GDPR Data Privacy Laws - A simplified legal explanation
by Matthew Anderson
February 6, 2019 — 4:39 PM EST

Do you run a website with customers, or even visitors, in Europe? If so, you need to be aware of the European Union's new data privacy law, the General Data Protection Regulation (GDPR), often referred to as the GDPR data protection laws. The GDPR is a landmark internet privacy law intended to safeguard the private personal information of the European Union's 508 million people across 28 countries. The EU recognizes 24 official languages (about 90 are spoken), the majority of its people know English as a second language, and internet penetration averages upwards of 90%. The UK has also passed an almost identical law, enforced by the ICO (Information Commissioner's Office), and will essentially remain covered by the same rules regardless of the Brexit situation. Under the GDPR, privacy breaches through mishandling or unauthorized use of personal data are punishable by fines no matter where you are located: if your customer or user is in the EU, this law applies to you.

This article is not professional legal advice and should only be seen as an overview of the laws as we interpret them. We have summarized or left out many details to make this more of a consumable experience covering just specific elements of the GDPR laws pertaining to email marketing, user tracking and personal data storage.

Examine your business for invasion of privacy laws

For your business to be compliant with the law, you have to examine where you are using personal information and for what purpose. The GDPR replaces a patchwork of European privacy laws created to deal with the abusive, illegal, or negligent tracking and logging of user data. Previously, the information your business learned about someone through logging or tracking belonged to you; the GDPR now protects identifiable data as if it belonged to the person it describes. Websites use many methods for tracking people, some for marketing purposes and others to improve the user experience, with cookies and third-party cookies being among the most common. Cookies are pieces of information stored on the visitor's computer that allow the site to recognize them later, for purposes such as staying logged in, keeping items in a shopping cart, or counting the number of people who view the site. Most cookies are considered personal data because they can tie a person to their device, although some tracking cookies that expire with the user's session are exempt. Identifying information that can be tracked to a device or an email address may now require permission to use, but the GDPR still allows businesses to use personal information under certain restrictions and rules. Once you know what kind of information you are using, you will have to address how to handle the personal information you already have and what changes you will need to make when gathering it.

You may have to:

  1. Send an email requesting consent to keep contacting someone
  2. Write a document assessing why and how the data is used and its necessity
  3. Change how information about people is gathered
  4. Stop your website from gathering information until consent has been given

It's important to note: Information that either cannot be used to identify anyone or is only using personal data in a way necessary for the function of the site is exempt from these restrictions.

Know your privacy rights

Not all information about a person is protected by the law. If it can identify a person, it is protected. The same goes if it can easily be used to identify them even if it doesn't directly do so, but information that cannot be used to identify anyone isn't protected. An email address, or anything pointing to a specific device, is identifiable to a person and requires a legal reason for saving or using it for business purposes. Two reasons under the law that allow you to legally use people's protected private information are Consent and Legitimate Interests. If you are asking for a person's consent to use their data, the GDPR requires that the wording be in plain language that is unambiguous, concise, and informative. Consent must be easily revocable, and users must be able to access or delete their data; the law asks that doing so be as easy as possible. Website visitors cannot be blocked from accessing your core services for refusing to consent to the sharing of their personal data, and you must ensure that no tracking begins until consent has been given. You also need a clear and straightforward privacy policy accessible to the user whose data you are requesting. If you are using legitimate interests as a legal basis, an assessment of the necessity of using that data has to be produced before you begin using it.

Following the EU GDPR laws properly

Whether through consent or legitimate interest, the first step for your business to have and use data about your users is having proof that you are allowed to. It is not enough to follow the law; you must be able to prove that you did, so you must document that the personal data was legally obtained. The wording you use when requesting consent must be saved so that you can show when a user consented to the use of their data and under what terms. A Legitimate Interests Assessment needs to be done for each mass email campaign and should be recorded so that you can show your reasoning for using the information if required to. The first part is establishing your purpose in using the information, then showing the necessity for the use of the personal data, and finally a balance test to determine whether the rights of the individual override the legitimate interest. Documenting your legitimate interest or the consent of the user is required before you begin to use any personal information.

Legitimate Interests Assessment

  1. Establish a purpose
  2. Show the necessity to store personal data
  3. Balance test to consider the rights of the individual

Tracking personally identifiable information

Your business website will need to ask each visitor for their consent before tracking them. You can accomplish this through an overlay popup, but it must be opt-in. That means you cannot use pre-checked boxes agreeing to your terms; instead, the user themselves will have to click the checkbox or take some other action showing that they agree to share their data. This must be direct, clear, and in plain language, with a link to the company's privacy policy, which must be highly visible even if attached to your terms and conditions. A choice between agreeing to share their personal data and continuing without sharing is also fine, and may have better results than a choice that can be declined more easily than accepted.

Upholding European privacy laws

It is up to you to decide how you want your business to ask for permission but you must:

  1. Specify what data you want
  2. Say what you need it for
  3. Tell them who will have access
  4. Let them know how long you plan on retaining the data
  5. Offer an easy method of rescinding that permission
  6. Not preselect an agreement to your terms

When offering a subscription, the reason you want the email address must be specified; if it is in exchange for an offer, then only that offer can be sent, and the person will have to explicitly agree to anything more. When asking for an email address, you may have a checkbox for the person to consent to receiving other emails as they input their address, or you can choose a two-step approach called double opt-in. With double opt-in, the subscriber is sent an email asking for permission to contact them for specific purposes, which includes a link to confirm the subscription. Either the email or the confirmation page will need a link to your privacy policy and a way to unsubscribe. The same principles apply regardless of your business's contact method: you need permission, and you need to get it through a simple and direct method.

Third party cookies

Many websites use third-party services for analytics, advertising, or marketing automation. These services will often issue cookies to all your website visitors in order to work. While some of your website's cookies may be exempt from the consent rules of the GDPR, such as the ones necessary for the website to work, all third-party cookies require consent from the user. It remains up to the business to get the user's consent for those tools; however, it is illegal to share personal information about a user with a third party without some form of explicit business relationship. Agreeing to the terms of service of a third-party tool is a contract under the GDPR, but the third party's terms and conditions must include a clear privacy statement about the handling of the data, the same as is required of your business. Agreeing to those terms and asking consent of the user is all it takes to continue legally using these tools. You will need to ensure that the third-party tools you use do not load any cookies until after the user has consented to their use. The responsibility to secure any communicated information is split between your business and its partners. By keeping the personal data of your users safe, you will help to keep your own business safe.
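The practical difficulty in the paragraph above is the last technical requirement: a vendor's tag sets its cookies the moment the browser fetches the script, so "no cookies until consent" means "no script until consent". The following is an added example, not code from the article or from any vendor: vendor snippets are shipped inert as `<script type="text/plain" data-purpose="..." data-src="...">`, which the browser never executes, and are swapped for live `<script>` elements only for the purposes the visitor has actively chosen in the opt-in banner. The markup convention, the `consent` cookie name and its comma-separated format, and the purpose names are assumptions for illustration.

```javascript
// Added example (not from the article): consent-gated loading of third-party tags.
// Pure decision logic runs anywhere; the DOM glue runs only in a browser.
const CONSENT_COOKIE = "consent";    // assumed format: consent=analytics%2Cmarketing
const EXEMPT_PURPOSE = "necessary";  // strictly necessary tags need no consent

// Read consented purposes from a document.cookie string. No cookie means nothing
// was consented to, so on a first visit no third-party tag runs at all.
function parseConsent(cookieHeader) {
  const consented = new Set();
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    for (const p of decodeURIComponent(rest.join("=")).split(",")) {
      if (p.trim()) consented.add(p.trim());
    }
  }
  return consented;
}

// Decide which deferred tags may run. A tag with no declared purpose is blocked:
// fail closed instead of guessing what the vendor does.
function partitionTags(tags, consented) {
  const allowed = [], blocked = [];
  for (const tag of tags) {
    const ok = tag.purpose === EXEMPT_PURPOSE || (!!tag.purpose && consented.has(tag.purpose));
    (ok ? allowed : blocked).push(tag);
  }
  return { allowed, blocked };
}

// Browser glue. Inert markup in the page looks like:
//   <script type="text/plain" data-purpose="analytics" data-src="https://vendor.example/tag.js"></script>
// Returns the number of tags activated by this call (idempotent across calls).
function activateConsentedTags(doc, consented) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-purpose]'));
  const tags = nodes.map((el) => ({ purpose: el.dataset.purpose, src: el.dataset.src, el }));
  let activated = 0;
  for (const t of partitionTags(tags, consented).allowed) {
    if (t.el.dataset.activated) continue;
    const live = doc.createElement("script");
    live.src = t.src;
    live.async = true;
    t.el.dataset.activated = "1";
    t.el.parentNode.insertBefore(live, t.el.nextSibling);
    activated++;
  }
  return activated;
}

// Called by the opt-in banner's "Agree" button with only the boxes the visitor
// ticked themselves (the banner ships them unchecked). Stores the choice and loads tags.
function grantConsent(doc, purposes, days = 180) {
  const value = encodeURIComponent(purposes.join(","));
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=${days * 86400}; Path=/; SameSite=Lax; Secure`;
  return activateConsentedTags(doc, parseConsent(doc.cookie));
}

if (typeof document !== "undefined") {
  // Returning visitor: honour the stored choice; otherwise every tag stays inert.
  activateConsentedTags(document, parseConsent(document.cookie));
}
```

Because the inert element is never removed, the page keeps an auditable list of every vendor it could load and the purpose each one was declared under, which is also the list you need when writing the privacy policy the article asks for. Withdrawal of consent should clear the cookie and, since already-loaded scripts cannot be unloaded, take effect on the next page view.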

Improve Data Privacy

Europe is a massive market, so you will likely find yourself dealing with a client or user covered by these laws unless you limit yourself to local customers outside of Europe. These rules on the handling of data complicate the process of marketing, but if implemented correctly, with "privacy by design" as the law calls for, they can become an opportunity to understand that person better. The more transparent your goals are to the user, the more trust you can have that the user will be receptive to your marketing. Asking the user for their information is an opportunity to provide marketing relevant to them, which can lead to a better rapport and better conversion rates. Everyone will be asking the same questions, which will lead to users with reactive habits for and against granting consent to the use of their data. When designing your consent request, consider how to entice a cookie-wary visitor into becoming a valued subscriber or user. We can expect more laws of this kind in the future, and likely wider adoption across governments, so learn how others are addressing their compliance and be innovative with your own approach. The EU's official website, europa.eu, offers an example of what is acceptable, but it was made clear that the law was written using guiding principles instead of hard rules so that the market could develop a best-practice model.

Resources:

(1) Official europa overlay - http://ec.europa.eu/ipg/docs/cookie-notice-template.zip
(2) Legitimate interests sample LIA template - https://ico.org.uk/media/for-organisations/forms/2258435/gdpr-guidance-legitimate-interests-sample-lia-template.docx
(3) Lawful basis interactive guidance tool - https://ico.org.uk/for-organisations/resources-and-support/lawful-basis-interactive-guidance-tool/

Sources:

(1) Europa Website - https://europa.eu
(2) PECR - ico.org.uk
(3) Legal reasons to use personal data - http://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm
(4) What is the 'legitimate interests' basis? - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/
(5) Lawful basis for processing - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
(6) Consent - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
(7) Legitimate interests - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
(8) LIA with template document - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/
(9) ePrivacy Directive - Cookies - http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm