There are three problems, however, that I have with GDPR, and I’d love to hear how other small non-EU businesses are dealing with this.
First is the requirement to have EU representation (Art. 27). Since I don’t have any physical presence in the EU, GDPR requires the appointment of a representative. It would appear that a new industry has been created selling non-EU businesses GDPR representation in the EU, which in my brief Google searching can cost $1000 per year or more. Are other small business owners out there paying for this? Or how else do you deal with this requirement? Not a lawyer, but this is the only part of GDPR I am tempted to ignore.
Second is the common practice of using lead magnets to collect emails for marketing. My email signup forms are very clear about marketing use, are double opt-in, and subscribers can opt out with a single click. But my research suggests that this is still not GDPR compliant unless there is explicit consent, which I believe will reduce email signup rates. Also, while Mailchimp has a GDPR form, it is quite large and doesn’t work embedded in web page headers, sidebars or popups. I’ve only seen one of these Mailchimp GDPR signups in the wild, and it opened a new browser tab to present the hosted Mailchimp GDPR form, which to me isn’t ideal. How are others handling email marketing signups? Disclosure and a checkbox for consent seems a reasonable compromise, but I haven’t seen this very often in the wild, at least not yet; that may change come May 25. Not a lawyer, but I’m tempted to keep my current forms until I see more websites make changes.
Third, I have a medium-sized mailing list (less than 10,000), mostly US-based emails, which is important for my business. Are people running consent campaigns (as suggested by Mailchimp)? I’m concerned that I will lose a substantial part of my list due to non-response. Again, the list is double opt-in and I am very reasonable with my marketing emails. (Not a lawyer) but my thought is to segment my list into EU and non-EU customers and run a consent campaign only on EU emails. Has anyone run a consent campaign, and how did it work out for you?
Any thoughts or suggestions from other small and solo business owners would be much appreciated.
The lead magnet thing is such a good example. It’s a clear and voluntary trade-off: you can have this free resource if you join my list, from which you can unsubscribe at any point. It can obviously be done in a scammy way, but you’re clearly not doing that. But some people think you should have to provide that resource without any restriction.
Or that forcing people who already opted in to do so again is fair, because if they don’t reconfirm, then they must not have wanted to be on the list. This is like a SaaS company calling every customer periodically to ask them if they might want to cancel.
It makes no sense, but the pro-GDPR crowd on HN in particular is very hostile to marketing in general and email marketing in particular.
No one here who likes the GDPR gives a shit about your business. They’ll be happy to give you bad advice based on how they wish the world was, and if it costs you dearly, that’s not their problem and you probably deserved it anyway.
I’m doing some of the same activities as you, and I personally will be changing basically nothing for GDPR. I’ve always treated customers fairly and I’ll continue to do so. Governments that have no jurisdiction or enforcement mechanisms against my company can pound sand.
But if it required user activity to register for those lists AND you explicitly identified them as for marketing purposes, that seems like you already HAVE consent? I mean, what do you imagine consent to mean other than "an active affirmation from the user that they're ok with this". If it's indeed double opt-in AND clearly communicated, it seems you clear that bar by a mile?
It sounds like you don't value your time. In my universe (software development), time is money.
1. In the same article[1] that you reference, the following paragraph might apply to your business:
>27.2 The obligation laid down in paragraph 1 of this Article shall not apply to:
>processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)
I would ignore it for now. If any supervisory authorities contact you regarding compliance issues, talk to an expert.
2. This is if you use consent as the legal basis for collecting the data. I have seen a few businesses use 6.1.f [2] (legitimate interests) as their legal basis, which has other issues, like the balancing test of interests not having been tested in court yet. The Article 29 Data Protection Working Party has released opinions on how 'legitimate interests' should be used [3]. However, there are other laws about marketing that could apply on a country-by-country basis. If you select the consent route, a double opt-in with the possibility to opt out at any time should be sufficient, as long as you document the text of the opt-ins and record it together with the date & time of the opt-in. Oh, and you don't make the consent conditional on getting your goods/services. I can recommend the Article 29 WP guidelines on consent[4] for extended reading. It sounds like your current process is enough or requires very little tweaking; I would keep it as is.
3. I have not run a consent campaign. I have run information campaigns about our users rights with links to required documentation and they have been appreciated. I would not run a consent campaign as I believe your consent should be good enough based on the process mentioned above.
Hope this helps! - [1] https://gdpr-info.eu/art-27-gdpr/ [2] https://gdpr-info.eu/art-6-gdpr/ [3] http://ec.europa.eu/justice/article-29/documentation/opinion... [4] https://iapp.org/media/pdf/resource_center/20180416_Article2...
That said, your point is still fair. I sometimes spend my time less-than-optimally because it feels "free."
I just found another article however with another solution which may be better. The article suggests instead of saying "Get this free ebook! And p.s. we will send you information and marketing emails about our product." you should say "Sign up for our newsletter to receive information and marketing emails about our product. Also we will send you a free e-book as a gift." It's not as good of a call-to-action, but changing the order does turn into explicit consent for marketing. Source: https://blog.mailrelay.com/en/2017/12/28/new-gdpr#_What_abou...
Re #1: To be exempt you must fit all 3 criteria:
1. processing is occasional
2. does not include, on a large scale, processing of special categories of data (e.g. religious, political, criminal backgrounds, sexual orientation, etc.) AND
3. unlikely to result in a risk to the rights and freedoms of natural persons
I collect a number of emails on my website and apps every day, so I don't think my processing is "occasional". If I collected emails once a year or even once a month, sure, I could argue that processing is occasional. But collecting 10-20 email signups per day doesn't seem occasional to me.
2. Thanks for your opinion on this. I think I agree with your assessment.
3. Again, I think I agree with you - thanks for your opinion.
Very helpful, thanks!
Source: https://ec.europa.eu/info/law/law-topic/data-protection/refo...