Analytics) on their AMP page and create an additional relationship between Google and the publisher concerning data. In that case, there are specific additional arrangements in place to cover the relationship between Google and the publisher with respect to that data and scoped to the Google service involved.
- The 60-Day Countdown to the GDPR Checklist by Zapproved (www.jdsupra.com/legalnews/ready-or-not-here-it-comes-the-60-day-46329/)
- The Definitive GDPR Checklist for Marketers from the Digital Marketing Institute (digitalmarketinginstitute.com/blog/05-04-2018-the-definitive-gdpr-checklist-for-marketers)
- All the GDPR resources marketers need, in one place from Econsultancy (econsultancy.com/blog/69825-all-the-gdpr-resources-marketers-need-in-one-place)
The GDPR pertains to any party inside or outside the EU who is marketing goods or services to, and/or tracking the user behavior of, any EU citizen. If your online activities involve the processing of their personal data, this ruling applies to you. Collecting someone’s personal data for a specific purpose has become commonplace and will need to adjust to comply with the GDPR, which stipulates that the purpose be more “specific and granular”.
What you can do:
2. Let them know that you will remove the data after the event has ended or the promotion has expired.
Requesting Internet User Transparency, Internet Privacy Ethics, and User Consent
Add a simple marketing permissions checkbox to all your website forms that users fill out.
Every business owner has the responsibility of knowing about and following the state consumer protection laws that apply to their business type. Likewise, on many social media marketing platforms and other third-party services, you will now need to indicate that you have read and accept their terms of service and privacy practices.
“Feel free to change your mind at any time and let us know by simply clicking the unsubscribe link in the footer of any email you receive from us. Learn more about our privacy practices by visiting our website. By clicking below, you approve that we may process your information and agree to these terms.”
Communicate Clearly and Be Transparent About User Data
In this case, over-communicating is better than under-communicating. Transparency builds trust and protects your relationship building processes. GDPR gives businesses in the United States the freedom to individually establish their own rules, processes, and timelines for data collection and storage, as long as they fall within the regulations. Let your followers and customers know how you collect email addresses for communication purposes.
Communicate that to your site visitors and customers.
Giving people the ability to opt-out of personalized recommendations and business communications is simply a polite and professional way of doing business. No one wants messages crammed into their mailboxes. Make your communications and data collections process seamless by allocating sufficient resources to accomplish it. Remember, going forward, anyone may request their personal data from you, at any time. And it will be up to your business to supply it.
Feeding this trend of invasive data tracking are consumers’ new smart, connected products, from fitness trackers to home systems to the GPS used by Google Maps, all of which gather and transmit detailed information. People are demanding to know more about the information businesses gather and to be given control of their personal data. It is clearer than ever that business communications should offer fair value in return for personal information. Transparency on how data is collected and used fosters trusted relationships and will earn ongoing and even expanded business opportunities.
Getting Your Google Analytics Ready for GDPR
Even if your business doesn’t have a physical office or a staff person living in the EU, these new data privacy regulations may have an impact on how you use Google Analytics.
Google has announced additional new analytics tools with the intention of helping businesses and marketing managers comply with data privacy regulations. These new features include a data retention setting and a user deletion tool. While they are not active until May 25th, it is a great time to get educated on the pending changes and learn how to use these Google Analytics features.
Survey predicts about 60 percent of companies will be compliant on time; many are unaware of the risks:
On April 23, 2018, London-based McDermott, Will & Emery released pertinent GDPR research carried out by the Ponemon Institute that announced that “40 percent of the companies surveyed will not be ready. The Race to GDPR: A Study of Companies in the United States and Europe surveyed a total of 1003 individuals: 582 in the United States and 421 in the European Union.”
Almost half (48 percent) of the companies surveyed say they will not meet the May 25 deadline though 40 percent expect to be in compliance after the deadline.
Forrester research released January 31, 2018, reported that 39% of organizations were still almost completely unprepared for GDPR compliance. The report also discovered concerns about over-reliance on IT departments to lead the charge within companies on GDPR compliance. 53% of the businesses surveyed reported that the Chief Information Officer was the ‘owner’ of their GDPR compliance program, whereas it is better to engage a lawyer who can assure businesses of the legal terms and that they are complying with their obligations.
How the GDPR May Impact SEO
For SEO and SEM professionals, the major impact that these new user transparency regulations will have will be on website email subscriptions, user insight data, and event registration services. Every business using the web will have to comply with new data protection policies by obtaining data consent. The technical aspects of this will need auditing, review, and updating.
Just how will become clearer in the next few months. For WordPress sites in particular, and those already migrated to Accelerated Mobile Pages, new functions have already been added to select plugins. Further testing will come.
A lot of questions are being asked as to whether this might impact web rankings, since we know the user experience will be affected by the data permission prompts that must be present to gain new user permissions. Time will tell how users react. Analytics is another area of SEO that is forced to update, as users must be told how their data will be leveraged in website analytics. Google is already rolling out numerous updates with more sure to come shortly; changes may ensue as to how SEOs use Google Analytics to improve online sales.
Key Takeaways from Cybersecurity’s March 26, 2018 Report
The security survey respondents see “cybercriminals as the biggest threat to sensitive data (60%), closely followed by accidental loss through employees (57%), and deliberate theft by employees (30%)”.
The 2018 cybersecurity report was produced in partnership with vendors Alert Logic, AlienVault, Bitglass, Cavirin, CloudPassage, Dome9 Security, Edgile, Evident.io, GoAnywhere, HelpSystems, (ISC)2, Securonix, and Sift Security.
What’s Included in Enhanced Consent Requirements
Before your business collects basic personal information online (email addresses, names, financial details, race, etc.), you need to obtain clear, unambiguous, affirmative consent. This is necessary under the new GDPR user transparency law.
Before collecting sensitive personal information (such as sexual orientation, health information, political or religious opinions, etc.), you need to have gained explicit consent. The best way to satisfy these requirements is to add checkboxes and use clickwrap in your UX web design.
While consumers may be upset by the data privacy breaches they read about in the news, many are oblivious to the fact that their own data is collected, and a surprising lack of knowledge exists about the specific types of information collected. The GDPR is improving awareness. The widespread expansion of smartphone usage has escalated data concerns. A mere 25% of users in 2014 indicated awareness that their data footprints included information on their geolocation.
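The consent rules above (one affirmative, unbundled checkbox per purpose, explicit consent for sensitive data, and a documented record, as the action plan earlier also calls for) can be enforced in the form handler itself. The following is an added example written for this post, not code from the original article or from any consent framework; the purpose list, field names and record layout are assumptions for illustration.

```javascript
// Added example (not from the original post): per-purpose, affirmative,
// documented consent for a marketing web form. The purposes, field names and
// record shape are illustrative assumptions, not any framework's API.

// Purposes are declared separately so consent is "specific and granular":
// one checkbox per purpose, never a single "agree to everything" box.
const PURPOSES = [
  { id: "newsletter", label: "Send me the monthly newsletter by email", sensitive: false },
  { id: "analytics",  label: "Use my activity to personalise recommendations", sensitive: false },
  { id: "health",     label: "Process my health information for tailored offers", sensitive: true },
];

// Render the form. Every checkbox is unchecked by default: a pre-ticked box
// is not affirmative consent. The policy version travels with the form so the
// record shows which wording the user agreed to.
function renderConsentForm(purposes, policyVersion) {
  const rows = purposes.map(p =>
    `<label><input type="checkbox" name="consent_${p.id}" value="yes"> ${p.label}</label>`
  );
  return [
    `<form method="post">`,
    `<input type="hidden" name="policy_version" value="${policyVersion}">`,
    ...rows,
    `<button type="submit">Save my preferences</button>`,
    `</form>`,
  ].join("\n");
}

// Validate a submitted form and build the record that documents consent.
// `fields` is a plain object of submitted field name -> value.
function buildConsentRecord(fields, purposes, policyVersion, now = new Date()) {
  const errors = [];
  // Bundled consent is not valid consent: reject any catch-all field outright.
  if ("consent_all" in fields) errors.push("bundled consent field rejected");
  // The user must have seen the current policy text, not an older version.
  if (fields.policy_version !== policyVersion) errors.push("stale policy version");

  const grants = {};
  for (const p of purposes) {
    // Only the exact "yes" the checkbox emits counts; a missing field or any
    // other value (e.g. "on" from a differently wired control) is no consent.
    const granted = fields[`consent_${p.id}`] === "yes";
    grants[p.id] = {
      granted,
      explicit: granted,          // true only because the user ticked this box
      sensitive: p.sensitive,
      labelShown: p.label,        // the wording the user saw, kept as evidence
      grantedAt: granted ? now.toISOString() : null,
      withdrawnAt: null,
    };
  }
  if (errors.length) return { ok: false, errors };
  return { ok: true, record: { policyVersion, recordedAt: now.toISOString(), grants } };
}

// Withdrawal must be as easy as granting. Mark the purpose withdrawn instead
// of deleting it so the audit trail of what was agreed, and when, survives.
function withdrawConsent(record, purposeId, now = new Date()) {
  const g = record.grants[purposeId];
  if (!g) throw new Error(`unknown purpose: ${purposeId}`);
  const updated = { ...g, granted: false, withdrawnAt: now.toISOString() };
  return { ...record, grants: { ...record.grants, [purposeId]: updated } };
}

// The check every downstream use of the data should make before processing.
// Sensitive purposes additionally require that the consent was explicit.
function mayProcess(record, purposeId) {
  const g = record.grants[purposeId];
  return Boolean(g && g.granted && (!g.sensitive || g.explicit));
}
```

A submission that ticks only the newsletter box yields a record where `mayProcess` is true for "newsletter" and false for the other purposes, and a later withdrawal flips it back to false while keeping the original grant timestamp.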
GDPR, User Transparency, and Google’s AMP Viewer
GDPR compliance questions about user interactions when using Google’s AMP Viewer spurred a response from Antje Weisser on the Google Product Forum as to how data flows in the hybrid environment of the Viewer.
The user data flow consequences she listed appear unabridged in the AMP points above.
Data collection is important. Resolving privacy tensions requires companies and policymakers to esteem the data privacy discussion beyond advertising use and the simplistic notion that we don’t need to worry about this in the United States. The nuanced guidance that includes guidelines that align business interests with their customers can ensure that both parties gain from personal data collection.
“The only conclusion you can reach when looking at such disparate survey results is that there is a world of confusion around GDPR. Even while I was sitting in a workshop about GDPR compliance at this week’s MarTech Conference, attendees were unclear about issues such as what is data (yes, it does include photos); can you bundle data (no); and what they needed to do to be in full compliance. The only thing we can say for sure is that May 25 is coming, whether companies are prepared — or not.” – Robin Kurzer on MarTech
“The GDPR’s definition of what personal identification information has a broad scope, requiring a high level of protection for a wide range of information. It also has an extensive reach, with many firms — particularly in the U.S. — not even aware they will be subject to the new EU regulations. The primary principle behind the GDPR is that it views personal data as the property of the individual, not data controllers or processors. It applies to all EU citizens wherever they may be situated and regardless of the organization’s location. Consequently, in today’s digital and global world, it’s almost impossible to avoid dealing with some form of personal data from the European market.” – Thomson Reuters
“[The trend toward a unified view of data privacy] has been percolating for years. It takes time for things to catch up. What GDPR is doing is forcing function. By pure chance, we have a seminal event that’s forcing companies to finally get it together. Because they’ll either be fined, or they’ll be dragged to Capitol Hill [to testify like Facebook Chief Executive Officer Mark Zuckerberg did earlier this month].” – Rob Glickman, Chief Marketing Officer at Treasure Data, Global SaaS Marketing Leader, Digital Transformation Executive
Wrapping it up:
Additional Resources on GDPR User Transparency:
We personally place the highest value on building and nurturing lasting relationships by being present and well informed. The data explosion creates a bigger need for personal integrity, a positive approach in the midst of increasing workloads, and being forward looking to enjoy the silver linings amidst evolving marketing complexities. Stay tuned in for addressing critical cybersecurity and privacy needs through the development, integration, and promotion of GDPR compliance.
Hill Web Marketing strives to stay educated and to help the marketing teams that we partner with, and give oversight to, understand the changes necessary to adhere to marketing consent best practices and the importance of these changes to each organization. As marketers, we love to inspire, motivate, and nurture teams by doing what’s right, not just what’s easy or expected. We are all familiar with the importance of tracking and learning from performance metrics that boost user engagement.
If you have questions or comments about how to ensure that your data collection is done properly and ethically, please leave a comment below and let’s chat further.
Schedule a time to talk with us about your Website Data Collections via a Technical Audit
NOTE: The information presented at this site should not be construed to be any form of legal advice. It is meant to educate and support online digital best practices. We have conducted more advanced research, sought professional advice, and attended more webinars than ever before prior to completing this post in a dedicated effort to offer complete and accurate information. Hill Web Creations LLC urges our readers, partners, and clients to ask their own business legal representatives for respective legal compliance obligations.