That’s because today is the day! Is your business up to date and compliant in time for the deadline?
The General Data Protection Regulation is a major new policy impacting the European Economic Area (and Switzerland!) as of today and, “In a nutshell, that means any company, whether a retailer, publisher or ad tech company, must gain (or regain) approval to use audience and customer data.”
In other words, it’s a pretty big deal for a ton of marketers, businesses, publishers and more. But how will this impact everyone?
The short answer: In a ton of ways. The GDPR is a pretty big law with a couple major components:
(If visuals are more you’re thing, here’s the TL;DR version from the Skimm.)
For what it’s worth, no one’s really ready for the deadline, even though companies had two years of notice to get ready for today.
I think the Verge said it best: “For companies that have operated under the principle of ‘extract as much data as possible and figure it out later,’ reorganizing under GDPR is a lot like an episode of Hoarders, especially one of those episodes where the hoarder doesn’t finish cleaning and everyone sort of falls apart crying at the end.”
The hardest part of figuring out what steps to take? It’s super boring to read about this stuff – my eyes glazed over within 10 seconds of starting each article. And I read at least 40+ articles just to write this blog post for you, because I care.
This has been a sticking point for a lot of American businesses: If you’re not gathering data about users on the level that Facebook does, or if you’re not catering to international clients, does any of this apply to you?
Technically yes, if you’re collecting data from EU citizens, either directly or indirectly. So if your business has a German-language version of your website, you accept payment in Euros and your marketing specifically targets customers in Germany, then you can bet your behind that GDPR applies to you.
More specifically, GDPR applies if your business collects personal data or behavioral information from someone while they are physically in an EU country. So if an EU citizen visits your website while they are in North Carolina, GDPR does not apply.
Then this point from Moz should give you some comfort:
“As long as it’s clear that a company’s goods or services are only available to consumers in the United States (or another country outside the EEA), GDPR does not apply.”
That means if you’re a hyper-local business, such as a landscape contractor who only serves Richmond, you’re probably in the clear. And if your website communicates pretty clearly that you only serve American customers in the U.S., then you shouldn’t have anything to worry about. But if your company actively seeks to do business with EU citizens, then you probably already knew you had to make these changes and best of luck to you!
If your business is impacted by these new rules, you should have already started making some changes to your marketing and data collection practices. Although there’s technically a “grace period” before regulators will start targeting noncompliant businesses, individual people could put pressure on businesses to abide by the rules right away.
Here’s the worst-case scenario for businesses who must comply with GDPR: An EU citizen contacts your company asking for access to all the data you have on them, but you don’t know exactly what data you have, where it’s stored or what format it’s in, and if you can’t figure out how to adequately respond to them within 30 days, they report your business to a regulator and have you fined.
But again, if you’re not collecting data on EU citizens, you’re fine. There’s no law empowering Americans to request their data in the same way, and right now Americans outside of Europe can’t make requests to access their own data, or request that their data be deleted. Also, it’s still not completely clear who will have the authority to enforce GDPR compliance in the U.S. anyway.
Start thinking about this very important question:
“Do I know how data is collected, stored, used and shared in my business?”
Even if you don’t have to take any actions right now, it’s safe to say that this conversation about privacy and data regulation is far from over.
Currently there is no US-equivalent law in place to give Americans the same rights and protections to their data. But based on the slew of privacy update emails we’ve all received from companies like Facebook, Twitter, Etsy and others with international reach, you can bet that the consequences and ramifications of GDPR will eventually trickle down and impact Americans anyway.
No one really knows at this point what the future will look like after the dust has settled. Eventually, companies and regulatory bodies will find their groove under the new rules, but until then everyone affected will be scrambling to get compliant. And perhaps if/when the US decides to pursue a similar policy, watching how everyone responds to GDPR should give the rest of us a bit of a learning curve.
So, here’s the moral of the story: These regulations are for the greater good, especially for consumers – can’t argue with that! But for marketers and businesses, it’s a wake-up call to pay attention to what you’re doing, understand your current situation and anticipate some kind of GDPR-style measures to come into law in the U.S. – it might just be a matter of time.
That’s it! Now go laugh at these tweets and enjoy your long weekend!