On May 25th, 2018, the new General Data Protection Regulation (GDPR) went into effect. Maybe you've already heard about GDPR during the past several months since it's been a very hot topic.
That's because the new regulation brings big changes to data privacy and individual rights for people from the European Union (EU), and these changes affect businesses around the world, especially online businesses.
Even if you don't have clients who live in the EU, there's still a high likelihood that you will attract such people to your website or online resources. Once that happens, your business can quickly fall under the GDPR rules, which is why we are going to talk about everything you need to know about this new regulation.
Let's get right in...
What is GDPR?
GDPR is the General Data Protection Regulation coming from the EU and its associated nations. Its main purpose is to answer legal questions that have existed for several years about how personal data is collected over the internet and how this data can be used.
The big question that's been asked over the past years is whether the data collected by companies is owned by the individuals whose data is being collected, or by the company that collects the data.
The courts determined that individuals are the sole owners of their data, not the companies (or websites) who collect the data. Therefore, customer data has to be cleared from these company websites on a regular basis. Otherwise, customers would have to constantly reach out to those businesses they may have visited in the past in order to ask for their data to be deleted.
This new regulation is specific to EU citizens, so while it has a huge impact on businesses that are based in Europe or in regions whose main customers are from the EU, the vast majority of American businesses didn't even know this was coming.
How Does GDPR Affect My Personal Training Business?
The EU has substantially expanded the definition of personal data within the framework of the GDPR, to reflect the types of data that organizations are now collecting from people.
Online identifiers, such as IP addresses, are now considered personal data. Other data, such as names, email addresses, economic data, and cultural or mental health information, also count as personally identifiable information.
Because GDPR requires businesses to get explicit consent before collecting email addresses or sending any promotional emails to EU citizens, some people have even come to the conclusion that this is the end of internet marketing in the EU.
Other marketers have considered starting to block visitors from the EU in order to avoid facing huge fines and penalties.
If your business isn't based in the EU, or you don't get any visitors from the EU, you might think this isn't a big deal for you. However, GDPR also applies to EU citizens who are living in other countries, such as the US.
This makes it very difficult to determine whether you need to take action to protect your business from being affected by this GDPR regulation, or whether you just don't have to bother.
What Actions Do I Need To Take?
Like I mentioned before, GDPR requires you to get explicit consent before collecting any personal data or sending any marketing emails.
This is their definition of "explicit consent":
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data related to him or her.
Since GDPR doesn't give you any specific way in which you need to obtain consent, here are a couple of suggestions that can help ensure your business stays compliant:
1. Always ask for explicit consent.
This is basically the approach most businesses are taking. This includes getting consent via email, either with a “re-consent” or confirmation from existing subscribers or using a double opt-in subscription for new email subscribers.
Getting explicit consent with a double opt-in confirmation email can be very useful to get your back covered before sending marketing emails, but you also need to be mindful that you're not forcing visitors to provide consent.
This is what I mean...
If you offer any kind of freebie or lead magnet, let's say a free diet or an exercise routine for people who sign up to your email list, then you need to make sure they're getting the freebie even if they don't provide the consent.
Your confirmation email could be something like this email I received from Elegant Themes:
Notice how they're being specific about how they will use my email address, and they're also obtaining my explicit consent. If I do not click "subscribe," they should not add me to their email list.
2. Use a Required Checkbox on Your Opt-in Forms.
Another option some businesses are choosing as a way to obtain explicit consent from all new subscribers is adding a checkbox on the opt-in form itself. If the visitors don't check the box to agree, they won’t be able to submit the signup form.
Here's an example:
If the visitors really want to get that diet, or they really want to be subscribed to your email list, they will more than likely check the box and submit. In my view, this should work better than the double opt-in.
Two FAQs About GDPR
Here are some of the most common questions I've seen about GDPR and how it affects online businesses.
1. Do I have to comply with GDPR even if my business is not based in the EU?
Yes, GDPR regulations apply to any company that processes data from EU citizens or people living in the EU, no matter where your business is based. So, that includes you if you receive visitors who live in or are from the EU.
2. Can I still use lead magnets to get people to give me their email address?
Yes, absolutely. Some people say you just have to get their consent before you send the lead magnet, but the fact that they want that freebie doesn't mean they give you permission to send marketing emails to them.
My advice is to give them access to the freebie, even if they don't give you their consent, but still try to obtain their explicit consent and be clear about how you're going to use their info.
If you're still not very clear about this new GDPR regulation, then please consult with a lawyer and implement the tips I've suggested above before May 25, 2018.