The EU GDPR and the UK GDPR (General Data Protection Regulation) apply to any business – arguably anywhere – that collects any personally identifiable data. Personally identifiable data also includes things from which identity can be derived, such as an IP address.
In other words, it applies to pretty much any business, collecting pretty much any data.
Because here’s the thing – you really have no way of knowing whether someone with whom you are interacting online is actually in the EU or UK or not. (The UK adopted their own UK GDPR after Brexit.) Sure, you could do IP address geolocation, but not only is that not always 100% accurate, and not only can it be spoofed, but the very act itself arguably violates GDPR! GDPR specifically calls out IP addresses in its prefatory language, saying that “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Or, if you are a brick & mortar shop, you could only collect personal data from people who come into your store, in person. But even then, there is no real way of knowing if, for example, the email address they are giving you is theirs and only theirs, or actually the email address of someone sitting in – you guessed it – the EU or UK.
Or heck, they might even be someone headquartered in the U.S., giving you a U.S. address, but while they are in midflight over an EU country!
Even GDPR itself is cagey, if not downright vague, about when you might get in trouble for using data acquired from someone that you thought wasn’t in the EU or UK during the time of acquisition. It doesn’t spell out “citizen” or “resident” of the EU/UK, but rather talks about “data subjects” (natural individual persons – ‘natural’ as contrasted to ‘legal’ entities). It says it applies to those data subjects “in the Union” (the EU) or UK, but it doesn’t actually spell out what “in the Union” means, and interpretation could include “anchored in the Union”, such as a telephone number that is anchored in the EU or UK, or an email address that is anchored in the EU or UK.
Finally, there is a clear prohibition against ‘profiling’, meaning using automation to determine certain information about a data subject, including location.
This means that in order to confirm that your data subject (the individual whose data you are collecting) is not in the European Union or the UK at the time of data acquisition, you have to manually confirm it with them, and you have to hope that they are being truthful, and that no data they are giving you is tied to the EU or UK.
The bottom line is that it’s just a whole lot safer – and actually easier – to just assume that every one of your data subjects is or can be construed to be “in the Union”.
Now on to the actual “how to”.
(Note: With respect to email marketing and other email sending practices, it’s important to note that under the GDPR, the term “data” includes email addresses. We will be using the term “email address” throughout this article, as we are talking about email marketing.)
How to Comply with GDPR for Email Marketing in the U.S.
First and foremost, for any email address that you collect, the person’s consent to the collection and use of that email address must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In other words, you cannot collect, let alone use, a business’ or person’s email address unless they have provided you with clear, specific, informed consent. (Note: There is some wiggle room if the email address is a business role account, such as “info@”, “customerservice@”, etc., IF that role account is used and accessed by more than one person – but how would you know? We still say play it safe.)
And guess what? Pre-checked boxes are out (of course anyone who has read our Email Deliverability Handbook knows that) – they are not considered informed consent. Same for “lack of action”. In fact, the GDPR specifically says:
Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
And that’s not all.
That consent applies only to that use which you have clearly specified to them at the time of their consenting.
For example, if you collect their email address so that you can “email them your free white paper”, that is the only purpose for which you can use their email address. You cannot add that email address to a mailing list or otherwise use it for email marketing (or anything else).
This means that you have to disclose every single way that you might use their email address – clearly and in plain language – at the time that they are giving their consent. If a particular use of their email address was not clearly disclosed at the time they gave their consent, then it wasn’t informed consent for that purpose, and you cannot use their email address for that particular use.
Moreover, you must document that consent, and store that documentation regarding the consent.
Now, again, we are talking about email addresses here, by way of example, but these requirements apply to any data that you collect from a data subject.
The GDPR also addresses data retention, and with respect to email addresses it means that a) you need to keep all of the data you collect secure, and b) withdrawing consent (such as unsubscribing) must be as easy as giving it – in the regulation’s words, it “shall be as easy to withdraw consent as to give it.”
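The requirements above (a clear affirmative action, consent tied to the specific purposes disclosed at the time, stored documentation of that consent, and withdrawal that is as easy as giving it) translate directly into how an email system should store and check consent. The following is an added illustrative example, not code from this article or from any product it mentions; the class names, the `evidence` dictionary layout and the sample addresses are all constructed for the example.

```python
"""Purpose-scoped consent ledger for email marketing (constructed example).

Assumptions: class and field names, the evidence layout and the sample
addresses below are invented for illustration; they are not a real library.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


class ConsentError(ValueError):
    """Raised when an event does not meet the 'clear affirmative action' bar."""


@dataclass
class ConsentRecord:
    email: str
    purposes: FrozenSet[str]        # exactly the uses disclosed when the box was ticked
    granted_at: datetime
    evidence: dict                  # notice text shown, form id, how the tick was captured
    withdrawn_at: Optional[datetime] = None

    def active_for(self, purpose: str) -> bool:
        """Consent covers only the purposes named when it was given, until withdrawn."""
        return self.withdrawn_at is None and purpose in self.purposes


class ConsentLedger:
    """Append-only record of consent events, so every send can be justified later."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def record_consent(self, email: str, purposes, *, notice_text: str,
                       box_was_prechecked: bool, box_is_ticked: bool,
                       form_id: str, now: Optional[datetime] = None) -> ConsentRecord:
        # Silence, pre-ticked boxes or inactivity do not constitute consent.
        if box_was_prechecked or not box_is_ticked:
            raise ConsentError("pre-ticked box or inactivity is not consent")
        purposes = frozenset(purposes)
        if not purposes:
            raise ConsentError("consent must be specific: no purpose was disclosed")
        if not notice_text.strip():
            raise ConsentError("consent must be informed: no notice was shown")
        rec = ConsentRecord(
            email=self._key(email),
            purposes=purposes,
            granted_at=now or datetime.now(timezone.utc),
            evidence={"notice_text": notice_text, "form_id": form_id,
                      "mechanism": "unticked checkbox ticked by data subject"},
        )
        self._records.setdefault(rec.email, []).append(rec)
        return rec

    def may_use(self, email: str, purpose: str) -> bool:
        """True only if some still-active consent names this exact purpose."""
        return any(r.active_for(purpose) for r in self._records.get(self._key(email), []))

    def withdraw(self, email: str, now: Optional[datetime] = None) -> int:
        """One action withdraws every active consent for the address (as easy as giving it).

        Returns how many consent records were withdrawn by this call."""
        stamp = now or datetime.now(timezone.utc)
        count = 0
        for r in self._records.get(self._key(email), []):
            if r.withdrawn_at is None:
                r.withdrawn_at = stamp
                count += 1
        return count

    def history(self, email: str) -> List[dict]:
        """The stored documentation of consent for one address, oldest first."""
        return [
            {"purposes": sorted(r.purposes), "granted_at": r.granted_at.isoformat(),
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None,
             "evidence": dict(r.evidence)}
            for r in self._records.get(self._key(email), [])
        ]


def authorise_send(ledger: ConsentLedger, email: str, purpose: str) -> dict:
    """Gate a send on consent for this purpose; the reason is kept for the audit trail."""
    allowed = ledger.may_use(email, purpose)
    return {"allowed": allowed,
            "reason": "active consent covers purpose" if allowed
            else f"no active consent for purpose '{purpose}'"}


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_consent("Alice@Example.com", ["whitepaper_delivery"],
                          notice_text="We will email you the white paper you requested.",
                          box_was_prechecked=False, box_is_ticked=True, form_id="wp-form-1")
    print(authorise_send(ledger, "alice@example.com", "whitepaper_delivery"))
    print(authorise_send(ledger, "alice@example.com", "newsletter"))
```

The point of the purpose set is that an address collected to deliver a white paper never silently becomes a newsletter subscriber: a later newsletter send needs its own recorded, disclosed consent, and a single withdrawal call retires every active consent for the address.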
Also, if your stored data is breached, you must notify the Data Protection Authority within 72 hours, and inform all affected parties “without undue delay”.
(Speaking of stored data and data retention, just how does GDPR apply to data that you acquired before GDPR went into effect? It does apply; read our article How GDPR Affects Data Collected Before GDPR Went Into Effect, containing information generously provided by GDPR expert Gary Payne.)
It’s also important to note that legal action under the GDPR is available both for individuals, and against individuals. This ‘private right of action’ is available to any citizen of the EU and, presumably, any individual anywhere against an EU-based email sender.
And fines are hefty: up to 20 million euros or 4% of a business’ gross annual worldwide income, whichever is higher.
So how are they going to enforce it? Given the potential exposure, it almost doesn’t matter how they are going to enforce it – it makes a lot more sense to just comply. That said, while it will be relatively easy for them to enforce against anyone in any EU member state, it’s unclear how they will reach a company in, say, the United States (the act of sending an email from the United States to the EU gives them a hook; what’s unclear is how they will prosecute it).
But make no mistake, they do mean to enforce it. According to the EU GDPR site, “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
This has been a brief overview, and only with respect to the collection and use of email addresses. You can read the full EU General Data Protection Regulation (GDPR) here.