If you send email, especially email marketing or other bulk email, then there are two things that your business contracts must contain, even in the U.S., to be not just GDPR compliant, but GDPR-proofed.
Last week we discussed how GDPR affects data you have collected before GDPR went into effect (GDPR goes into effect on May 25, 2018). But what about the case where you have data acquired from a particular individual before GDPR went into effect, and then that individual provides you with additional data after GDPR is in effect? That is the subject of this article.
Even though GDPR is coming up on its fifth anniversary, people are still asking questions like "What is a 'data controller' or a 'data processor' under GDPR?" And "How is a GDPR data processor different from a GDPR data controller?" And even "Can a company be both a data processor and a data controller at the same time under the EU General Data Protection Regulation?" And the ever-important question: "Do we have to comply with GDPR if we are in the U.S.?" Here are the answers.
There is a lot of confusion over what exactly qualifies as "legitimate interest" under GDPR. Additionally, you may be wondering whether GDPR governs the handling of personal data which you collected before GDPR went into effect and, if so, whether you can keep it under the legitimate interest test. The answer is both 'yes' and 'no'. Below we talk about the legitimate interest test generally, and how it applies to data acquired before GDPR went into effect. We also include information about how to obtain the model legitimate interest assessment (LIA) template which has been developed by a GDPR expert and which we have been given permission to share.
GDPR applies to any business that collects any personal data about individuals. This personal data, or 'personally identifiable information' (PII), includes things from which identity can be derived, such as a street address, a telephone number, an email address, and even an IP address.
ISPs are allowed to bounce your email for any reason, or even no reason at all. We've touched on this briefly before, but we think that it's time to make it crystal clear: ISPs do not have to accept and deliver your email. Or any email. Including, yes, again, YOUR email. Even if your email is double confirmed opt-in with a cherry on top, an ISP is under no obligation to accept or deliver your email.
We talk about CAN-SPAM often, and you may even hear about it from time to time when email spam makes the news, or when looking at your own email marketing policies, or, even, when dealing with spam complaints. But what exactly is CAN-SPAM and which parts of it are most applicable to you? Here are the 10 things that you NEED to know about CAN-SPAM.