
Selling anything in Europe - get ready for GDPR or risk big fines (18)


10-02-2017 09:27 AM #1 pekadis (Moderator)
Selling anything in Europe - get ready for GDPR or risk big fines

If you are selling to European countries (or analyse behaviour), you need to be aware of the GDPR and implement a program to comply with this new law.

So what is it?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

When?

It's law already (since April 14th 2016), but the enforcement date is 25 May 2018 - "at which time those organizations in non-compliance will face heavy fines" - quote from http://www.eugdpr.org/

Who is affected

The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Heavy penalties

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

IMO, a few companies will likely be made scapegoats to enforce compliance.

We have seen that last year in The Netherlands when returns and refunds were high on the agenda. Both small and big companies were made examples and fined heavily. 50K to about 300K.

The 50K fine was enough to bankrupt the small ones, so this was negotiated down after compliance and "no bad intent" was shown. Still, they paid big time.

Now what?

That's the big question, because the law defines different roles:

"What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller."

And where is your data really?

So it's not even easy to figure out exactly how you know you are doing it right and complying with the law.

Good thing is, there is still time left and I am working with a specialised consultant on a plan for our business.

Once I have this ready, I'll share further info.


10-02-2017 09:51 AM #2 cmdeal (Veteran Member)

Emailers and sweeps networks in particular will be hit hard by this. It will also likely require a lot more strict opt-ins ... overall, not great for affiliates.


10-02-2017 10:04 AM #3 pekadis (Moderator)

@cmdeal - indeed.

Don't think it's great for anyone. Not even consumers.


10-03-2017 07:33 AM #4 erikgyepes (Moderator)

A lot of confusion around this.

A friend is already preparing for this, so once he was 100% ready he did the audit, but still got a lot of mistakes there.

Here is a simple to understand post I read recently about GDPR from the email marketing perspective:

http://www.automationninjas.com/emai...on-regulation/


10-03-2017 07:53 AM #5 pekadis (Moderator)

@erikgyepes That's a pretty good resource - thanks.

The thing is, that's JUST email marketing. One part of the puzzle.
There's analytics / tracking / order processing / payment processing / CRMs etc.

So the impact is pretty big on lots of processes.

And, as the article you referred to mentions, you need to get your current records up to standard.

In practical terms, you need to be able to prove - without a doubt - that people on your email list (for example) have given you permission to do that. Explicitly.

How did your friend prepare BTW? On his own, or did he get help? Also, who did the audit?
Would love to hear more about his experience.


10-03-2017 08:29 AM #6 stickupkid (Senior Moderator)

Quote Originally Posted by pekadis
@erikgyepes That's a pretty good resource - thanks.

The thing is, that's JUST email marketing. One part of the puzzle.
There's analytics / tracking / order processing / payment processing / CRMs etc.

So the impact is pretty big on lots of processes.

And, as the article you referred to mentions, you need to get your current records up to standard.

In practical terms, you need to be able to prove - without a doubt - that people on your email list (for example) have given you permission to do that. Explicitly.

How did your friend prepare BTW? On his own, or did he get help? Also, who did the audit?
Would love to hear more about his experience.
Oh my, this is JUST the e-mail part indeed. But also think about FB, Google etc etc. The ads market will change somehow too...


10-03-2017 09:58 AM #7 caurmen (Administrator)

Looks like we're going to need an STM guide to GDPR pretty soon! I'll look to do that before the end of the year, unless anyone else wants to volunteer


10-03-2017 10:09 AM #8 pekadis (Moderator)

@caurmen I'll share what I learn here, but that will be "ecommerce with email marketing" specific.

Hard to judge now what it will all entail, but let's see what the journey brings


10-03-2017 11:05 AM #9 dragoshsd (Member)

I would avoid doing any guides on it since unfortunately the implementation depends a lot on the situation. Kinda like giving out tax advice -- you have to talk to a professional anyway since a mistake means lots of $$ lost.


10-03-2017 11:23 AM #10 caurmen (Administrator)

@dragoshd - Good point. I might look and see if there are any definitely-true generalities as there are in other areas of law - IP law has plenty of general "do this, don't do this" points, for example - but if it's going to be very specific the guide will consist of the phrase "HIRE A FECKING LAWYER!" in 400-point type Impact font


10-03-2017 12:18 PM #11 pekadis (Moderator)

@dragoshd I do agree to some extent, but a lot of people and businesses think they're unique.

They're not.

For example, if you collect email addresses, there is a process, a place where you store these, and people that have access to them and work with them.
You need to comply with the law for all these elements. Now, how you go about that will be very similar if not the same for a lot of businesses.

Sure, it's best to do as much as you can. And get a pro in to get to 100% (if that's even possible).

But following a guide that gets you quite far and showing the right intent are above and beyond what I see many do. Not just here, but anywhere in the ecommerce space.
And if anything, a guide will give you insight in the processes and things to think of.

The result of that, depends on the person working with the guide.


10-03-2017 12:47 PM #12 erikgyepes (Moderator)

Quote Originally Posted by pekadis
How did your friend prepare BTW? On his own, or did he get help? Also, who did the audit?
I don't know the details, but he used some local company to help.


10-03-2017 08:42 PM #13 clickwork7

While there are a lot of considerations for specific circumstances, the basic foundations of the legislation are well documented; the grey area is how elements will be interpreted and enforced.

The ICO, responsible for enforcement here in the UK, is still clarifying its guidance, as you can see here:

https://ico.org.uk/for-organisations...pect-and-when/

There will be big impacts on offer owners in the lead generation and sweeps market, which may have an eventual impact on publishers. For example, explicit consent means that sweeps owners will find it very difficult, perhaps impossible, to sell co-sponsor data compliantly, or to run opt-out campaigns in their paths. This will impact revenues and ultimately payouts.

From a publisher's perspective you will see impacts across:

Email - I can't try and share advice specifically on this prodding away on my mobile, but happy to share more detail later. Simplistically, you will need explicit consent from a consumer, who needs to understand the purpose their email will be used for, your company name and address, along with rights to update or change their preferences. Ideally you will have an audit trail to demonstrate any changes to opt-in text.

SMS - this has already been regulated stringently in the UK and again similar consent to email is required. It's my understanding that you would need separate and clear permissions for email and SMS rather than bundling both permissions in one sentence.

Process: lots of documented process required to cover SARs, breach reporting, data protection processes, demonstrate team training etc

HR: if you have a team more considerations here both in terms of protecting their data and ensuring they cannot create a data breach of your users data (access controls, training etc).

Network compliance: Expect networks to be hotter than ever on compliance. For our network we now have a draft compliance document that we will require every publisher to have completed before being approved for email or SMS campaigns. These forms include requirements for screenshots of publishers' email collection forms so we can check for compliance. Regular audits will also be part of the process. We intend to be rigorous with these, erring on the side of caution. I think anyone with non-compliant spammy emails is going to find it tough to find networks willing to work with them in future.

Adtech: Lots of guidance still required, some of which might be cleared up for those in the UK when the new ePrivacy directive clarifies impacts on cookies. For example, want to run an FB lookalike campaign? Well, that's PI; I can't see how you can claim legitimate interest here, so will consent be required? One issue I'm trying to clarify: suppression lists. These contain PI, so how can these be distributed to publishers in a compliant manner? Is the ePrivacy directive going to really screw up the entire retargeting market and create new 3rd party cookie tracking limitations? Lots of changes coming, all of which I'm sure will result in new taxes, sorry, I meant to say fines, for Google and FB.

I'd suggest your first step is to perform a Data Protection Impact Assessment on every area of your business. I'll take a look at our templates for these tomorrow and see if they are shareable.
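As an added illustration of the consent-proof points raised in #5 and above (explicit, per-channel consent; an audit trail of which opt-in wording a person saw), here is a small hash-chained consent ledger. This is example code, not the network's own compliance flow; the company name, wordings and addresses are constructed.

```python
import hashlib, json

# Constructed opt-in wordings (hypothetical company); each wording change gets a new id.
OPT_IN_TEXTS = {
    "email-v1": "Example Shop Ltd, 1 High St, may email me offers. I can change this at any time.",
    "email-v2": "Example Shop Ltd, 1 High St, may email me offers and news. I can change this at any time.",
    "sms-v1": "Example Shop Ltd may send me SMS offers. Reply STOP to opt out.",
}

def sha256_hex(data):
    return hashlib.sha256(data.encode()).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained consent events: one per subject, channel and decision."""
    def __init__(self):
        self.events = []

    def record(self, subject, channel, text_id, granted, source, ts):
        prev = self.events[-1]["entry_hash"] if self.events else "0" * 64
        event = {"subject": subject, "channel": channel, "text_id": text_id,
                 "text_hash": sha256_hex(OPT_IN_TEXTS[text_id]),  # exact wording shown
                 "granted": granted, "source": source, "ts": ts, "prev": prev}
        # Chain each entry to the previous one so later edits are detectable
        event["entry_hash"] = sha256_hex(json.dumps(event, sort_keys=True))
        self.events.append(event)

    def verify_chain(self):
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def current_consent(self, subject, channel):
        """Latest event for this subject and channel wins; no event at all means no consent."""
        latest = None
        for e in self.events:
            if e["subject"] == subject and e["channel"] == channel:
                latest = e
        return latest if latest and latest["granted"] else None

def build_demo():
    """Constructed history: Alice re-consents under v2, Bob withdraws, nobody granted SMS."""
    ledger = ConsentLedger()
    ledger.record("alice@example.com", "email", "email-v1", True, "signup-form", "2017-10-03T09:00:00Z")
    ledger.record("alice@example.com", "email", "email-v2", True, "preferences-page", "2017-10-10T12:00:00Z")
    ledger.record("bob@example.com", "email", "email-v2", True, "signup-form", "2017-10-11T08:30:00Z")
    ledger.record("bob@example.com", "email", "email-v2", False, "unsubscribe-link", "2017-10-12T19:45:00Z")
    return ledger
```

Email consent never implies SMS consent here because each channel is looked up separately, and a retrospective edit to any stored event breaks `verify_chain()`.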


10-04-2017 10:04 AM #14 caurmen (Administrator)

The news on FB lookalike campaigns is particularly concerning. Hopefully some specific advice/information on those will come to light soon - otherwise anyone in the EU will be at a huge disadvantage running on FB.

(My assumption is that FB may update their terms and conditions to include consent for lookalikes.)


10-04-2017 10:49 AM #15 manu_adefy (Veteran Member)

Quote Originally Posted by caurmen
The news on FB lookalike campaigns is particularly concerning. Hopefully some specific advice/information on those will come to light soon - otherwise anyone in the EU will be at a huge disadvantage running on FB.

(My assumption is that FB may update their terms and conditions to include consent for lookalikes.)
I think there's a high likelihood FB and Google will try to set it up in a way that the advertisers have to do very little while still complying with this. I would be more worried about other traffic sources, which will not care at all about the advertiser - there are plenty of those out there.


10-04-2017 01:19 PM #16 clickwork7

My understanding is that with FB lookalikes the situation may change dependent on whether the advertiser is targeting lookalikes by email import or cookies.

If the advertiser imports emails into FB then the advertiser is acting as a data controller and sharing PI - I believe this would require the advertiser to have explicit consent (bear in mind in this case FB is acting as data processor, but the two are jointly severable, so FB would be required to ensure compliance). Explicit consent would involve a clear explanation; try explaining to the average user that you will take their email, import it into FB to then find people that are similar to them to target with advertising - no doubt the typical user will be completely lost, have no incentive to do so and tick the 'No' box alongside the consent statement.

In the case that the advertiser uses FB cookies to target lookalikes then the advertiser is no longer the data controller. However there's also a new EU law (ePrivacy Regulation) which is going to further police cookie use - the only problem is this new legislation is still in an early draft so we don't actually know exactly what restrictions it will require. The EU are trying to push this through in time to coincide with the GDPR implementation date, all feels rather last minute but perhaps FB will find a way to work compliantly here.

For now, we have placed a statement in our draft GDPR flow that mentions FB (on the basis we use cookies, not imports), but once the ePrivacy Regulations are announced we should get some more clarity. Here's our draft GDPR-compliant flow if anyone's interested:

https://ukmysteryshopper.co.uk/313/t...yout=3&cgdpr=1


10-14-2017 06:30 PM #17 geobak (Member)

I just got an email from google about it.

I am using Google Suite and they are updating it thanks to this.

This is a link with some info on how Google is going to tackle this


10-23-2017 10:01 AM #18 stickupkid (Senior Moderator)

Here's another great article about Google and FB advertising and GDPR: https://pagefair.com/blog/2017/gdpr_...o_the_duopoly/

