While all European Union (EU) businesses should now be fully compliant with the General Data Protection Regulation (GDPR), B2B firms based in the United States are still wondering what GDPR means for them. Do they need to comply? If so, to what degree?
Over the past few months, we have assisted many of our B2B clients in meeting GDPR requirements at different levels, depending on their connection to the EU. In this article, we will summarize GDPR and present several options for your US-based company to work toward compliance, based on its relationship with the EU. Although only EU citizens are currently protected by GDPR, we expect that similar rules may come to the U.S. in the future.
So what exactly is GDPR?
By now you probably know that the GDPR is legislation approved by the EU to create greater and more uniform data privacy protection for all EU citizens. The goals of the GDPR are to give EU citizens insight into the data collected about them and put the control into the hands of users, rather than companies.
Here are three main areas of focus for the GDPR:
- Consent: Companies must alert users when they are tracking them with cookies, munchkins, etc. and also get their explicit CONSENT. This includes implementing double opt-in for forms, documenting consent by users, and giving users the ability to control their subscription preferences.
- Data Management: Companies must give users the right to: a) know what data has been collected about them; b) update that data; and c) have that data erased/deleted.
- Privacy Policies: Your privacy policies may need to be aligned with the new GDPR requirements and you will need to document your legal basis for processing personal data.
There is a lot of gray area with this regulation, but we’ve seen clients fall into three general areas, based on EU involvement. The levels are based on several different parameters:
- Do you actively pursue business in the EU? If yes, you’ll fall into level 3.
- Do you have a cookie-tracking system on your website? A cookie-tracking system is any platform that captures user information and tracks visitors using cookies. This includes marketing automation systems (e.g. HubSpot, Act-On, Marketo), advanced web analytics (e.g. Hotjar, Crazy Egg), and advertising-related cookies (e.g. Google/DoubleClick, Bing). If the answer is yes, your company falls into level 2.
- Is your firm in a compliance-heavy industry (e.g. financial services)? If yes, start at level 2.
Level 1 – Your firm is not actively doing work in the EU and does not have a cookie-tracking system.
- Add an SSL certificate to your website – An SSL certificate adds a layer of security to your site by encrypting data in transit between the visitor's browser and your server, and it displays your site as “secure” beside the URL, building user trust. SSL certificates are required by the GDPR, and Google Chrome will start to mark all non-HTTPS sites as “not secure” beginning in July 2018. As an added bonus, an SSL certificate can also give your site a boost in Google’s ranking, so adding one helps not only with compliance, but also with SEO!
- Change your Google Analytics snippet to anonymize visitor IP addresses.
- In your privacy policy, put a simple line about how your firm is only actively targeting U.S.-based businesses. While this may not fully cover you legally, it’s a good start for a firm with a low level of risk.
Level 2 – Your firm is not actively doing work in the EU, but may be tracking cookies or you are in a compliance-heavy industry:
- All Level 1 items
- Update the privacy policy on your website with your legal team to follow GDPR regulations. This will likely involve adding a paragraph on consent, written in simple language free of jargon, specifying that by using your website, users are consenting to having their data collected. The consent language should specify what data is collected and how it will be used. Your legal consultant will also likely recommend adding language clearly stating that users have the right to be forgotten (to revoke consent and have their data erased), or to have their data edited upon request.
- Require double opt-in on subscription forms (e.g. blog or newsletter subscriptions). Double opt-in means that users must confirm a subscription request twice. This could mean sending an email verification to confirm consent after users have clicked submit on a form on your site, or having users click two separate submit buttons when submitting a subscription form.
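To make the double opt-in flow concrete, here is an added example (not code from the original article or from any vendor named in it) that implements the email-verification variant in plain Python. It assumes in-memory storage, a 48-hour confirmation window, and a single-use random token that would be sent to the user in a verification link; it also records each consent given and withdrawn so the firm can document consent as described above.

```python
import secrets
import time
from typing import Callable, Dict, List

TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after two days (assumed policy)


class DoubleOptIn:
    """Two-step subscription: a form submission only creates a pending request;
    the address joins the list when the emailed confirmation token is used."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.pending: Dict[str, dict] = {}      # token -> pending request
        self.subscribers: Dict[str, dict] = {}  # email -> active consent record
        self.audit: List[dict] = []             # append-only consent history

    def request(self, email: str, purpose: str, consent_text_version: str) -> str:
        """Step 1: the form was submitted. Returns the token that would be emailed
        to the address; nothing is added to the mailing list yet."""
        token = secrets.token_urlsafe(32)  # unguessable and single use
        self.pending[token] = {
            "email": email.strip().lower(),
            "purpose": purpose,
            "consent_text_version": consent_text_version,  # which wording was agreed to
            "requested_at": self.clock(),
        }
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the emailed link was clicked. Unknown, reused or expired tokens fail."""
        req = self.pending.pop(token, None)
        if req is None:
            return False
        now = self.clock()
        if now - req["requested_at"] > TOKEN_TTL_SECONDS:
            return False
        record = dict(req, confirmed_at=now)
        self.subscribers[req["email"]] = record
        self.audit.append(dict(record, event="consent_given"))
        return True

    def withdraw(self, email: str) -> bool:
        """Revocation: remove the address from the list and log that consent was withdrawn."""
        record = self.subscribers.pop(email.strip().lower(), None)
        if record is None:
            return False
        self.audit.append({"email": record["email"], "purpose": record["purpose"],
                           "event": "consent_withdrawn", "at": self.clock()})
        return True
```

In production the `pending`, `subscribers` and `audit` stores would live in a database, and the token would be delivered only by email so that the person who filled in the form cannot confirm on someone else's behalf.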
Level 3 – Your firm is actively targeting or working with clients in the EU:
- All Level 2 items
- Add a cookie consent tool to your website to allow users to manage their cookie settings. We have found OneTrust to be the most robust tool for our clients.
- Add a link to your Terms and Conditions on all forms across your site.
- If you have a newsletter or blog subscription, add a subscription center so that your users can adjust their settings to what they want to receive.
- In short, you need to comply with all of the GDPR's requirements and should hire a legal team to assist with consultation and implementation.
Ultimately, our team is not equipped to provide guidance from a legal or compliance standpoint, so it is imperative that you speak with your legal team and assess your firm’s needs when it comes to GDPR and how to adapt to the new regulations. With that disclaimer, we hope this article provides some basic guidance for determining which level your firm falls into and to what degree you need to comply with GDPR.