
What is GDPR, and how do I know if I need to care?

Posted on May 25, 2018

You’re probably getting ready to enjoy a long weekend, but your (hopefully) short Friday has been interrupted by a flood of “We’ve updated our privacy policy” emails and notifications, most of them mentioning that 4-letter word: GDPR.

That’s because today is the day! Is your business up to date and compliant in time for the deadline?

Wait, what are we talking about?

The General Data Protection Regulation is a major new policy impacting the European Economic Area (and Switzerland!) as of today and, “In a nutshell, that means any company, whether a retailer, publisher or ad tech company, must gain (or regain) approval to use audience and customer data.”

In other words, it’s a pretty big deal for a ton of marketers, businesses, publishers and more. But how will this impact everyone?

The short answer: In a ton of ways. The GDPR is a pretty big law with a couple major components:

  • New rules govern how businesses are able to collect data on people: Everyone must be transparent about what, why and how they’re collecting your data, and whether they’re sharing it with anyone. Also, businesses can only collect information that is directly relevant to how they intend to use it, so if they decide to put that information to a different purpose down the road, they have to get explicit permission for that use, too.
  • When businesses communicate the above, they can’t hide behind those ambiguous, miles-long privacy policies anymore: The details must be stated clearly and simply, in plain language. And users have to actively take a step to give consent, such as checking a box, and they can’t be denied access to content simply for refusing consent.
  • People have the right to see all of the information a company has about them: They also have the right to have it corrected, exported or deleted according to their wishes. And they can revoke their consent at any time.
  • Businesses must be prepared to respond to the requests described above, and to provide proof that they’re being compliant with the new rules. Also, they must notify consumers of a data breach within 72 hours. If that breach occurred because the company was noncompliant, they could be hit with a pretty big fine. This applies even if the noncompliance is accidental, so don’t say you didn’t know.

(If visuals are more your thing, here’s the TL;DR version from the Skimm.)

Do I have to be ready for all that, today???

For what it’s worth, no one’s really ready for the deadline, even though companies had two years of notice to get ready for today.

I think the Verge said it best: “For companies that have operated under the principle of ‘extract as much data as possible and figure it out later,’ reorganizing under GDPR is a lot like an episode of Hoarders, especially one of those episodes where the hoarder doesn’t finish cleaning and everyone sort of falls apart crying at the end.”

The hardest part of figuring out what steps to take? It’s super boring to read about this stuff – my eyes glazed over within 10 seconds of starting each article. And I read at least 40+ articles just to write this blog post for you, because I care.

But you said EU, and I’m a small business in the U.S. Do I have to care about GDPR?

This has been a sticking point for a lot of American businesses: If you’re not gathering data about users on the level that Facebook does, or if you’re not catering to international clients, does any of this apply to you?

Technically yes, if you’re collecting data from EU citizens, either directly or indirectly. So if your business has a German-language version of your website, you accept payment in Euros and your marketing specifically targets customers in Germany, then you can bet your behind that GDPR applies to you.

More specifically, GDPR applies if your business collects personal data or behavioral information from someone while they are physically in an EU country. So if an EU citizen visits your website while they are in North Carolina, GDPR does not apply.

But I don’t do any of that. Then what?

Then this point from Moz should give you some comfort:

“As long as it’s clear that a company’s goods or services are only available to consumers in the United States (or another country outside the EEA), GDPR does not apply.”

That means if you’re a hyper-local business, such as a landscape contractor who only serves Richmond, you’re probably in the clear. And if your website communicates pretty clearly that you only serve American customers in the U.S., then you shouldn’t have anything to worry about. But if your company actively seeks to do business with EU citizens, then you probably already knew you had to make these changes and best of luck to you!

So what’s going to happen right now?

If your business is impacted by these new rules, you should have already started making some changes to your marketing and data collection practices. Although there’s technically a “grace period” before regulators will start targeting noncompliant businesses, individual people could put pressure on businesses to abide by the rules right away.

Here’s the worst-case scenario for businesses that must comply with GDPR: An EU citizen contacts your company asking for access to all the data you have on them, but you don’t know exactly what data you have, where it’s stored or what format it’s in. If you can’t figure out how to adequately respond to them within 30 days, they report your business to a regulator and you get fined.

But again, if you’re not collecting data on EU citizens, you’re fine. There’s no law empowering Americans to request their data in the same way, and right now Americans outside of Europe can’t make requests to access their own data, or request that their data be deleted. Also, it’s still not completely clear who will have the authority to enforce GDPR compliance in the U.S. anyway.

What should I take away from all of this?

Start thinking about this very important question:

“Do I know how data is collected, stored, used and shared in my business?”

Even if you don’t have to take any actions right now, it’s safe to say that this conversation about privacy and data regulation is far from over.

Currently there is no US-equivalent law in place to give Americans the same rights and protections to their data. But based on the slew of privacy update emails we’ve all received from companies like Facebook, Twitter, Etsy and others with international reach, you can bet that the consequences and ramifications of GDPR will eventually trickle down and impact Americans anyway.

No one really knows at this point what the future will look like after the dust has settled. Eventually, companies and regulatory bodies will find their groove under the new rules, but until then everyone affected will be scrambling to get compliant. And perhaps if/when the US decides to pursue a similar policy, watching how everyone responds to GDPR should give the rest of us a bit of a learning curve.

So, here’s the moral of the story: These regulations are for the greater good, especially for consumers – can’t argue with that! But for marketers and businesses, it’s a wake-up call to pay attention to what you’re doing, understand your current situation and anticipate some kind of GDPR-style measures to come into law in the U.S. – it might just be a matter of time.

That’s it! Now go laugh at these tweets and enjoy your long weekend!
