Warning to firms that monitor inboxes and aggregate data about message performance for customers: you could run afoul of the General Data Protection Regulation (GDPR).
“There is a sea change, and a lot of things people have happily done for years will not be acceptable under the GDPR,” says James Castro-Edwards, an attorney with the international law firm Wedlake Bell, and author of General Data Protection Regulation: A Guide to the New Law.
In general, “the GDPR imposes obligations on organizations that possess people’s personal data,” Castro-Edwards says. “One of the first is transparency — you have to tell them you’re doing it and what their rights are.” He adds: “If the person doesn’t have to have contact with that organization and doesn’t know the processing is taking place, there’s immediately a problem.”
This causes a problem with use of email panels for monitoring. Those consumers have no direct relationship with the firm doing the monitoring, and don't know it is being done.
Castro-Edwards counsels: “If a U.S. company relies on email panel data, it may well apply to you.”
Then there is website monitoring -- another activity that consumers may not be aware of.
Firms that collect personal data from web platforms may not offer a real choice. The privacy statement “could be at the bottom of the website, and it may be many pages long, in legal technical language,” Castro-Edwards continues. “It says that by using this website, you consent to sharing of data with third parties, and they will sell that data basically to whoever has the money.”
That could lead to trouble. “The GDPR requires a very granular level of consent,” Castro-Edwards argues. “If companies are purchasing consumer information for a purpose that these consumers have not explicitly consented to, they are subject to severe penalties, regardless of whether they are a data controller or simply a data processor.”
Case in point: A company might say “do you consent to email about products and services?” In the past, some firms might bundle in all possible data uses.
But now a company must ask whether the person consents to hearing about “products in our group of companies, or companies outside our group. You need three separate tick boxes,” he says.
As for firms that sell marketing databases and lists for email, “that sort of sector is going to suffer,” he says.
At the same time, there are people who have a database containing millions of people that they use to send email marketing to. “If you don’t have consent, you probably shouldn’t send it,” Castro-Edwards says.
It’s not easy. The GDPR, while mandated across Europe, will be enforced at the national level. “If the business is in the UK but the data subject is in Spain, it could also involve the Spanish data protection authority. Or there might be a German company, and the server is in the UK and it affects data subjects in Spain or France, all those data protection authorities will be involved.”
Are companies rushing to comply? Has Wedlake Bell seen an uptick in GDPR-related business? Castro-Edwards answers that “since the New Year, a lot of companies that put this off are now very busy getting their houses in order.”
And are firms now prepared?
“It depends on the company,” Castro-Edwards says. “The big companies in regulated sectors like finance and pharmaceuticals, and the big retail companies, have specialists managing data protection. They’re probably getting close to compliance. Smaller companies have probably not heard of GDPR, and have done nothing, and there’s a number in between. When people become aware of it, they’re rushing around to become compliant.”
Castro-Edwards concludes, “The GDPR is a strict piece of regulation that gives control and choice back to the consumer.”
Need we remind you? It takes effect May 25.