GDPR: the question of consent in B2B and B2C email marketing
Our director and legal expert in marketing automation has written a comprehensive article about GDPR. Read the article and contact us for more info!
The General Data Protection Regulation (GDPR) is the core of the European Union’s privacy rights movement and the most thorough framework passed to date. Enacted on May 15, 2018, the legislation affects every organization that handles the personal information of European citizens.
Even though the GDPR defines privacy and which organizations must comply, it can still be unclear who falls under the regulations, especially for businesses that don’t physically operate in the EU.
While the GDPR affects all EU businesses, it also applies to many organizations that interact with consumers in any of the 27 member states.
GDPR compliance is a requirement for companies that:
Operate in the EU and process the personal data of its citizens or residents
Operate outside the EU but offer products and services to its citizens or residents
Operate outside the EU but monitor the behavior of its citizens or residents
While the need to comply with the GDPR is pretty clear for businesses operating in the EU, marketing operators of non-EU enterprises can easily face confusion when it comes to which data privacy laws apply to them. Two questions that we see non-EU companies frequently ask regarding this are:
Does GDPR apply to US citizens?
Does GDPR apply to my website?
It’s important for CMOs and their marketing teams to understand whether or not they must comply with the GDPR. Let’s clarify what the two conditions for non-EU companies listed above actually mean.
Understanding how the GDPR defines “offering goods and services” and “monitoring behavior” is key to assessing whether or not your organization is required to comply with the privacy laws.
For non-EU companies, attempting to do business with any consumer located in the EU is often enough to fall under the GDPR. The European Data Protection Board, designed to enforce the new data privacy laws, looks for businesses that “direct activity” to the EU market. Other than receiving payment from EU residents, activities that require GDPR compliance include:
Marketing campaigns that target an audience in the EU
Having a dedicated address or phone number from the EU
Mentioning clients that reside in an EU member state, including endorsements
Having an EU domain name
Using any EU languages or currencies
Delivering products to an EU state
The other condition that requires non-EU businesses to comply with the GDPR is “monitoring the behavior” of EU residents, but what does that mean for marketers? For our purposes, monitoring can be either over the internet or through any method that involves processing personal data. Activities that fall into this category include:
Monitoring a person’s health status
Geo-localization for advertising purposes
Behavioral studies and market surveys
Online tracking using cookies
Offline tracking methods like fingerprinting
Online health analytics
In addition to these activities, a non-EU company must comply with the GDPR if it:
Employs even a single worker in the EU
References EU customers in any marketing or advertising effort
Has a business plan that references obtaining EU customers
This list of activities that can bring a non-EU business under the GDPR is not exhaustive, and the regulations still contain some gray areas, but any one of them can trigger a need for GDPR compliance.
We’ve covered which businesses must comply with the GDPR, but who in the organization is responsible for maintaining compliance? The GDPR mainly applies to two types of parties: data controllers and data processors. Also, anyone who was subject to the United Kingdom’s Data Protection Act is likely required to maintain GDPR compliance.
A controller is a person or entity that, alone or jointly with others, determines the purposes for which personal data is processed, while a processor is a person or entity that processes that data on behalf of a controller.
According to the United Kingdom’s Information Commissioner’s Office, data controllers and processors have “significantly more legal liability” if they are responsible for a data breach. Maintaining compliance is a new obligation for them under the GDPR.
The GDPR requires processors to maintain records of how personal data gets processed, and it requires controllers to ensure that their processors maintain compliance.
Our agile customer activation platform has helped hundreds of businesses attract and retain customers, increase conversions, and boost revenues, all while staying fully compliant with the GDPR legislation. Here’s how Actito can get your business GDPR compliant:
Create GDPR-compliant data collection forms and securely store proof of consent
Keep audit trails of every change in data
Use first-party data to ensure your data processing methods are within the scope of customer consent
Only collect and process the data for purposes that the customer consented to
Ensure the data you process is of high quality
Automatically delete or archive inactive data
With Actito, you can focus on building meaningful, lasting customer relationships rather than worrying about GDPR compliance.