There has been a lot of attention on the lack of transparency around consumers’ personal data and how businesses need to be held accountable for what they collect, store, and share. In response, the European Union is cracking down, enacting new enhancements this week to its original (now outdated) law. The new legislation, called the General Data Protection Regulation (GDPR), will affect most businesses, including those here in the US.
If this is tl;dr, just ask yourself this simple question –
Do you know what data you’re collecting about your visitors?
- Did you forget about that media pixel you placed on your site for that Facebook campaign?
- And that you have Google Analytics on every page on your site?
- And the fact that you may not know exactly what country every person in your database lives in?
Now, if I called you up today and asked for access to all this data about me, your customer, do you feel any hint of panic?
Don’t worry, we’re here to help.
While we’re not lawyers, we certainly want to prepare our clients as best we can and share some considerations and helpful links that offer more details around the regulations, and what they mean for you. If that panic referenced above brought on a full-blown sweat, then call your attorney and make a plan together. (And… maybe reconsider some of your tactics.)
Embrace the changes.
While the regulations are coming from the European Union, these changes probably do affect you. If you have collected data directly or indirectly from any EU citizens, then you are liable. And don’t forget, privacy should be taken seriously. The EU has done a great job in spearheading this movement. We’re all consumers, not just advertisers, and we should expect more from the companies that collect and share our data.
What to do, what to do.
Well, if we’re running media for you, then great news – the onus is on us, as your partner, to make sure all media publishers are compliant. We’ve already taken all the necessary steps and you’ll start seeing this reflected in upcoming media plans and IOs. If you’re running media through another partner, then make sure you’re asking the same of them. Beyond media, we’re working to address these new rules with and for our clients, and want to make sure all of our clients feel confident in their strategies and approach, so we’ve compiled the list below as a reference point.
The shortlist
- Consider seeking legal counsel. Evaluate your own legal needs, and consider professional advice. True to form, new consultants have popped up on the scene offering compliance audits, technical solutions, and counsel, so do your due diligence and make sure your partner is legitimate and not looking to make an easy buck.
- As your media agency, we’ve proactively taken the following steps – but if you’re using another media partner, make sure you ask them how they are ensuring compliance.
  - We’ve added language around GDPR compliance to vendor RFPs, Insertion Orders’ Terms and Conditions and any other Scope of Work/Contracts between agency/advertiser and vendor.
  - We’re asking vendors to provide their data collection methodology and highlight how they’re being GDPR compliant.
- Take an inventory of all the data you collect from users, the data you collect from other sources, and understand exactly what is done with that data. Remember that at any time, a user should be able to contact you and ask what data you collect about them. Make sure you’re prepared with an answer.
- Make your updates.
  - Make changes to your existing contracts with your advertising partners. Again, CTP is responsible for this step if we’re running your media.
  - Check your Google Analytics configuration.
  - Check your forms.
    - Make sure that check box on your opt-in form is not pre-checked.
    - Make sure you have an opt-in checkbox.
  - Review your privacy policy, and make sure any relevant information about data is reflected here, and as needed, throughout the website.
  - Consider your own privacy notice pop-up.
- Communicate the changes. Your lawyer can advise on double opt-in, and if and when that makes sense.
- Additional data protection language can be found from a variety of industry experts:
  - Digiday’s very comprehensive and supremely helpful guide
    - (Yes, I realize the irony that this is gated, but check out their note: “By downloading this guide, you are allowing Digiday to store and use your data to keep you up to date on top stories, events and other programs. As stated in our privacy policy, we won’t share your data unless you explicitly provide permission.”)
  - A guide to the GDPR
  - The full text of the GDPR
  - Glossary of terms
  - 12 steps for preparing for GDPR
  - Self assessment
Notice that I didn’t have you check Google Analytics to see how much of your traffic is coming from the EU. It’s unfortunately just not that simple.