With GDPR being talked about so much, I thought I’d give a quick breakdown as to what this means and how it affects your business.

(Note: even if you’re a marketing agency, you can be held responsible for marketing done using data that is not GDPR compliant)

Let’s begin by answering “what is GDPR (General Data Protection Regulation)?”

It’s a European law taking effect on May 25, 2018 which essentially says that we are all global digital citizens and we should all own our individual data. Meaning, if you or I visit a site, we should have full control of the data they collect from us. Sounds simple and makes sense, right?

There’s three main points to GDPR that I’d like to focus on:

1) We, individually, should KNOW the company has our data and what sorts of data they have on us. This means that when you go to a website, you should know they are collecting your data. Even further, GDPR laws say that you should have to give the consent to do so BEFORE they collect.

WHAT THIS MEANS: The opt-in is crucial and is the main problematic part to all of this. If you have a Pixel on your site, I or any visitor, need to give permission before the pixel fires. If you’re using ecomm platforms like Shopify, that’s impossible. By the time they visit the site, your pixel already fired. Same with almost every other website or platform in the world. There seems to be ONE solution and it’s an ugly one: A landing page with no pixel before they get to your website which has an opt-in. If the user accepts, they go to your site and the pixel tracks them. Can you imagine a landing/opt-in page before every website you ever go to?

Formula 1 main website GDPR opt in.

2) You should be able to ACCESS the data they’re collecting and have the right to CHANGE or DELETE it. For example, if you order a green hat for $19.99, you should have the right to ACCESS that info and have it CHANGED to a blue hat for $4.99 or DELETE that info all-together. Even if you visit a news or media site, you should have the right to change any data they have (age, sex, location, etc) or delete it.

WHAT THIS MEANS: Right now, there’s a major problem – How is that even possible? Does this mean every customer or website visitor has the right to call every business and ask for it? If so, how does a company even comply?

Going even further, from a marketing/marketer standpoint, it’s a lot more complicated. Suppose you run Facebook ads and you make an audience of Website Visitors in the last 30 days. If an individual complains they want you to delete their data, you would also have to remove it from the Facebook audience as well. you’d also have to remove it from any Lookalike Audience made too!

3) You have the right to know WHAT THEY’RE USING YOUR DATA FOR and FOR HOW LONG.

WHAT THIS MEANS: The need for a solid Privacy Policy, complete knowledge of the different audiences you’re building and reporting you are doing is a must. All which come with big hurdles and problems (which we’ve covered).

Most people are just assuming that GDPR affects only the European Union but it’s just simply not the case. Let’s use the NFL (National Football League) as an example. They have visitors come to their site from across the world. They have 3 options:

– Comply with GDPR,
– Restrict access from anyone in the EU or
– Not care and say “we are an American entity that does not abide by European law”.

Since we’ve explained earlier that to be fully compliant by the letter of the law is virtually impossible, that eliminates option 1. Restricting access just doesn’t seem in their best interests so that leaves doing nothing. But what if the EU now says “OK, if that’s the case, we will block all business (ex merch sales) and television rights to our countries”. That’s a HUGE loss of revenue.

As you can see, GDPR is a massive law that affects not just EU citizens but all of us worldwide! Any shop that has an EU visitor (even just 1), or any website period for that matter, needs to be compliant. The problem is, as I’ve pointed out, it’s nearly impossible to be 100% compliant. This opens up the gates for massive lawsuits and class actions since the penalties can be as harsh as up to 4% of a company’s annual global turnover!

So, while the aim is to give digital rights back to its citizens and as data collectors we are responsible to do all this, it’s not practical nor even doable.

GDPR is coming (whether you are ready or not) and businesses and marketers need to be compliant by May 25, 2018. Even if you’re a non-EU company, GDPR is likely going to impact your business and, without a doubt, your marketing.