GDPR simplified for US-based and non-EU companies

This article is intended for non-EU companies that have questions regarding their compliance requirements surrounding the European Union’s General Data Protection Regulation (GDPR). Specifically, this information is geared for businesses that do not directly market to individuals in the EU but may indirectly have EU contacts or even customers. If your company actively targets and markets to citizens in the EU the information below will be helpful, but you should take a deeper dive into your process, both online and offline, to ensure compliance. Most importantly, this article is not legal advice.

We’re assuming if you’re reading this article you already have a basic understanding of what GDPR is and are simply looking for some clarity and answers as to how it affects you and specifically what you need to do about it. General Data Protection Regulation (GDPR) goes into effect May 25, 2018 and comes with some big changes for how companies handle data, specifically when it comes to data of individuals physically within the EU. Many US-based and non-EU companies were previously able to avoid the Data Protection Directive (which GDPR is replacing) by simply being outside of the EU, but these new rules change that.

I don’t sell to the EU, does my company need to be GDPR compliant?

At MODassic we have clients in the US, Australia and Canada and do not specifically market to the EU. However, we get web traffic and contacts who opt-in to our content from around the world, including the EU. Many of our clients are in a similar situation and that’s where there are a lot of gray areas surrounding GDPR compliance.

Should I just block all traffic from the EU?

Anytime lawyers are involved there’s an overwhelming amount of information generated on the subject, but we somehow rarely get any closer to black and white answers.

Because of this we’ve seen a ton of frustration, panic and misunderstanding online with people unsure what to do. Several are simply resorting to blocking all traffic from the EU so they don’t have to deal with it. We understand that, since there isn’t a lot of clear information out there, but it’s a bit drastic. Blocking all of that EU traffic could really hurt your organic search rankings outside of the EU as well. At MODassic we don’t target customers in the EU, but we do have a lot of traffic from around the world, including the EU, from individuals that find our blog posts via search engines. Those individuals may download our ebooks and therefore become contacts of ours. Even if we never worked with anyone in the EU, this search traffic benefits us. Blocking that traffic could affect our domestic search rankings.

It’s all about intent and targeting

The internet doesn’t have borders (for the most part). So if you have a website there are some things you may need to do, but you don’t need to panic and don’t need to block all EU traffic.

First, a clarifying point, collecting data is not just related to a sale or financial transaction. Any data collected automatically through a tracking script or through a contact form counts. So even if you never sell to someone in the EU, you need to be aware of the following.

To fall under GDPR your company would have to specifically target individuals in the EU. Therefore the most important thing you need to do is get a clear understanding of what targeting is and see if you have any information or language on your website that could be identified as targeting the EU.

What is and isn’t considered targeting?

EXAMPLE – NOT TARGETING

If you are a US-based company and someone in the EU (say Italy, for example) was searching on Google for general information and then discovered your website and filled out a contact form, that is not considered targeting assuming your website doesn’t meet any of the targeting criteria below.

EXAMPLE – TARGETING

If in that same scenario above your website did any of the following, it would be considering targeting and therefore subjective to GDPR.

• You had an Italian (or any EU language) translation of your website or landing page. That would be considered targeting users in countries that speak that language.
• You have verbiage that implies you serve customers in the EU. This could include case studies, clients logos or testimonials of EU customers.
• Statements such as “worldwide leader”, “global” or “international” as well as showing global service area maps or graphics could imply you do business around the world (or at least in the EU). Many small or medium-sized companies often want to appear larger than they are and can sometimes fall into this trap. Beyond being a little silly, if those things aren’t true, it could be viewed as targeting the EU.
• Running PPC or other paid ads within EU countries. Be sure that at the campaign level you are excluding EU countries, especially if you’re running remarketing ads. With remarketing ads it’s important to exclude EU countries because you could be serving ads within the EU without intending to.
• You have email marketing automation that sends automated message to contacts. See the next section about content & opting in.

What do I need to do to be GDPR compliant?

CONSENT & OPTING IN

If you are targeting EU customers, you will need to update your contact forms to obtain explicit consent. In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.”

However, at MODassic we think this is a best practice to do even if you don’t target EU customers—especially if you do any marketing automation or paid media. This is because EU customers could find their way into your database without targeting them (which is fine) but then they could start getting your marketing emails or remarketing ads without you realizing it. By having everyone consent you cover yourself. In addition, it’s simply a best practice to let people know what they’re singing up for.

This can be achieved by doing three things:

1. Contact forms will need a checkbox that users must check to show they agree. This should not be checked by default, but it can be required to check in order to submit the form.
2. Next to the checkbox you need to have a short and clear statement about what you will be doing with these email addresses. You can’t have the user click a link that goes over a long Terms & Conditions document filled with legalese. If you do target EU users, you should have a banner pop-up right upon visiting your site that explains that you are tracking visitors with cookies and that by closing or clicking they do consent to this.
3. Update your full Privacy Policy or Terms & Conditions to clearly explain what kind of information and data you do collect. Iubenda is a great resource for generating and managing Privacy Policies and Cookie Policies (and you can get 10% off their pro account just by clicking that link).

PROTECT DATA & HAVE ACCESS TO REMOVE DATA

A term you may have heard a lot surrounding the GDPR is the “Right to be forgotten”. In short, EU users have the right to see what info you have on them and request that it be deleted. Therefore companies that are both targeting and collecting data on EU users need to be able to access and delete that information.

Most businesses use 3rd party cloud based platforms such as Hubspot, MailChimp, Marketo, Sugar CRM or Salesforce to collect this data and store it. These legitimate organizations are taking the necessary steps to ensure that data is protected and compliant. They should be taking care of the heavy lifting within their platform to ensure that you have access to easily look up and delete what info you have on an EU user, should they request it.

A few examples includes MailChimp’s Export Proof of Consent tool, Hotjar’s Visitor Lookup tools and if you use Hubspot they have great information on how to enable privacy policy alerts.  Check with the provider of any marketing platforms you use and they’ve likely already taken care of it for you.

SUMMARY / CLOSING

In closing, the main thing to remember is not to panic and don’t simply block all users from the EU. Instead run through this checklist and implement a couple very basic notification and content options on your website and contact forms.

• If you really don’t service or target EU users, make sure you’re website doesn’t contradict that.
• Make sure your PPC, paid ads and remarketing ads aren’t accidentally targeting EU residents.
• Obtain consent by making users aware and actively check a box before submitting their data.
• Update your privacy notices to make sure you communicate what kind of info you do collect.
• If someone from the EU requests info you have on them, you need to be prepared to show them what you have and also be able to delete it.