You may or may not have already heard of this new thing called The GDPR. I am really grateful that I have Christy Westerfeld here today to talk to you guys about what you need to know. Maybe you’re hearing about this for the first time and thinking, “I don’t even know what you’re talking about.” Well, hang out for a sec because we are going to dive into all of what it is and how it’s going to affect you. But first, I just want to quickly introduce Christy!
Jen Casey (JC): Christy is an attorney and legal resource for online entrepreneurs and coaches. She helps savvy, badass business women cut through the confusion and overwhelm of legal and create easy and affordable plans of actions to legally protect their websites, their businesses, and now this new world of GDPR! So Christy, THANK YOU for being here and showing up to clarify some of what’s going on!
Christy Westerfeld (CW): Of course, of course! Thank you so much for having me. I love your podcast and I’m so excited to be here to chat with you, and hopefully relieve some of the panic and confusion that’s starting to boil up around the GDPR; to talk about how it really affects us and what we need to do.
JC: OK, so to kick this off: what exactly is the GDPR?
CW: Yes, great question. The GDPR stands for General Data Protection Regulation which probably doesn’t really help that much. It’s a set of regulations coming down from European Union laws. It basically surrounds data protection and privacy for all individuals within the European Union. I realize that’s kind of confusing, but that’s the definition. What the GDPR is really about is a way for those in the European Union to have more control over what happens to their data. It also requires us as people (who are typically collecting data from people in the European Union) to be a lot more straightforward, transparent, and get a lot more specific with our consent requirement for the reasons that we collect and use people’s data. And when I talk about data, this is the names, email, credit card information, billing information… things that we typically collect. It’s not just data like IP addresses and more kind of automatically collected data, although that is included too. It’s really anything that we collect from people that are in the European Union. We have to change the way we act towards them.
JC: Got it. So why specifically did they decide to create this new law?
CW: Yeah, that’s a good question. I think, as far as the bigger picture of why this is so important: if anybody has seen the crumbling of Mark Zuckerberg and the Facebook situation. I think he did great in front of Congress. But you see the effect that Facebook’s data breach had. He went to Congress; people care about that. I think, as far as the GDPR, interestingly enough it’s not actually new. It was created a couple of years ago. It’s just becoming an issue now, because the compliance deadline is May 25, 2018. So it’s not technically new law, but they’re going to start enforcing it; which is why it’s generating a lot of questions now.
Really, the reasoning behind not only the GDPR but also on a broader level: as things become more automated online and as people are transferring a lot more data online, third parties are having access to it.
We’re doing things like Facebook marketing, we’re creating “look-alike” audiences, we’re uploading people’s email lists.
We are able to do crazy things with people’s data.
It’s the other side of that argument; looking at, “Is this ok with people?” Like, if I’m signing up for someone’s checklist, DO I consent to my email address being used for everything else on that email list, or look-alike audiences, Google Analytics… the things that we do to track people’s behavior?
What’s at the center of all of this is accountability, transparency, and a bigger responsibility for us as business owners.
When we’re collecting information from people, a lot of people think of email lists as nothing, unless you’ve got like eight thousand people. Right? Even if it’s just 600 people:
you have a responsibility to protect, safeguard, and responsibly use all their information.
I think it’s going to encourage people to think of the list not just as statistics or numbers, but of actual people who have been trusting them with their information. To really take a minute and think more about what consent these people have given. So, we’re going to talk about consent. It’s a huge piece of GDPR, but really, I think it’s going to allow people to have a greater connection with their audiences. You’re getting that consent from people, and you’re going to have maybe a smaller audience in the beginning, but it’s going to be a more engaged audience and I’ll talk more about that. I think it’s actually going to be a good thing once we get compliant, even if our lists are smaller. So the people that we’re going to end up deleting are people who weren’t engaged anyway.
JC: I like that you put it that way. Like you said, people are going to need to be a little bit more responsible about the way that they handle data. Marketers are going to have to really nurture and take care of our people and not see them as a statistic; know that every single one of those e-mails is a person.
CW: Exactly. A person that is entrusting you with their personal information. Their name, their email… sometimes phone numbers. But yes, these are people that are saying, “I want to receive what you’ve created, and in exchange, here is some personal information.” It eliminates the ability for us to say that I’m going to add you to a million different lists.
JC: Absolutely. And ultimately, it could end up being a revival of e-mail marketing in some ways. I talk to people all the time who are trying to build their freemiums, but how many freemiums do you open? You’re getting inundated with so much content in so many e-mails. Often, you’ll think, “How did this even end up in my inbox? I did not sign up for this.” So I totally agree, now that you’re framing it for us. This really is going to be a huge benefit to nurture and connect with people we actually want to, and really all of us being more protected in the online space.
CW: Absolutely.
JC: So, why don’t you fill us in on a little bit of what is included under the GDPR and what are the changes that we need to be aware of?
CW: Yes. So to get a little bit legal here (and this may seem a bit classroom-y): the GDPR applies to companies involved in the processing of personal data of those located in the EU. A lot of people are struggling with the “Does it apply to me?” question, so I want to hit this point.
If you’re located in the U.S. or Canada, or otherwise not in the European Union, a lot of people brush this off because they think it’s only for the EU. Not true.
It applies to companies involved in the processing of personal data of those located in the EU. The processing of personal data just means collecting, using, organizing, storing (even deleting accounts counts as processing), and just using in general. Personal data, of course, is any information relating to an identifiable person. So, interestingly enough, somebody who is not located in the EU will be subject to the GDPR when their processing activities (the way they’re collecting the data) are related to offering goods or services to people in the EU.
So, if you have a website where you’re offering goods or services to people and that includes those in the European Union, or if people in the EU can join your email list, you ARE collecting data from them.
Even if it’s less than a hundred people, if you’re marketing to those in the EU and if they’re able to join your list, the GDPR applies to you.
JC: Do you want to pick a specific thing, like maybe talk about e-mail marketing, that the GDPR impacts? That’s one of the biggest things I know for a lot of the people who are listening to this right now. They might be thinking, “Wait a minute, if I’m getting somebody’s e-mail from an opt in, what’s different now? How is this going to change?” And if there’s already a sizable list, how do I now figure out how to differentiate from those that are in the EU?
CW: There are certain things that you now need to do in order to make sure that you have consent from them to continue marketing to them. So let’s talk a little bit about how they can do that, and in a little more detail about what exactly that entails.
Number one: you need a privacy policy.
This is not new. I mean, if anybody has listened to me before, chances are you’ve heard me say that you need a privacy policy. This is something that you should already have in place with California laws.
But now, you not only need one, you need one that’s GDPR compliant. And what that means is basically you need to have additional information in your privacy policy to be even more transparent about the data you’re collecting; why and how you’re using it, how you’re protecting it, how you’re going to share it.
The GDPR also adds eight different rights of users. If we want to add them in the show notes, I’m happy to add more information rather than read it all aloud. There are additional rights that people need to be made aware of, and that has to be in your privacy policy.
All of this can be resolved by just making sure you have a GDPR compliant privacy policy on your websites.
Make sure you have it in the footer of your website. In addition to it being in the footer of your website, it has to go on ALL of your opt-ins. So, any time you have a form where people can put personal information (a landing page, for example), you also need to provide a link to your privacy policy.
JC: Wow. So now, it’s not just needing to be at the footer of the landing page, but also in the actual opt in box, or wherever they’re entering their data.
CW: Really, the reasoning behind this is for transparency and consent. What I want you guys to always consider is: every time you collect someone’s data, ask yourself, “What is my reason for collecting this information?”
The GDPR requires that you always have a legal basis for collecting any type of information.
Let’s unpack this a little bit. There are six different legal bases in the GDPR that you can lawfully collect and use information from people. There’s a main one that we’re going to use probably 95% of the time, and that’s going to be consent. So, every time you collect and use data from someone, you’ve got to check that you have a legal basis for doing that. This really matters when we’re talking about our email lists. Because, when someone signs up for an offering (say, a freemium), we use that to build our e-mail list. The main difference now is that that’s where their consent ends.
We can’t then add them to our e-mail lists but then send them into our sales funnel; because, they only have given us consent to use their personal information for the freemium.
Does that make sense? I actually just did a webinar on this; we can link to it in the show notes below.
JC: Sure. You had mentioned that it was, like, two hours long, so you’ll get a lot more specific detail on how this is going to impact your business. I am curious though… when we’re talking about sales funnels, what would be the things that people now need to do? Because, of course, some of us might say, “Well, I don’t really have too many people in the EU coming in, so I don’t want to just cut off funnels that I’ve created…” What is something that you’ve heard people are doing now to qualify whether that person is in the EU or elsewhere? I know some people are tracking IP addresses and that’s determining where people can go; if they’re going to continue down the sales funnel and get these follow up emails or if I need to reengage them to get their consent. So I’m just curious how that would all work together?
CW: So there’s a couple different ways you can do this. Let’s talk about how to comply with our current list that we’ve built. First, let’s talk about what to do with our current list, and then we can talk about moving forward with how we can comply. So, with our current list, number one: act quickly. GDPR goes into effect on May 25th. That doesn’t mean start doing this by the 25th.
If you don’t have “fresh consent” from people that are located in the EU by May 24th, you’ve got to delete them. Deleting is actually a form of processing their data!
So ironically enough, you will actually be in violation of GDPR if you delete your information after May 25th.
JC: Oh my gosh!
CW: Yes, deleting counts as accessing, which is a form of processing. So I would encourage you guys to start this process now. There’s a couple different ways you can do this.
So you can start with considering: really, who do you need consent from?
If we live in the U.S. and we’ve got people on our list from the EU, in order to comply with GDPR, it’s just the individuals that are located in the EU that are on your e-mail list that you’ve got to deal with.
This goes above my education in terms of technology, but the way that a lot of email companies or marketing systems work is you can actually track people via their IP address to see where they were located when they opted in. So, if that’s the route you want to go, make a list of everybody located in the EU. Or, if you’re not sure of their location, add those people into the potential E.U. list as well.
The best way that I can think of is re-engagement.
Reach out to them, and resell them on why they want to be on your list.
What value are you offering?
Then, in that email, give them the option to opt in and to join your email list again.
The other thing that I would recommend doing: once you’ve got your GDPR compliant privacy policy on your Web site, email your entire list to advise them that you’ve updated your privacy policies. I’m sure I’ve been getting like at least one or two emails a day from tons of people saying “We updated our policies.” You’re one of those people as well.
JC: Amazing. So I’m curious… if you are not in compliance, how or in what ways are they able to take action? What are the consequences of not being compliant?
CW: This is a good question. The short answer is huge fines. The realistic answer, in my opinion (and I say this with a huge, bold legal disclaimer)…
Are they really going to focus on small companies? I don’t know. Really, the way that this could come back to bite you is if someone on your email list complains. That’s very likely.
Everybody is becoming more educated on this topic.
As you become more educated on this topic, you become more aware of when it happens to you.
If you send 5 emails a day to someone who didn’t agree to be on your list, and you irritate them to the point where they don’t want to just hit “unsubscribe,” if they want to tell on you, they can. If someone is alerted to your noncompliance, that’s probably the most likely way that you’ll get hit.
JC: Sure. And I’m curious too, and you may not know the answer: Email marketing systems, like Leadpages or Kajabi, are they going to be more sensitive to service providers who are misusing their software? I’m curious if they’re going to take action in some ways. Like, “You’ve abused the GDPR; you can’t use our system.”
CW: That’s a really good point. I hesitate to get into this, because this is a little bit of the nitty gritty of the GDPR. But I’m just going to do it. There’s one other thing, and I swear this is related to your point, because in terms of marketing services, the GDPR breaks down data controllers versus data processors. Basically, if you are collecting and using data, you’re a data controller. Really, that is pretty much all of us, unless you’re a virtual assistant who doesn’t have their own business and just works for other business owners. You’re a data controller if you’re the one that decides what information you’re going to collect. Data processors are email marketing services: Active Campaign, MailChimp, all of those services. They don’t decide what information to collect. What they do is process the data that we give to them.
And the reason this is important: the GDPR requires that data controllers (you) have processing agreements with data processors (email marketing systems).
So, I have to have a data processing agreement in place with Active Campaign. Obviously, Active Campaign isn’t going to sign a million users’ different data processing agreements. So what they’ve done is they’ve created a service where you can click on a link. You’re taken to their Data Processing Agreement, and then you can sign it via HelloSign or DocuSign. Then you download it, and then you have a data processing agreement with them.
So, it’s possible that now the responsibility is on us as the data controller and not on them. They might say, “They haven’t signed our agreement so if they’re going to be non-complying, it’s not our fault.” But I guess we’ll have to see!
JC: This is really fascinating, because now everyone is starting to talk about it. I would have started this six months ago, but I only even heard about it about a month ago. So yeah. It’s made its way through the grapevine.
CW: Absolutely. I know, and it is something that creeps up on you. Many people assumed that since it was just the European Union, they were okay. But, as you learn more and more, you get more and more concerned until it becomes organic.
But, it’s not panic worthy.
That’s really my goal with you today: to give people actionable items and actionable steps to take, so they walk away with a list of what to do.
It’s not the end of the world.
JC: We’ve covered a LOT, but just to be sure: what are the other important key pieces of this that we haven’t covered yet?
CW: Well, the main thing that’s left, to comply with the GDPR privacy policy requirement: you need a template. I sell them. ChristyWesterfeld.com. If you click on the individual templates, “privacy policy” is the first one right there. You can purchase it, and then once it’s on your opt-ins, you’re protected.
Then you can email your current list about your updated privacy policy.
Really, the key piece to keep in mind: you have to get that clear, unambiguous, specific consent from each individual to allow you to use their data in each way you want to use it.
The GDPR also specifically prevents you from getting conditional consent. The consent has to be freely given. So, you can’t say, “You HAVE to sign up for this list, and then I’m going to give you a freebie.” Everything has to be freely given; they can only sign up to your email list by saying, “Yes, I want to sign up for your email list.”
Some companies have already been compliant; when you’re about to buy something, it might say, “Would you like to receive our promotional emails?” You have the option to click yes or no. You can still purchase or download the freebie with or without clicking those boxes that they’re giving. This is exactly right, except one thing: the prechecked boxes are not allowed now.
JC: Oh wow.
CW: That person can’t prove that they gave you affirmative consent if you have that prechecked box, because they’re not actually doing anything. So, they simply disallow the prechecked boxes and the automatic opt-ins. We just have to take additional precautions.
JC: Absolutely. Now, what if somebody says, “Well, I don’t want to work with people in the EU, so I’d rather remove the headache and really just continue to market to the U.S. and Canada and not have to add in all these new layers”?
I mean, I guess there might be people out there who don’t want people in the EU on their email list because maybe they have a physical product that doesn’t ship outside the U.S. For those types of people, what would they put in place if they really just didn’t want anybody outside of their direct market on their list?
CW: This is kind of a tricky question. My products and services are really for the people in the U.S. from a legal perspective. But, does it work for international people? Yes. Do I have people from the E.U. on my list? Yes. They can view and opt in to my stuff. So, it’s tricky, because in order to make the cut off, you would really have to prevent opt-ins. That’s going to require a little bit of creativity in my opinion, because you’re going to have to look very, very clearly to cut them out.
I would say: if your website is viewable to the EU, get compliant.
If they see an opt-in, you’re marketing to them. Maybe you don’t have a store in the UK, but they can still opt-in to your list. Would you delete them from your email list? Probably not. Do you want to monitor that every day? Probably not.
I totally get the hesitation, but instead of thinking about it that way, just figure out how to get compliant. If you don’t have that many people from the EU, it’s probably not that big of a deal. But, it’s just going to take up more of your time to get compliance when people opt-in without a policy.
It is worth it to just comply across the board.
Who’s to say that next year other countries aren’t going to do this? People might follow suit. The U.S. is certainly threatening to, with Congress cracking down on Mark Zuckerberg.
This is not necessarily a one-and-done thing. You know, if other countries started enacting these additional regulations… Just have everybody consent, regardless of where they’re located. You don’t have to try to figure it out every time someone walks in.
JC: That’s so true. It didn’t even occur to me that other countries might very well jump on it, you know. I’m going to link in the show notes to the action steps you can take, as well as the webinars that Christy did the other day, so that you guys can dive into that and go a little bit deeper. And, if you guys need to update your privacy policy (which you probably do), Christy has really awesome templates that you can grab so that your stuff is going to be privacy policy compliant.
JC: What would be the best place for them to come and connect with you and hang out with you if they have additional questions?
CW: Sure! My website is just ChristyWesterfeld.com. I also have a free Facebook group called The Legal Entrepreneur. I host a weekly show there where I take questions and answers. It’s really a great spot if you’re an online business owner and you want to be legally compliant. And yeah, any questions that you guys have please feel free to look me up on Facebook – Christy Westerfeld – or through my website.
JC: Amazing. Well thank you so much for coming on here today and helping us get legally protected. I really appreciate everything that you do in the online space; just showing up and giving so abundantly. So thank you.
CW: Thank you so much! I truly love this and I love being able to teach you guys. And thank you for your interest! Being legally compliant; I know this isn’t the sexiest topic in the world, but it is important. Hopefully I’ve made it somewhat easier to understand!
JC: Yes; you make it sexy and simple!