GDPR, the EU’s General Data Protection Regulation, went into effect on May 25, 2018. The UK adopted its own UK GDPR after Brexit, which closely tracks the original EU GDPR. GDPR applies to any business that collects any personal data about individuals. This personal data, or ‘personally identifiable information’ (PII), includes anything from which an identity can be derived: for example, a street address, a telephone number, an email address, and even an IP address.
In other words, it applies to pretty much any business, collecting pretty much any data, pretty much anywhere. And because GDPR specifically states that it will be enforced against any organization anywhere, organizations in the U.S. and other non-EU or non-UK countries still need to comply with it, or risk being hit with, among other things, massive fines.
Because here’s the thing: you really have no way of knowing whether someone with whom you are interacting online is actually in the EU or the UK. Sure, you can do IP address geolocation, but not only is that not always accurate, the address itself can be spoofed (for example, through a VPN or proxy). Or, you could collect personal data only from people who come into your store, in person. But even then, there is no real way of knowing whether, for example, the email address they are giving you is theirs and only theirs, or is actually the email address of someone sitting in – you guessed it – the EU or UK.
How to Comply with the EU GDPR and the UK GDPR with Respect to Email
Collection and Use
Never, ever, collect or use an email address that the holder of the email address did not directly give you themselves, and for which they did not give you their direct, verifiable consent to use. You must also disclose exactly how you intend to use their email address at the time they are giving you their consent. For example, if you tell them that you will use their email address to correspond with them about their purchase, and you don’t tell them you are going to put it on an email marketing list, then you can’t put it on your email marketing list, because that use is not included in the consent they gave you. In order to add a new use for an email address (or any other piece of personal data), you must first go back to the holder of the email address and request consent for that new use.
Opt-Out and Revocation of Consent
You must make it “as easy to withdraw consent as to give it.” In other words, you must make it extremely easy for them to opt out and to revoke consent. Of course, in the email marketing context, U.S. Federal law already requires that you provide a “one step” method to unsubscribe.
Deletion
Sometimes a person will not only opt out, but also ask you to delete their personal information from your system. Do it.
This has been a brief overview of how to comply with GDPR with respect to the collection and use of email addresses. For more in-depth information see https://www.isipp.com/how-email-marketing-must-comply-with-the-eu-general-data-protection-regulation-gdpr/.