5 Things American Businesses Need to Know About GDPR
July 24th, 2018 by
In the wake of the Cambridge Analytica scandal here in the U.S., the General Data Protection Regulation (GDPR) was established by the European Union in May to give users complete transparency on how their data is or will be used. Here’s everything you need to know about GDPR and how it will affect marketers not just in Europe but here at home as well.
1. Why Did the EU Create GDPR?
GDPR went into effect on May 25, 2018. It was initially approved by the EU in 2016, well before the news of the Cambridge Analytica data misuse broke. However, it’s hard not to associate one with the other because of the timing. To provide a bit of context, I will quickly outline the details of the Cambridge Analytica case. The data of an estimated 80 million Facebook users was sold and then used to create “psychographic” profiles of American voters. This data was collected through a seemingly harmless personality test called “thisisyourdigitallife.” The test filed away the data of participants and their Facebook friends. The participants unwittingly gave the app’s developers access to this data because by opting to take the test, they agreed to the test’s terms of service, which granted the test access to their information as well as their friends’.
Though this example of misuse has brought personal data protection to the forefront of the world’s attention, this is not a new practice. The personality test in question was launched in 2014, and people have been using similar techniques to acquire user data for years. The difference is that we rarely questioned the terms of service we agreed to for things like apps, free wifi, and other services in the past.
2. What Does GDPR do?
GDPR aims to give users more information on how their data will be used. Its central goals are to keep users informed and to require their consent. The exchange of data for free services such as Facebook and Google can be a fair one. The text of the GDPR legislation is a decent read and is broken into chapters here. Any sites or services attempting to collect data must do so transparently, with “unambiguous” and “specific” purposes. “Data subjects” must be able to request logs of all of the data collected about them and then allowed to ask for the data to be corrected or deleted (appropriately named the “right to rectification” and the “right to be forgotten,” respectively). Also, businesses cannot deny or restrict services to users who opt out of data collection.
3. Does GDPR Apply to US Businesses?
Strictly speaking, GDPR applies only to EEA (European Economic Area, see image) citizens while they are in EEA countries, so one might expect that it won’t have a huge effect on American companies that only operate within the United States. However, because the internet is global in nature, it’s rarely that simple. Websites run by American businesses are frequently visited by people around the world.
Tourism is one of the industries that will be most affected. 39.4 percent of the American tourism market is comprised of European travelers. Zoos, museums, aquariums, and other attractions should review their data and cookie collection methods.
Also, American businesses must ensure that data they receive or purchase about EEA citizens were collected using techniques aligned with GDPR’s regulations.
4. What Can You Do to Make Sure Your Business Is Compliant?
GDPR isn’t intended to stop all data collection or to make targeted marketing less effective. On the front end, the main changes businesses would need to make to adhere to GDPR are stating that they are tracking user data and then how they plan to use the data, whether it’s cookies for remarketing, user session data for site analytics, or other reasons. Further down the line, companies would need to ensure that their records are well-maintained so that they can provide users with their data should there be a need to review or delete them. The key is transparency. As long as you let users know what you’re doing and why, there shouldn’t be any issues.
5. Will the U.S. Adopt Similar Policies?
Anyone who watched Mark Zuckerberg’s testimony to Congress in April might not think there will be changes in US data privacy laws anytime soon. The questions some congressmen and women asked revealed a lack of technical knowledge, as noted by Vox. However, on May 22 Vermont passed the nation’s first data privacy law. Vermont’s legislation focuses on “data brokers,” companies that sell or license data about their consumers to third-party companies that do not have a direct relationship with the consumer whose data they are purchasing.
A few weeks ago California passed a law that is more all-encompassing than Vermont’s. Similar to GDPR, the law requires businesses to state the type of data they are collecting and how they plan to use it. These changes will not go into effect until 2020, but the process was pushed along because Californian lawmakers were pressured by a grassroots ballot initiative with measures even more stringent than the bill the state passed.
Due to public outcry and interest, other states are bound to follow suit, so there’s never been a better time to review your data collection practices and consider how easily they can be adjusted to fit the level of transparency that is becoming the new standard.
Consult With Experts Who Are Up to Industry Standards
At Search Influence, we consistently stay apprised of new industry standards and regulations regarding how our client’s information is disseminated, including GDPR. Our goal is to help your business grow and optimize your potential online, all while making sure your business is in compliance with data protection laws. If you’d like professional insight into how we can help your business thrive, call 504-336-3422 or request a proposal online today.