Prepare your ecommerce marketing for the EU’s GDPR
One of the most far-reaching changes affecting the ecommerce world in 2018 will be the European Union General Data Protection Regulation (GDPR). This new and unified approach to personal data protection gives people in the EU a lot more control over who has access to their data and what is done with it. The good news is that it doesn’t apply until May 25, 2018, so you still have time to learn and prepare! And we’re here to help you.
Adopted on April 27, 2016, the GDPR affects not only European companies, but every company that processes the personal data of people in the EU: if you are established outside the EU but sell to EU customers or track the behaviour of EU visitors (analytics, retargeting pixels, A/B tests), the regulation applies to you. For an ecommerce store that ships worldwide, that’s basically every store regardless of where it is incorporated.
A new regulation that pretty much every company has to follow and that comes with severe fines of up to 4% of global annual turnover or 20 million euro (whichever is greater). Proper scary stuff.
You probably don’t have to make drastic changes unless you run custom software end to end: from the one that runs your site, to email marketing, to popups and A/B testing.
If you rely mostly on SaaS products – like Shopify for your ecomm store, Klaviyo for email marketing, Optimizely for A/B testing, WisePops for popups and the like – the changes you have to make are not that drastic, because the heavy lifting sits with the vendors. One caveat up front: using SaaS tools does not move the legal responsibility. Under the GDPR you are the data controller and each of these vendors is a data processor acting on your instructions, so you still have to know what data each tool holds and answer for it. But since visitors have a lot more rights going forward, it makes sense to look at what exactly changes and how.
Key Areas of GDPR
Definition of Personal Data
Perhaps the biggest change in the GDPR is how broadly personal data is defined. Under the new regulation, personal data is any information relating to a person who can be identified from it, directly or indirectly, including by reference to an identifier such as a name, an ID number, location data or an online identifier.
This far-reaching definition includes:
- a name
- a photo
- an email address
- bank details
- posts on social networking websites
- medical information
- an IP address
- the random identifier (cookie or device ID) assigned to a visitor to track them for analytics and A/B testing
- and more!
Going forward, the bulk of information collected when someone visits your website is considered personal information and thus falls under the GDPR. This is the big one – everything else in the GDPR concerns personal data, and with this definition nearly all of the data a store collects is in scope. Note that pseudonymised data still counts: a hashed email address or a cookie ID is personal data as long as someone could link it back to a person. Only data that is truly anonymised, with no way to re-identify anyone, is out of scope. This is why it’s such a big change.
Consent
The next big change is user consent. Consent now has to be a clear affirmative action: freely given, specific, informed and unambiguous. Silence, pre-ticked boxes or simply continuing to browse do not count. And withdrawing consent has to be as easy as giving it.
Meaning that the prototypical automatic notice of “If you continue to use XYZ you agree to our Terms and Conditions” no longer gets you valid consent. You need an explicit opt-in (a button or an unticked checkbox) before you start any processing that relies on consent, and a way to withdraw that is just as easy and just as visible – a “cookie settings” or “unsubscribe” control reachable the whole time a visitor from Europe is on your site, not a buried email address – and you have to actually stop the processing when they use it. Keep in mind that consent is only one of the lawful bases the GDPR offers: processing the order itself rests on the contract with the customer, so you don’t need consent for everything, only for what genuinely depends on it, such as marketing cookies and retargeting.
Additionally, the GDPR bans burying the request for consent in legalese or in a long, illegible Terms & Conditions document. The request must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, with the purpose of the data processing stated using clear and plain language. You also have to be able to demonstrate that a given person consented, so keep a record of when and how they did.
Data Subject Rights
The GDPR gives people in the EU a set of rights over their data (access, rectification, erasure, restriction, portability and objection). Three of them matter most for an ecommerce store: access, to be forgotten, and data portability. Similar rules exist today under the 1995 Data Protection Directive, but the new regulations are a lot tougher and give consumers a lot more control. One rule applies to all of them: you have to act on a request without undue delay and at the latest within one month.
Right #1 – Right To Access
Europeans have the right to know if their data is being processed, what data, for what purpose, who it has been shared with and for how long it will be kept. Upon request, data controllers (that’s you) have to provide a copy of that personal data, free of charge and, if the request came in electronically, in a commonly used electronic format.
For example, when a European customer asks, you have to provide a list of all the ways that her/his data is being used. That includes the recipients of the data, which in practice means every tool you use that received it: GA for analytics, Facebook pixel for ads and retargeting, Klaviyo for email marketing, and the like. So you need an inventory of those tools before the first request arrives, not after.
This is not so much a problem for you as it is for software providers, though the legal duty to answer stays with you. Software companies must build functionality into their products that offers a way to check whether a certain customer’s data was processed and to pull it out, because as processors they are obliged to assist you with these requests.
Right #2 – Right To Be Forgotten
Also known as Data Erasure. This one means that when a customer asks, her/his data has to be deleted from ALL the tools and software you use: you erase it yourself and tell every processor that holds a copy to do the same. Withdrawing consent is one of the grounds that triggers this, and again, withdrawing consent has to be as easy as giving it in the first place. The right is not absolute, though: where the law obliges you to keep records (invoices for tax purposes, for example) you keep those and delete everything else.
Right #3 – Right To Data Portability
Europeans have the right to receive the personal data they provided to a company in a “structured, commonly used and machine-readable format.” And once the data is obtained, they have the right to take that and give it to another company, or to ask you to send it straight to the other company where that is technically feasible.
In theory, a customer could ask for their data (things like buying history) and take it to a competitor. Or vice versa: you could theoretically leverage the data your customers bring over from a competitor to better entice them to buy from you.
Breach Notification
Additionally, there’s the duty of Breach Notification. Notification of data breaches becomes mandatory: where a breach is likely to “result in a risk to the rights and freedoms of individuals”, you have to notify the supervisory authority (the data protection regulator) within 72 hours of first becoming aware of it, and if the risk is high you also have to tell the affected individuals without undue delay. Breaches that are unlikely to result in any risk still have to be documented internally.
The same applies to data processors like Klaviyo. We have the responsibility to notify our customers (that’s you!) “without undue delay” after first becoming aware of a data breach. Since your 72-hour clock starts when you become aware, make sure the contract with every processor spells out how, and how fast, they will tell you.
This is actually good for both consumers and companies that rely on third-party providers to run their business. This way companies can’t quietly downplay data breaches; by law, they have to report them to the regulator and, when people are at real risk, to the people affected. This one is truly great all around.
At first glance, the amount and scope of changes in the new European privacy regulations are mind-boggling. They range from redefining what personal data is, to making data consent work both ways, to ensuring the three consumer rights – access, to be forgotten, and data portability.
The changes are big indeed, but the good thing is that most businesses relying predominantly on third-party software have less to worry about: the most extensive engineering changes have to be made by the software makers. What stays with you is knowing which tools hold what data, having a contract with each vendor that covers the processor duties the GDPR requires, and clicking the right button in time when the request for data comes in.
This also means that you have to communicate directly with all your software suppliers to make sure that they are going to support all the needed new “features,” and sign the data processing terms, or simply switch to a new provider that does.
The European Union General Data Protection Regulation brings about a lot of change, but by understanding and preparing yourself for what’s to come, it’s not nearly as scary as it first seemed.
For more information, check out these helpful links: