The GDPR: 29 Things ALL Marketers Must Know

First: None of this is legal advice. I’m 24 years out of law school, and my eyes cross when I read any form of legislation. For the legalities, visit the GDPR site and/or hire a lawyer.

I wrote this list while ranting about the various awful blog posts I’ve read by “experts,” and marketers’ tendency to try to game their way out of everything. You can’t game your way out of GDPR. It’s not like link schemes or content spinning. It’s a real regulation with real, ulcer-generating consequences if you violate it.

Here are my random thoughts, in a somewhat-orderly list:

I’m a marketer. What is the GDPR, in non-politician speak?

It’s a pile of rules that politicians and lawyers call a “regulation.”

That means it’s not a “recommendation” or a “suggestion.” It’s more of a “follow this, or you’ll get beaten to a pulp” kind of thing.

1. The EU wrote the GDPR to protect their citizens’ data. It regulates how businesses can collect, use, and distribute your information
2. The GDPR is not another please-don’t-dump-records-off-the-back-of-a-truck-thanks law. Someone in the EU got one too many “greetings of the day” emails and decided to kick some marketer ass. It’s thorough and complicated
3. It’s official May 25th, 2018

Does it apply to me?

4. If you’re outside the European Union and EU citizens visit your site, the GDPR probably applies
5. An easy test: Would you be OK blocking all traffic from the EU? No? Then you had better comply with the GDPR

What’s all this “consent” talk?

6. In the GPDR, Personally identifiable information is anything that can be used with any other information to identify someone. If a CSI character could use it to track you down, it’s PII
7. You need to collect some form of consent for any PII
8. You need to collect explicit consent any time you collect sensitive personal data.
9. Explicit consent doesn’t mean someone stares at the screen and says “Yes, f–k you!” It means they opt-in to share information, allow you to use it as stated, and know what information they’re sharing
10. Sensitive personal data includes things like race, politics, religion, union membership, medical information, criminal proceedings no matter how they concluded, ongoing proceedings regarding alleged crimes, or anything around lifestyle, health, or sex life
11. Non-sensitive data includes things like cookies
12. Non-sensitive data does not require explicit opt-in
13. Want to be smart about it? Collect explicit consent any time you collect personal data. That’s name, address, phone number and such

The following are not explicit consent:

14. A pre-ticked box. Well, it might be, but it’s a serious schmuck move, so avoid it
15. Failure to opt out
16. Asking for consent later
17. Linking to a 900-word pile of verbal cud called “Terms and Conditions”
18. Any cute tactic you used to use to pad your contacts lists and get subscribers isn’t consent

And here’s what most folks can comfortably say is consent:

19. Ticking a checkbox
20. Configuring privacy settings
21. Providing opt-out ability on a case-by-case basis
22. However, GDPR compliance doesn’t require a crappy user experience. Read this Econsultancy article for some tips
23. One tip: Make it easy for people to delete their accounts/records from your databases. A nice form where they can say “please forget about me. It’s not me, it’s you” will go a long way

Corrections

I’ve heard some awful advice. So read these and hang them on your monitor:

24. No matter what folks tell you, IP addresses are personally identifiable information!!! GDPR specifically states this
25. Facebook, Google, et al. will not protect you. They consider GDPR compliance our responsibility. Don’t rely on them

This is an outrage!!!!

You’re right! In the good old days, we could collect user data like candy and trade it at the corner store. I could stalk consumers around the internet in ways that make Hannibal Lecter look cuddly.

GDPR infringes on my rights.

I’m furious.

26. Yes, compliance will cost you money. It costs me money. And time. It’s a pain in the tuchus. It will cost a lot more if you don’t comply.
27. Yes, the EU might miss you. You’re thinking, “Oh, no one’s going to check my compliance with GDPR. I’m little.”
28. Yes, if they catch you, they can pound you out of existence. Penalties are absurd
29. Sure, you can fight it in court for years and years, bleeding money while lawyers argue. Let me know how that goes

The smaller you are, the easier it is. The bigger you are, the greater your risk. Just read up and comply, people.

The post The GDPR: 29 Things ALL Marketers Must Know appeared first on Portent.