NICA’s Associate Member Mary Gillen is an exceptional web developer and internet “go-to professional.” She always stays up to date with the ever-changing landscape of the internet. If you send out electronic newsletters, this article, written by Mary, is full of important and time-sensitive information.
New European Privacy Rules – The General Data Protection Regulation – take effect May 25, 2018.
These regulations were passed by the European Union in 2016, setting new rules for how companies manage and share personal data. In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies scramble to adapt.
The GDPR sets a higher bar for obtaining personal data than we’ve ever seen on the internet before. These requirements include:
- Any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person.
- Users also need a way to revoke that consent, and they can request all the data a company holds on them as a way to verify that consent.

It’s a lot stronger than existing requirements, and it explicitly extends to companies based outside the EU. For an industry that’s used to collecting and sharing data with little to no restriction, that means rewriting the rules of how user info is collected and stored online.
Most importantly, the GDPR gives companies a hard deadline: the new rules go into effect on May 25th, 2018, so if you’re not following the rules by then, you’re in trouble. The result has been a mad dash to adapt current practices to the new rules and avoid crushing fines.
You are probably thinking, “I just do local home inventories, so this doesn’t apply to me.” But these rules govern what happens to a person’s information when they sign up for your newsletter. Since you have no control over who subscribes (or from where), it is imperative to abide by them.
What You Need to Do Now If You Have an Email Newsletter Subscription Form on Your Website
Email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service. A solution is to add an (unticked) checkbox to the bottom of your subscription form just before the Submit button. The explanation needs to be simple and understandable. The checkbox needs to be a required element on the form, which means the user will not be allowed to submit the information on the form unless the checkbox is selected.
What You Need to Do If You Have Contact Forms on Your Website
Add an (unticked) checkbox to the bottom of your Contact Form just before the Submit button with a consent message to collect and store the data.
GDPR not only sets the rules for how to collect consent but also requires companies to keep a record of these consents. It is important to know that this applies not only to signups that happen after May 25th but also to all existing subscribers on your email list.
If your existing subscribers have given consent in a way that’s already compliant with GDPR—and if you kept a record of those consents—there’s no need for you to re-collect consent from those subscribers. If your existing records don’t meet GDPR requirements, however, you have to take action.
What to do:
- Audit your existing email list. Figure out who on your email list already provided GDPR-compliant consent, and ensure that you have a clear record of those consents.
- Implement a re-permission program. If you don’t have GDPR-compliant proof of consent for any of your contacts, or if you are unsure whether their consent is compliant, you’ll have to run a re-permission campaign to refresh that consent or remove the subscriber from your mailing list.
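One way to enforce the required consent checkbox on the server, keep the consent record, and audit an existing list as described above. This is an added example, not code from the article or from Mary Gillen. The field names (`newsletter_consent`, `consentText`, `source`), the consent wording and the rule for what counts as a complete record are assumptions.

```javascript
// Added example. Field names, consent wording and sample data are constructed,
// not taken from the article or the regulation.
const CONSENT_TEXT = "Yes, email me the newsletter. I can unsubscribe at any time.";

// Server-side check of a submitted subscription form. The browser's "required"
// attribute can be bypassed, so the server re-checks the checkbox itself.
function handleSignup(form, now = new Date()) {
  const email = String(form.email || "").trim().toLowerCase();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    return { ok: false, error: "invalid email" };
  }
  // An unticked HTML checkbox is simply absent from the submitted data,
  // so anything other than the expected value means "no consent".
  if (form.newsletter_consent !== "yes") {
    return { ok: false, error: "consent checkbox not ticked" };
  }
  return {
    ok: true,
    record: {
      email,
      consentGiven: true,
      consentText: CONSENT_TEXT,        // exact wording the person agreed to
      source: form.source || "unknown", // which form collected the consent
      timestamp: now.toISOString(),     // when consent was given
    },
  };
}

// Audit an existing list: subscribers with a complete consent record stay,
// everyone else goes into the re-permission campaign (or is removed).
function auditList(subscribers) {
  const compliant = [];
  const needsRepermission = [];
  for (const s of subscribers) {
    const c = s.consent;
    const complete = Boolean(
      c && c.consentGiven === true && c.consentText && c.timestamp
    );
    (complete ? compliant : needsRepermission).push(s.email);
  }
  return { compliant, needsRepermission };
}
```

Store the returned `record` alongside the subscriber so the audit step has something to check later.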
This is a lot to digest. Please feel free to contact Mary with your questions. Also, please pass this information on to other website owners you may know. It is important that they receive this information as well.
If you need help implementing these changes on your website, Mary can help you, and can also assist you in creating a mailing for a re-permission program. Please don’t ignore this. Make these changes before the May 25th deadline.