We invite you to listen in and learn how this new set of rules impacts your marketing, and the steps you should be taking to prepare for the GDPR.
Webinar
Unlock this Free Webinar
Mark O’Brien: This is titled “The GDPR is Forcing You to Change How You Market,” brought to you by Newfangled, but this is Mark O’Brien. I’m the CEO of Newfangled and we also have Lindsey Barlow.
Lindsey Barlow: Hi, I’m Lindsey. I’m the Director of Digital Operations.
Chris Butler: I’m Chris Butler. I’m the Chief Design Officer.
Holly Fong: And I’m Holly Fong. I’m the Director of Digital Marketing Strategy.
Mark O’Brien: So, basically the brief background is this: This was presented to us as a pending issue about six months ago when we began to take it seriously, and Lindsay, and Chris, and Holly, and Dave, and some other team members have been doing a ton of research. We’ve gone so far as to actually hire a law firm to help us work on this. We’ve invested a ton of time and we’ve realized how big and complicated and harry of an issue this is. We actually had a different webinar schedule for this quarter but we realized with the deadline coming up… What is it? May 25th? That it was actually more important just to do a webinar on this because I, as the principal affirm, was woefully out of touch with what it was actually about.
And as Lindsey, Chris, Holly, and Dave are presenting the facts to me, I was quite upset by what the facts were. I figured that a lot of the people we serve, meaning you, who are attending today, also are similarly in the dark. So, we’re just going to tell you everything we know about this… A little proviso, a little safe harbor announcement. This is just what we know. We are not giving you direct advice on this. Don’t cite this webinar as a reason for doing anything with this. Right?
Chris Butler: Except for learning more. I think…
Mark O’Brien: Yeah, learning more.
Chris Butler: What we know is probably pretty sound, but Mark mentioned that the impending deadline May 25th… That’s the date after which this is an enforceable regulation. There isn’t really much organization in place for enforcing it. It’s not going to be like roving bands of auditors or inquisition around this, so you wouldn’t expect to get a knock on your door and email complaining the next day, but this regulation was passed in April of 2016. So, all of us have had two years to get up to speed on it. But the reason why it really has come into focus in the last six months is because it’s taken about that time for people to come together and figure out, well, What do we do about this?
For instance, Mark alluded to the fact that we worked with legal counsel of our own on this and they’ve had to do some trainings, and when we spoke with them, they’d just been to a workshop on this within the last few weeks. So, it isn’t that everyone’s just sort of at the “eleventh hour” getting their act together and cramming for this test, but it is the fact that it’s taken about this long for everybody who does have relevant expertise to sort this through and figure out what the next steps are. But, right, don’t take this as legal advice. The best next step for you after you hear what we’re doing with this, is to consult your own legal counsel, talk to your teams, and figure out what’s going to be the best move for you.
Mark O’Brien: Okay. Let’s see here. So, this is Holly.
Chris Butler: Hi, Holly.
Holly Fong: Hey.
Mark O’Brien: So let’s get into this.
Chris Butler: Before we look at what we’re doing, let’s just actually define some terms and talk a little bit about the concepts, because many of you listening probably know a little bit about the GDPR and many of you listening are probably hoping to learn some more. So, first and foremost, GDPR: What does that mean? It’s the General Data Protection Regulation. The whole purpose of this though isn’t really meant to go after people like us. The problem with this regulation is that it’s so big and expansive that we are caught in its net, but ultimately, firms like ours… And there’s probably a good variation of people listening right now… Probably firms and organizations that are bigger than Newfangled even, but it’s really not meant to go after us. It’s going after organizations like Google and Facebook. And yet, it’s written in such broad terms and applies to such a broad set of actions and interactions, that it does affect us. The whole purpose though is to give citizens control over the data that they share with organizations, and in this particular case, citizens of EU countries, European Union countries.
Holly Fong: Yeah, and I would say the biggest misconception really about the GDPR was initially that this is only going to apply if you do business in the EU, which isn’t true. It has to do with if you have any data on individuals in the EU, you’re making sure that (1)you’re protecting that data, but (2)they’re aware of what you’re doing with their data… All the other 3rd party tools that you could be using to store their data. They also have the right to be forgotten and to get their data back from you.
Chris Butler: Right. So, within the GDPR regulations, there are some key terminology that we’ll probably mention quite a few times in the next hour. First and foremost is this idea of “controller” and “processor.” These are the named entities that are subject to these regulations. So, a “controller” is any organization that collects data. That might be you, that might be the CMS you use, that might be 3rd party tools that you interact with, like marketing animation tools, or CRM, that kind of thing. Those are all controllers. There’s also “processors” and a “processor” is an organization that processes data on behalf of the controller. Again, that might be an organization that you’re integrating a tool with, so a CRM or marketing animation tool, perhaps a CMS or Cloud-based tool. So, that’s something to sort out and the regulations, in terms of how you disclose that activity, are different, and the responsibility is different for those two entities. You might be both. It really depends on how you do what you do and what kind of data you’re collecting and processing. We’ll talk more about that when it comes to what we’re doing.
Holly Fong: Yeah, and just to be more explicit here too, it’s not just any data. It’s any personal identifying data, which could really be any data that could be used to personally identify an individual. So, obviously, name, email IP address counts… There’s a number of things that you might not think that could constitute as personal data, but that could be.
Chris Butler: Right, especially if it’s attached to somebody’s name. We’ll talk a little bit about this in a moment because we’ve got our own story, in terms of what we thought we would do and what we’ve ended up doing, and especially how this applies to things like data content, but we were wondering at a certain point in our process whether business data, or data that is specific to an organization but not an individual, could be absolved from these regulations. Because it’s not personal… As it turns out, any data that is attached to a personal identifier becomes personal data. So, if you ask for somebody’s name and email address, but then you ask for the size of their organization, yeah, that number (maybe it’s 52 people, maybe it’s 1000), that’s suddenly personal data. So, it’s subject to the same thing. There’s no get out of… Well, you just can’t do it.
Mark O’Brien: That’s part of the heart of the matter, which is a real headline here. Any business or individual that has a website, that has a form on that website, needs to adhere to this new rule. And that was one of the things, for me, that was so difficult… Is that the EU could put a set of laws in place that we, in the States and beyond, have to adhere to. And it’s everybody. So, every single client of ours, every single client our clients have, all of them need to change the way their website works, actually by May 25th, in order to be in compliance.
Chris Butler: I’m really glad you mention that, Mark, because that’s the best segue into what I was hoping we’d cover later, which is like, Okay, you’re listening to this new single… What do I have to do? What’s the minimum thing I can do here, because what if I don’t do business in the EU? What if I don’t want to? You might be looking at this and saying, You know what? Up until now I’ve been pretty cool with interacting with people in the EU, but not selling to them directly, and so how much do I have to invest in this? You can kind of ignore this but you can’t do nothing. So, what that means is, you have to give somebody the option to be protected by this regulation, and that means you will have to choose… You’ll have to change your forms.
You can stop there, but what that means is you have to let them identify their location and then change the logic of the forms accordingly. We’ll talk specifically about how that’s done. But, yeah, you can’t just… There’s no way to do a blanket shut-down for EU people. The only way to do that would be to use IP detection and to change logic. Again, that’s programming you’d have to do. But that’s a bit of a catch-22, because an IP address is considered personal data, so if you track their IP address with which to identify their location, all of the sudden, now you’re subject to those regulations and you have to disclose to that person what you’ve done with that data, which puts you in direct contact with them. It’s a no-win circle there.
Mark O’Brien: Right, and one of the key points is this… Anybody visiting your site from the EU, so any of us right here travel to Ireland, say, tomorrow and visit your site, we are now from the EU visiting. So, it doesn’t have to do with the citizens of the EU. It has to do with anyone visiting from that location.
Chris Butler: That’s right.
Mark O’Brien: Any of those countries.
Holly Fong: Yeah, and I would just point out that this has not been litigated on yet, so the interpretation that we’ve gotten from our legal counsel is very conservative and based on how it was written. But it is possible that some of this will change with time once it is litigated on, and maybe further defined.
Chris Butler: Yeah, with that, Lindsay, can you speak a little bit to the conditions under which somebody might have a legitimate claim to collect data. There are a few specific categories that entitle you, or that would motivate you to collect data, and to organize it according to the GDPR.
Lindsey Barlow: Sure. Yeah, there are some specific… They call them “lawful bases for processing.” The first one, which is what we’re using in most cases, our lawful basis is “consent” and that’s when an individual gives you clear, explicit consent for you to process their personal data for a specific purpose. Then, you have some obvious ones where you would be processing data because it’s necessary for a contract that you’ve entered into with that individual, maybe because you have a legal obligation to do so. That would be another basis. There’s a basis called “vital interest,” which is where the processing is necessary to protect someone’s life. There’s a “public task” basis, where processing is necessary for you to perform a task in the public interest or for your official functions.
The last one, which is sort of the most ambiguous, is called “legitimate interest,” and that’s where the processing is necessary for your legitimate interest or the legitimate interest of a third party, unless there’s a good reason to protect an individual’s personal data that overrides your interest. So, it’s a balancing act, and for that one you have to go through a pretty rigorous process of determining that your interests outweigh the interest of the individual.
Chris Butler: In this context, we’re really focused on the marketing application of this regulation, so something to note here is that Lindsay mentioned a few of these other reasons for tracking and a lot of them are not going to be applicable to us or this audience. So, for the purposes of this hour, we really want to focus on marketing and that really applies to the first and last condition. So, consent and legitimate interest. I’ll say that in all of our conversations with our legal counsel where we tried to construct a legitimate interest argument for things like data content and additional data collection, the advice we’ve been given over and over again is “That would be the legal argument we would use to defend you, but it’s probably not a good one to use preemptively.”
Again, there’s no legal precedent here for interpreting the GDPR, which is really tricky because if you get in touch with legal counsel after this, which we hope you do, you’re not going to get a whole lot of “Yes, this is exactly how you need to do it, what you need to do, this is exactly what you should do.” You’re going to get a lot of hedged statements and ambiguity. That’s because there’s no legal precedent.
Mark O’Brien: So, can I play Devil’s Advocate here just a little bit, just to get to the heart of what you’re saying there, and how this will come home to everyone on the webinar? Data content, right? White paper, webinar, right? Anything that we’re now using forms to protect, there is one clause in the regulation that said something about “You cannot withhold access to a website for any reason,” right? And we read that as website, being the entire site. Like you can’t put up a login form in front of your site to prevent access to the site, which is fine because we don’t do that and none of our clients do that, hardly anyone does that.
Chris Butler: Right.
Mark O’Brien: But that’s not what they mean, is it?
Chris Butler: No. The interpretation that we’ve adopted at this point and have been encouraged to adopt is that the notion of transacting data for access should apply to access broadly. So any information that you’d access. And if you think about it, that’s the nature of data content. You’re basically saying, “Hey, I’m going to let you read this white paper if you’re willing to tell us a little more about yourself, and we want that data so that we can put you through a filter and see if you’re worth the time to spend to market to you.” There’s nothing wrong with that. I think we all believe we can do that within ethical parameters that we feel really good about. The argument that we took in terms of legitimate interest was to say, “Listen, we should have the prerogative as an organization to say that this information we’re sharing is proprietary, of greater value, it represents risk to us as people who sell expertise, to put a little bit more of that expertise into the marketplace is a way of properly informing someone who might want to pay us for more of it…”
Mark O’Brien: And we put a ton of effort into it.
Chris Butler: Those are all the things that I think… I know the three of you really well and none of us are the kind of people that would have an easy time sleeping at night if we didn’t feel comfortable with how we broker information, how we sell our expertise. We don’t want to be hucksters and we have a high sensitivity for that.
Mark O’Brien: Well, that’s just not good marketing in the first place
Chris Butler: Right, and it’s funny you mentioned that because, and we talked about this on the podcast where you and I debated this, there were points along the way where I was wondering if the legal counsel really understood the nature of the marketing we did. Because I assumed they didn’t. I assumed, “You think that marketing is this sort of harassing, digital version of sales,” and it’s not that. And they really do get it. They actually participate in quite a bit of it themselves, and I think they also understand the angst because it does limit you in some way. But, back to the point. You can’t do that to people in the EU because the interpretation of the idea of consent and the idea of access for data applies to any access of any kind. So, it is no longer okay to basically do any data content whatsoever.
Holly Fong: I was just about to say the exception. The exception is… Webinars are one exception because that data is necessary to register that individual for that webinar, to be able to provide that service. Same with if someone signs up for your newsletter or your emails. Without their email address, you can’t deliver on that.
Chris Butler: Right. There’d be no such thing as a newsletter sign-up without an email address.
Holly Fong: Yeah, and we’re talking about data content because the way our data content works, it’s showing the information on the website once they fill out that form. If the way that you were delivering data content is in a PDF through an email, then it would be acceptable, if that makes sense.
Chris Butler: Yeah, if that was its only format. We explored having, in addition to displaying it on a webpage, delivering it via email as an asset, and would that give us a legitimate interest argument, and the answer of course was NO, because it would have to be if its true format was that. So, that’s why, you can have someone register for a webinar in the EU… Perhaps there’s someone listening from the EU right now and we have your email address and that is legitimate. Now, the thing that you can’t do is, once this webinar is accessed as something after the fact, and it’s just a video file on a page, we can’t request their email address in that scenario. The question then becomes, and this is the fork in the road that we’ve faced, do we want to give access to this content to people in the EU or not moving forward?
Mark O’Brien: Yeah, and just to be very, very clear about this… Anyone listening right now that has data content on their site, they are going to be out of bounds starting May 25th.
Chris Butler: Right.
Mark O’Brien: So, they are not in compliance with GDPR just by the fact they have data content anywhere on their site.
Chris Butler: Well, and also more foundationally, actually having a public privacy notice, and we haven’t talked about this yet, but this is actually complicated as well, in terms of what that notice needs to include. Many people who are listening right now, they’ve probably done something like a privacy policy in the past, which as it turns out is not the right terminology… The privacy notice is an explicit rundown of all the data that’s being collected and what is done with it. It also allows people to understand what their rights are. So, Holly, you mentioned this in the past, the right in the EU is the right to have access to that data, the right of erasure, and the right of portability. So that means that, let’s say six months from now someone in the EU gets in touch with Newfangled and says, “I need to know what you have on me. I’d like you to delete it but I’d also like you to give me a copy of it first.” We have to do that. We are obliged to do that for them.
Mark O’Brien: Just having this privacy policy on the site is not enough.
Chris Butler: It’s not enough. No, because it wouldn’t protect someone moving forward. So, there’s disclosure… There’s notice disclosure, consent, and there’s also the obligation that we would have as a controller and a processor. Those are some of the categories of action you need to take.
Mark O’Brien: When it comes time, we will walk you through how we’ve approached this and what this looks like. It’s pretty ridiculous.
Chris Butler: Yeah.
Holly Fong: I was going to say that probably the biggest misconception… Another big misconception, I should say, about the GDPR was initially, people were thinking that people just had to consent to being emailed to. If that makes sense, because they were thinking it was really similar to Castle and it’s not, in that people have to agree to the fact that you’re capturing their data and you’re keeping their data. They have to know what you’re doing with their data. So, having a privacy notice on your site is important, but it’s also really important when we go over our forms, and the solution that we’ve come up with will explain this further, but it’s also really important that people consent to that notice.
Chris Butler: Right. So, I think it would be good to share some of this stuff. Before we do it, let’s just review what we’ve covered so far really quickly, because I know there’s a lot of information and we’ve done it in a somewhat incoherent manner.
So, number one, the purpose of the GDPR is to protect people in the EU and give them additional rights that haven’t been explicitly documented in the past, and those are the rights to (1) access to the data they have, or the data they’ve shared with you, (2) erasure of the data, and (3)portability. It applies to anyone in the EU at anytime, so if you’ve got someone who works for an American corporation who lives in Austin, TX, but then goes to the EU for a business trip for the week, it applies to them during that time. It’s enforceable on May 25th.
Nothing is going to change overnight. You should be aiming for that as a goal, as we are, but actually some of the things that we’re doing to be in compliance with the GDPR probably won’t be 100% done by that time. That’s absolutely true for us. That’s absolutely true for our clients as well. We’ve got a lot of clients that are working with us to become compliant here.
Mark O’Brien: Can I say something about that? The reason why it won’t be done by May 25th is because it is a ton of work.
Chris Butler: Yes.
Mark O’Brien: This is very big deal; changes that are necessary.
Chris Butler: That’s right. And because we had an original approach to this that has been refined several times now, thanks to the legal counsel that we’ve received on this. So, we are a controller. We’re also a processor. Controllers are an organization that collects data. We collect data from our website users in a variety of different ways and we’ll talk about that when we look at the privacy notice. We’re also a processor. We are because we have a CMS and then we work with third party center processors, like marketing animation tools and sales force in this instance.
The scope of personal data, as Holly mentioned earlier, is really, really wide and this is troubling. It’s anything from someone’s name to their IP address. If you asked for their favorite color, if you have their name, that’s personal. If you ask for the number of employees at their organization, that’s personal. There’s really no wiggle room there. And the requirements to them are a notice of all the data processing, so we’ll get explicit there.
And then, finally, as Mark has been coming back to a few times, you can do nothing about this. You have to, at the very least, have a privacy policy posted on your site and enable people in the EU to identify their location, and have the logic of the forms changed based upon that. The logic options you have are varied, and we’ll explain that when we look at what we’ve done. But those are the minimum things that you must do.
Mark O’Brien: And not just to have the privacy policy, but make sure they have read the privacy policy.
Chris Butler: I’m actually glad you mentioned that too, because, as it turns out, these privacy notices are quite complicated. It isn’t just, “Hey, we collect your data and we’re nice about it and we don’t sell it to anyone.” I wish we could just say that. You actually have to be really, really explicit about what data is collected. Every little piece you have to disclose. What’s done with it, how long you keep it for, who else has access to it, what it’s being passed to back and forth… If you’re working with a third party that does some processing of its own, you need to explicitly explain what that processing amounts to. You can’t just say, “Here’s a link to Google Analytic’s privacy policy,” or “Here’s a link to Marketo’s privacy policy.” You need to actually duplicate some of those details in your notice.
And then you need to ensure that somebody has read the whole thing. Now, anyone who’s ever set up IOS or any piece of software from Apple, you’ve got the really long agreement that you basically don’t read. You just scroll through and click.
Mark O’Brien: But you have to scroll through.
Chris Butler: You have to scroll through it, but it would be easy to just not read it. I think none of us read it. I think someone calculated that the length of time it would take to read that whole thing is like an hour or more?
Mark O’Brien: That makes sense.
Chris Butler: Ridiculous. Our legal counsel has said that what they’d really prefer is explicit consent check boxes next to each line item, so that there’s no ambiguity about what someone has read.
Mark O’Brien: So, for example, if I was visiting from the EU, and I wanted to sign up for the newsletter, and it asked just for my email address… Just that, so I’m in compliance with GDPR… Before I do that, I’d have to actually go through the would be check off, what? Probably 50 different check boxes inside the privacy policy? At least 15?
Chris Butler: It might be less than that. It depends on how you headlined them. But our privacy notice is probably around 2000 words?
Holly Fong: It’s pretty long.
Chris Butler: It’s long. We’ve elected to not do that. We’ve elected to make them scroll to the bottom and click that they have read, and they do have to do that before they can submit the form.
Mark O’Brien: Right.
Chris Butler: So, that’s a significant barrier. But, we are taking the risk of, I don’t know, not being super pedantic about this? And assuming that when someone says they read it, they mean it. Again, we’ve received some really conservative legal counsel for which I’m pretty grateful, but this is the one area that we’ve decided to go a different direction and just say, “Look, if someone told me they read the thing, I’m going to take them at their word.”
Mark O’Brien: Okay. Should we take a look at a few things now?
Chris Butler: The only other background I was going to mention, and this came up in the podcast, is that there’s actually a piece of legislation on the docket for November in California called the California Consumer Privacy Act. It’s very similar to the GDPR. It’s meant to guarantee a consumer’s right to see all the info held about them by a company and have access, erasure, and portability, and those are for California citizens. So, anyone from California. I would imagine if we looked at our list of contacts, we’d have a lot of California residents.
And, again, what this is going after are companies that have much more weight behind them in terms of what they do with this data, particularly companies that gather way more data than we ever would and sell most of that for other purposes, but we’re going to be subject to it. I think it’s very likely to pass in November, so we may be back to the drawing board in November based on how explicit that regulation is in its documentation, because a problem with the GDPR is that it’s expansive and poorly written, and it was hastily adopted. Who knows what this one will mean? I haven’t read it. I just know the generalities behind it, but come November we may have some new requirements.
So, let’s look at what we’ve done on the site. Mark mentioned that Dave Mello, our Director of Technology, has been working on this, and everything we’re about to look at is something he’s built for us. And it’s built into our tools so our clients can make use of it as well. So, let’s start here and Holly and Lindsay, why don’t you guys take us through this?
Holly Fong: Yeah, so this is just an initial form on our site. As you can see, we’re asking for their first name, last name, email address, and then really important note here… We’re asking for their country. So, before they can submit this form, we’re identifying what country this individual is in. Once they identify a country that’s in Europe, if we go to the next slide, what will happen is that there is a check box that will pop up, which is basically requiring them to agree to our privacy notice. They cannot submit the form without agreeing to that.
Lindsey Barlow: That’s what allows us to actually store this data in our various systems. So, in the CMS, in our marketing animation system, and our CRM, we can’t even hold that data without them agreeing to that specifically.
Holly Fong: Another important thing to point out here is you can see, underneath that first check box is a second check box, which is giving them the option to sign up to receive emails, and that’s explicit. So, someone has to explicitly sign up for that on top of the fact that they’re submitting a form and agreeing to you processing their data.
Chris Butler: Good. Let’s keep going. This is what it looks like behind the scenes, so as I mentioned, Dave has built some tools. We are working with Word Press as our platform, so all of our marketing technology is basically operating within some plug-ins that are unique to Word Press that we’ve built. This is how it would look behind the scenes. This is you putting those buttons in place.
Holly Fong: Yeah, everything that we’ve written out here is editable, so anyone who has the plug-ins has the ability to edit the language to fit their brand.
Chris Butler: You can also see that there’s a little bit more detail here than just the additional fields. The EU… There’s no widget that knows exactly what countries are in there, so it’s spelled out… All 12 or so countries are listed here. But this also means that if there’s a California regulation that’s very similar, we’ll be able to just add that in, assuming that it’s the same application, which we’re hoping for.
I mentioned that the privacy notice is long. This is what it looks like when someone is required to look at it. It just displays in an overlay and you can actually scroll up on this, but it’s probably… Is it 2000 words-ish?
Lindsey Barlow: It’s pretty long.
Holly Fong: Yeah, and just to point out, when someone checks the box that they’re agreeing to the privacy policy, this is just automatically overlaying. So it’s automatically popping up based on the fact that they’ve checked that box. There’s also a link to it, so they can go to it, but when they check that box, it’s requiring that they see the privacy notice.
Mark O’Brien: So, again, just to summarize: What used to be a one-click for sign-up, now when you click to sign-up, this overlay happens. You have to scroll through the whole thing, click that you agree to the privacy notice, which gets rid of the overlay, then you have to again click sign-up. So, it’s a four-step process now when it used to be a one-step process.
Holly Fong: Yeah, and it’s also important to point out that we’ve opted to do this just when individuals show that they’re in a country in the EU, so it’s not necessarily happening for every individual on our site. Because it’s a pretty cumbersome process, we’ve decided to only do it if someone chooses a country in the EU.
Mark O’Brien: But all this logic was custom-coded. This is default Word Press functionality. And if you don’t custom-code this… What are your options if you don’t have someone on staff to custom-code this for you?
Chris Butler: Well, you know, Holly and I were on the line yesterday with a client of ours that’s in a Scandinavian country and is not using our plug-ins, and there is a GDPR plug-in now available in Word Press. We haven’t vetted it. We don’t know exactly what it does and doesn’t do, but someone has built one, and ostensibly, it would work for you if you’re not already committed to other plug-ins for this type of functionality. So, I doubt it’s integrated with any third party tool. I doubt that it would work with Gravity Forms, if that’s what you’re using. It’s it’s own thing. So, my guess is that it’s a forms plug-in that is compliant with GDPR.
So, again, I know that these things exist. They’re will probably be more, but if you’re doing the kind of significant marketing that this regulation is really looking to address, my guess is that a plug-in like that might not get you all the way. Don’t quote me on that. We had to build all of this from scratch because our functionality is fairly complicated.
Holly Fong: Yeah, I would agree that it probably won’t bring you all the way because it’s probably not accounting for things like data content, or if you have progressive profiling on your site, which we didn’t even mention, that’s also going to be something that you can no longer do for individuals in the EU, just because that’s information that’s not necessary to require.
Mark O’Brien: Even after they give consent.
Holly Fong: Exactly.
Mark O’Brien: So, consent or not, there’s no progressive profiling from anyone coming from the EU.
Chris Butler: It’s the minimum for the purpose for which you’re submitting the form. So, in the United States, the whole purpose behind data content and progressive profiling is that if there’s repeat options to get information from a prospect, that’s a great way to learn more about them in a seamless manner. Generally, I think… Again, this is the angst of something like the GDPR. The GDPR is designed to empower the individuals who feel like, “Oh my gosh, I don’t even know the thousand things that Google knows about me or the ten thousand things that Facebook knows about me, and I don’t know who they’ve sold that data to, and I don’t feel comfortable with that. Because there’s so much more that I don’t know than I do.” That’s what this is for.
It’s not for instance in which I, as a professional, say, “You know what? I feel comfortable giving Newfangled my title and the budget I spend on these types of projects, because I see them as a provider of knowledge that I need, and I might want to work with them in the future.” Most people who participate in this kind of marketing, they know why they’re submitting this information. It’s a totally different ball game, and yet we’re subject to it.
Mark O’Brien: What if there are businesses out there like ours who do very little, if any, business in the EU, and they… Can they turn their website OFF to the EU, or certain features off? What can they do there?
Chris Butler: Right, so we talked about the minimum viable option, or there being a fork in the road. We elected to adapt our forms so that basically if someone identifies that they’re in France, the fields get shut off and they still access the gated piece of content. We had lots of debates over that.
Mark O’Brien: Lots of debates over that.
Chris Butler: And we probably still will, on-going, because I think we all agree that, in the short-term, that was our best… The option we all felt best about with reservations. But, Mark, I know you were really interested in, “Well, why don’t we just not give them access to that content?” And that’s totally a legitimate option. We have a client right now we’re working with that has chosen that route.
Mark O’Brien: Yeah, that’s one of the things that has upset me, is that we put so much effort into creating this content, and our clients do too. We know full-well how much we care about this, how much we endeavor to educate our prospects, and our clients are doing the exact same thing we are. And the fact that we now basically just give it away for free to everyone in the EU because of the GDPR, just seems unjust.
Chris Butler: Yeah, so I know we can practically answer a couple of questions that David has asked about this. No, we’re not requiring explicit consent from everyone. Only those people who are coming from the EU, but also asking specifically about this issue, can we just not give them access? The reason that we decided to give them access… There are two reasons: Number one is that if they have access to that piece of data content, they might be reading it now and still subscribe to the newsletter, and they’d see that form on that page. So, I guess it’s like leaving the worm in the water longer. It just allows us to trust that if there’s a good option in the EU, someone who’s a good fit for us… And again, that’s not a big risk for us because we don’t typically, then they might convert at some point later in a way that’s considered okay from a GDPR standpoint.
The other reason why is because we are, right now, anonymizing those submissions. So, basically, what happens is, if somebody says they’re from France, and they’re asking for access to a white paper, we pass them through when they say they’re from France, and all we do is get a number. Yes, this form was submitted by this 16-character alphanumeric number.
Mark O’Brien: That we randomly assign.
Chris Butler: Right. If they convert later on, we can retroactively connect that conversion and that identification to that activity. So, potentially, six months from now, a year from now, we’re going to have some really interesting data on the lifespan of an EU conversion. Whether or not that’s relevant to us, we don’t know, we’re making a generous bet on the future data relevance of these transactions. Being able to connect those, there’s some value to that. I think, as an organization that cares about marketing data and cares about giving our clients cogent advice on this, I see it as, Okay, we’re making an experiment. A year from now, we might be able to even more directly lead our clients and provide some advice on this, based on data we’ve collected and seen. Right now, it’s a total guess.
Holly Fong: I would say that’s really important data to collect, given that other laws are changing throughout the world and even in the United States, which might lead us to look into other options. So, what this screenshot is showing is if someone were to try to submit this form without checking that box, it’s going to make that field required so they cannot submit that information without agreeing to the privacy notice. The secondary option below that, for them agreeing to receive email communications, does not need to be checked. So, they could submit a form without signing up for those email communications. Now, it’s important to note that this information is going to be feeding into marketing animation system and hopefully a CRM, so you’re going to have to do some segmentation to make sure you’re not sending to individuals who do fill out a form on your site but don’t agree to receive your email communications.
Lindsay Barlow: This is an example of what we’re doing with data content. If you visit a white paper or past webinar on our site, this is what you’ll see. And if you move to the next slide… You’ll see that what we’ve added is what we’re calling a “limited submit button,” so after the first field, or the fourth field depending on what form it is, you can add a submit button that shows conditionally depending on the country.
Chris Butler: The benefit there is that you don’t have to have multiple forms depending on the user’s location.
Lindsay Barlow: Right. So if we move on, we can see this is what, if I choose a country in the EU, I’m going to see the limited submit button with an optional message that will explain that I can submit this form without providing any personal data. Then, this is a webinar registration form that would show for a non-EU visitor. So, you can see this is somebody who has already submitted a form on our site, so we’re pre-filling their data and then we’re asking for additional fields like “title” or “business type.”
Chris Butler: Standard progressive profiling.
Lindsay Barlow: Right.
Mark O’Brien: Can I ask an annoying question? So, this is an example of somebody who, say, lives in Kansas, came to our site, converted probably multiple times in the past, but they’re on a trip to France at this moment, and they’re coming back to our site but they took their laptop with them. So, the same laptop we’ve cookied, right? Technically, then this should be all wiped out.
Chris Butler: Yeah, this is a flaw of the way that the GDPR is drafted and practically-speaking, there isn’t a great way to account for that case. The chances of Dave Mello, when he’s vacationing in France working are very high because chances of him actually saying, “Hey, I’m in France now,” on a form, are pretty low. So, while we might be able to, later on, forensically go back through the data and be like, “Oh, look at these submissions. Those IP addresses are in the EU. We need to purge this data…” We’re not going to do that. And the chances of Dave coming back to us and requiring us to do that are pretty low. That being said, it is always Dave Mello’s right to request the data, so if Dave Mello comes to us and requests the data and we say, “Well yeah, but Dave, you’re in the United States,” it’s still our obligation to find that data that does apply to the GDPR and purge it. That would be a pain in the neck and the chance of us being held accountable to that are pretty much zero.
Mark O’Brien: Now, an example of something that we could not do, because it would not, out of the gate, be in compliance with GDPR, would be IP tracking. So, if Dave were to vacation in France, if we were tracking IP’s, it’s like this person Dave is in France now, let’s just clear out his cookies because it’s coming from France. You can’t even do that because that IP address is something we can’t save or track or really be aware of.
Holly Fong: If you’re not anonymizing it. It would just be an additional, cumbersome step in this already convoluted technological solution. This is one of the cases where I feel like we had to make the call that if somebody were to complain about this, our best effort… We tried as hard as we could to make this comply with this law and the regulations, and this was the best technological solution we could come up with. So, banking on the goodwill of our intentions and what we’re trying to do here.
Mark O’Brien: And I’m pointing this out to point out how ridiculous some parts of this law are.
Chris Butler: Actually, it’s really good that you point that out because that is indicative of a crack in the logic of this regulation, and the haste with which it was drafted, the fact it was drafted by people who may not understand the complexities of digital marketing as it applies to people who aren’t in the realm of selling anonymously collected user data. There’s all kinds of problems with this.
Mark O’Brien: Now, let’s pretend all websites did do IP tracking, and when Dave goes to visit France, all of the sudden all of his log-in’s are cleared and nothing… The web is a very unusable place for him, if they wanted to choose to comply in that way.
Chris Butler: Well, that technically wouldn’t be a thing to do with the GDPR because it’s Dave’s right to have that data deleted on his request, to have it disclose what it is, and have it made portable to him. If we just deleted his cookies, we’d be purging that data without notifying him. He wouldn’t even know that would happen. We’d actually be doing something worse, according to the GDPR, by doing that. So, there’s a few no-win scenarios, and that’s one of them. Again, I think the reason we elected to not bother with trying to come up with some kind of weird conditional logic for that scenario is because, why would Dave Mellow, a United States resident… In what conditions would he come to us and say, “Hey, all the data I submitted when I was in France, I need you to do something with it.” I just don’t see that happening, so we’re willing to take a risk. It’s his right to do that though.
Lindsay Barlow: So, you can see in the editing experience of the upcoming webinar form, as Holly pointed out earlier because we need certain fields in order to allow people to register for the webinar and then give them access to the webinar, for e-visitors, we put that limited submit button after those required fields. So, we need first name, last name, email, and country, but we don’t want to collect business type or title from anyone in the EU.
Chris Butler: Ever. Under any circumstances.
Lindsay Barlow: Yeah, if it’s not necessary for that.
Chris Butler: It won’t ever be, like for marketing purposes with business type…
Lindsey Barlow: Well, say, for instance we have a contact form on our site, or a form that’s specifically asking somebody: get in touch with us if you want to do a project with us, then I think asking for what’s your business type, what’s your number of employees, because we have a specific documented fit-filter where we can say, Is this somebody that we want to actually take the next step and get in touch with or… Yeah, exactly. You just have to… There’s this idea of data minimization and what’s necessary, so if you make the determination that yes, for that form, those fields are necessary… But for a webinar registration form, why do you need to know their business type in order to deliver that service?
Mark O’Brien: Okay, so short of a contact form… great.
Chris Butler: The other thing about is this okay, is it not okay… We are logically trying to build a foundation upon which we would defend ourselves if found accountable. The bottom line is… This might sound cavalier, and perhaps it is, but I wouldn’t really expect to be held accountable to this anytime soon. I mentioned this in the podcast that we had a discussion but we did e-commerce work for many years, and we were subject to the payment card industry regulation – PCI compliance – and the penalties there were significant. We elected to go down that road because we felt like, Wow, if we were held accountable, it would be the world ending for our business. The immediate fines alone… But the bottom line is I think it’s somewhere in the neighborhood of 95 or more percent of e-commerce online is not compliant with PCI, and has never been.
Mark O’Brien: That being said, though, there’s a reason we’ve invested tens of thousands of dollars into this now. We’re taking this very seriously and we think our clients should too.
Chris Butler: Well, culturally-speaking, I think treating data seriously is very much in the… It’s not going to get any easier ever. I think requirements are going to be more stringent. There is going to be more oversight. There’s more technology in existence now to track people who are not complying. There’s more people looking for this. There’s going to be like watch-dog organizations that don’t exist yet at some point. So, we’re making investment in the stability of the future, for sure.
Mark O’Brien: Right, so it’s partially about GDPR, it’s also what’s coming up in California and elsewhere. Okay, I think we should probably get to the Q & A.
Chris Butler: Yeah, let’s just share one more thing. If you can advance to this slide. So, I mentioned that we can do some things about connecting the dots later on. We have a system that we built called the Inside Engine, that allows our people who do system development to really get some insight into people who might be a fit, and that’s the whole purpose of this… Of course, not to just gather data for data’s sake.
That means that at some point in the future, those transactions where there was an anonymized conversion (a data-less conversion) connected to somebody who does reveal themselves in a safe way according to the GDPR later, it would be visible in this context, where we can see somebody’s session history and understand that they got 15 white papers in the EU and we didn’t know them. But now that they’ve expressed interest, we really know what they know and what they don’t know, and what they’re poised to be interested in. That is helpful. That’s the whole reason we do that, and we built this system so we could make a meaningful connection between content experience, somebody’s fit, and the activity that somebody doing business development would be doing to nurture that opportunity. So, that’s why we’ve decided to let somebody be passed through on the GDPR side. Sorry, the EU side.
Holly Fong: Yeah, another thing that we didn’t really touch on, but is a really important piece of this… We actually haven’t even built this part out yet… Is that the plug-in will allow for you to delete an individual’s data if they were to request that you purge their data, because their information isn’t necessarily just stored in a form submission and in your marketing animation tool, and in your CRM. It can be a number of places on the site that that information is stored. So, whether using our plug-in or another option, it’s important that you have a way to delete that data everywhere in the site.
Mark O’Brien: Okay, let’s get to a few questions here?
Chris Butler: Yeah.
Mark O’Brien: There are lots of them and if anyone listening has any questions they’d like to ask, just put it in the Q & A panel now. I will try to get to it, although we’re already pretty full.
A couple questions that are somewhat similar:
Toby asks “How do you recommend we handle existing context to comply with GDPR, so people you already have data on that we know are EU residents… What do we do about that?”
Holly Fong: I’d recommend definitely doing an audit of your database to identify everyone who is in the EU, or people that you don’t know where they’re located. It’s a good idea to either delete that data before the 25th, or what you can do is try to run a re-permissioning campaign, which would basically send them an email asking them to re-subscribe, making sure it’s explicit what they’re subscribing to, additionally making sure they’re clear on your privacy notice and what you’re doing with their data.
Chris Butler: Yeah, just to add to that, it’s similar to HIPAA compliance, if you’ve ever had experience with that. Claims to ignorance don’t get you out of the accountability here, so if you have data on someone in EU and don’t know it, they still have a right to everything the GDPR stipulates and you’re still obliged to it. That’s why it’s important to audit your data and make sure you know everything you need to know about the people in your context database, so that you don’t mistakenly non-comply.
Mark O’Brien: Okay, great. This is an interesting question that I know came up internally as we were going through this:
Justin asks, “Is there an important distinction between calling it a privacy policy versus a privacy notice?”
Chris Butler: Yeah, so the public disclosure of all the data you collect, how you’re processing it, all that stuff… That’s a notice. There is a meaningful difference. A policy might extend to all kinds of other procedures, personnel, things that you do internally that you don’t necessarily have to publicize. The public notice is what is relevant and germain to the individual who has rights under the GDPR to data and how it’s managed.
Mark O’Brien: Anything else to add to that?
Lindsey Barlow: I don’t think so.
Mark O’Brien: Okay. Let’s see.
Renu asks a question that is a very good one: “To make our privacy policy GDPR compliant, would you recommend getting legal counsel to look over the policy?”
Chris Butler: Yes. We drafted a very extensive one and got notes from our legal counsel and they were extensive.
Holly Fong: Yeah, if you’re looking for a starting point, one thing I would point out is you can use a site like Terms Feed to get started. It is a good idea definitely to get that passed by legal counsel as well when you’re done, but if you’re looking for a starting point.
Mark O’Brien: What was that? Terms Feed?
Holly Fong: Yes.
Mark O’Brien: Okay, great. This is a great question I’m sure a lot of people are asking and I’d like to answer:
Rochelle asks, “For forms with email communications opt-in,” like we had down there, “can the box be pre-checked to encourage more opt-ins?”
Chris Butler: *buzzer sound* We all shook our heads.
Mark O’Brien: Definitely not. Basically any question you might have that is in that vein, the answer’s going to be NO. The answer is not the answer you want it to be in pretty much all cases.
Chris Butler: The problem with trying to comply with regulation before there’s any precedent for defending yourself under that regulation, is that there’s no loopholes. With most laws, there are loopholes because loopholes come from precedent interpretation, being able to demonstrate that, demonstrate how other people have interpreted things that are ambiguous, and none of that exists in this context, so you’re best proactive defense is the most conservative one.
Holly Fong: I would also say that’s one that I highly doubt they would retract, because they really want that explicit acceptance of the privacy notice, of subscription.
Lindsey Barlow: Yeah, it has to be positive, so it can’t be implied or opt-out.
Mark O’Brien: Emma asked a great question that came up during our internal debates as we’re working through this.
Emma asks, “What is to stop a U.S. resident from claiming they’re from the EU to access content behind a content gate without giving up their information?”
Chris Butler: Nothing. If they caught on, they could certainly do that. Mark brought that up because when we were debating our approach, which was this pass-through approach, yeah, someone could accidentally do that and be like, Hey, I can get through here! That’s interesting. No, we could go back and vet that data and say this person’s IP address is clearly in the United States and we could change that. Of course, we’re not going to do that kind of work. We felt the chances of doing that since we elevate the United States to the first option are very low. I could see that happening if we alphabetized countries and somebody accidentally chose Albania or something like that, something before the United States, because the United States is a “U,” which is why we scooted United States to the top and made it the default.
Mark O’Brien: But we’re watching. Very intently watching this, and we might very well change it.
Chris Butler: I alluded to the fact that we’re working with a client that we’ve worked with for many years, whom we respect greatly, who’s likely to do the opposite thing, which is once someone discloses they’re from the EU, they get nothing. And that’s a viable option. If you don’t have a need to develop business in the EU, then perhaps that’s the way you want to go. We’ve just elected to not do that because we want to have as much data as we can to make more particular decisions later down the road.
Holly Fong: It’s also probably good to point out that the way the forms will work on our site, if they filled out a form previously, their information is going to be pre-filled, so they’d have to go back and retroactively change that information. Which would probably be more work than just filling out the next field and submitting the form.
Mark O’Brien: Okay, David has a very good question. “Should we require this explicit consent from all site users going forward, meaning the whole privacy policy rigamarole? Is it for all site users or not?”
Chris Butler: It doesn’t have to be. We were initially going to do that, when we thought that was all that was required. We thought, You know the culture’s moving this direction, perhaps it would be better to just put this forward and that way everyone in the United States would know that Newfangled is an organization that cares about privacy and cares about the integrity of the data that’s being collected. We just have opted to not do that, given the counsel we’ve gotten. There are two points: One, the explicit opt-in nature is onerous enough that if it’s not necessary, why do it? The second issue is that… The legal counsel we’ve gotten is that attempting to comply with this puts you in a place of responsibility that’s greater than not attempting at all. So, once you open the Pandora’s box of applying GDPR-like requirements to people it’s not applicable to, then it muddies the waters. Having a hard line between where you do this and where you don’t, how you do it and how you don’t, is according to them, a safer legal avenue.
Mark O’Brien: Jasmine asked a clarifying question that may have already been answered but she asked in very specific terms… “Anyone from the EU is already subscribed to the newsletter. Do they have to re-subscribe?”
Holly Fong: Yeah, because what they’re re-subscribing to isn’t necessarily just continuing to receive emails from you, but it’s also agreeing to the fact that you have their data, and that they understand what you’re doing with their data.
Chris Butler: Right. Prior to now I would have imagined 100% of people listening and ourselves didn’t have a privacy notice that explicitly described what data’s being collected and what we’re doing with that data. That’s what’s necessary here. It’s not just agreeing to receive emails. It is explicitly agreeing to the nature of the transaction of data.
Holly Fong: David asks, “If they choose a country that is in the EU,” so by the form, “can we just not allow them to sign up? Can we just block them?” And the answer is YES, we could. We’ve chosen not to, but we might change our mind.
There’s a little confusion around the PDF thing with the gated content, and Tim and Patrick ask a similar question, which is, “Just to make sure I’m understanding correctly, can you simply just email a PDF instead of redirecting to the white paper host on your website?”
Chris Butler: Yeah, you could do that, right? What does that really help though? What does it get you?
Lindsey Barlow: You could. It’s tough because if you change the logic of your site specifically to get around this regulation, I don’t think it’s going to be looked on very favorably. There’s also an argument to be made that there’s part of this law that says there has to be a reason to process the data, and you can’t reasonably give them access in any other way that wouldn’t require you to process their data. So, there’s a pretty good argument to be made that you could just put that PDF on your site. You don’t need to email it to them. You could just upload it to your site.
Holly Fong: I would also say, if you have a way in place where people can access that data by submitting that form on your site, to then take it away and change everything like you were saying so you are emailing that PDF… Like you were saying, it probably wouldn’t be looked upon very favorably, because they would say you didn’t need that information because you did it that way previously.
Mark O’Brien: Although, just to play Devil’s Advocate here… If we had a client that had never done gated content, and wanted to use a tool like Act-ON to house those assets, store the PDF there and all their gated content was in PDF form because they wanted to be design-y about it and control it in a way that the site wouldn’t allow, I would say that they could continue doing that. For a couple of reasons… Lindsay’s point is that they could house it on the site there, they don’t have to use Act-ON as the place to hold that data.
That argument would be Act-ON housing that data gives me more data as a marketer later on, which puts you in a bad place from the GDPR standpoint, but I would say an equally good point is I don’t want to incur the bandwidth transactional hit of moving these very large PDFs from my site. I don’t want to store them on my site. I want to use a third party. Just from a pure practicality and infrastructure standpoint, at which point, I would think that person would be in a great place to have a legitimate interest claim to that data. Say, I need their email to give them this PDF. It’s the only place it exists, and I shouldn’t have to bear the burden of storing it on my site if this third party is offering to do it for me.
Holly Fong: Agreed. I think if you keep it set up that way, and then you have a reason to ask for that information, and you don’t need to change anything… But if you don’t have it set up that way, it wouldn’t change your site.
Lindsay Barlow: This is the thorniest issue for sure. There’s so many different opinions about it online as well. And we’ve batted around so many different ideas for how we could approach it, where we could feel good about it. Again, it gets back to your point. Yeah, you could make a legitimate interest case, and we could do that. We could spend ten hours doing the balance test to see if our interests exceed the interests of the individual, and it very well might. But we don’t have the time to do that.
Chris Butler: When precedent is set for interpretation of this law, in the ways that are relevant to us and anyone listening, it’s going to be on the basis of what legitimate interest is. That’s ultimately going to be the thing that sets precedent for this. We just don’t want to be the guinea pigs. It may be that someday we can do more than we’re doing now, because that precedent is set and we say where our gut was taking us six years ago is where we can go now. But, again, you have to weight the risk.
Mark O’Brien: Right. One last question from Tim: “What if you have a database of contacts, but you’re not sending email blasts, but you’re doing one-to-one prospecting? Is that allowed or not?”
Holly Fong: From their email accounts?
Mark O’Brien: Yeah, if I were to email somebody in France…
Chris Butler: Well, those people still have the right to know what you’re doing with their data and what data they have. So, even if you don’t intend to send them marketing emails, they need to consent to you having that data and understand the nature of what you’re doing with the data. How much data you have, their right to disclosure, to access, to deletion, to portability, those types of things, is still there. You need to do what Holly recommended, which is an audit of your database, and you need to get back in touch.
Mark O’Brien: Would simply emailing them be a violation of the GDPR?
Lindsey Barlow: I think it would depend on what data you were using to email them and where you got it. If for instance you could access their email address by just looking on their company website, it’s publicly accessible, but if you’ve got eight other data points about them that they never consented for you hold or anything like that, and you’re using those in that email, it’s probably an issue.
Mark O’Brien: Okay, great. So, for clients of ours who are interested in getting more help with this, we’re very happy to help, and we have lots of different tools we’ve developed obviously, and we have lots of advice we can give. So, just get in touch with your digital marketing strategist, if you’d like to continue the conversation. Otherwise, good luck! It’s pretty wild! And as was mentioned, speaking with a lawyer who knows what they’re talking about on these matters would probably be a smart idea.
Chris Butler: Welcome to the 21st century! I will say the regulation that is on the docket to pass in November in California… Numerous large data-based companies that have been funding lobbying efforts to shut it down have started to pull out. Facebook was spending hundreds of thousands of dollars to lobby against that particular law. They’ve ceased that spending. If you want to know what that means, it means they expect this thing to pass and they’re not going to throw money at a wasted effort. So, this is only going to get harder and more complicated. You might as well cut your teeth on this one now.
Mark O’Brien: Sounds great. Thanks everybody. We really appreciate it and hope you have a great Tuesday afternoon. Bye.