• by Wayne Friedman , Staff Writer, April 24, 2018

Stronger personal data protection laws are on their way, with some especially focused for email marketers.

Speaking at MediaPos's'st Email Insider Marketing Summit, Gary Kibel, partner, Davis & Gilbert, said General Data Protection Regulation, which will start in earnest (in terms of enforcement) on May 25, can be dense and complex. For example, the law has some 99 articles and 173 recitals, the latter explaining the meaning of the law.

“There are entire week-long conferences on GDPR if you are so inclined to sit through that torture,” Kibel says.

The GDPR law will have reach to the U.S. Kibel says: “It has an extra territorial scope. It applies to ‘controllers’ and ‘processors’ not established in the [European] Union if you are processing the data, if you are targeting [consumers], if you are selling goods to them.”

A “controller” is the data owner, who has the right to determine how it is going to be used. The "processor" is a service provider -- they are doing what the controller says. This may be a hosting company, or a email service provider. It could be an other vendor -- someone that doesn’t have the right to use data for their own independent purposes.

One key area comes from difference in definitions of personal data -- in Europe versus the U.S -- such as “anonymous” data.

“People in the U.S. always say “I anonymize the data.'" But in the U.S., Kibel says, “if you are savvy, you know that [anonymous data] can be re-identified. We can do to a third-party matching company and I can match the tracking cookie and find the email address.”

In the EU, there’s a major difference. “There can be no connection back to the original source, to the individual.” Kibel says in the EU “anonymous is purely anonymous. It is gone. You will never get back to that individual. So be careful as you use that term in disclosures.”

In a recent personal example, Kibel talked about picking up some hamburgers at a local New York restaurant. A coupon was sent to him sometime later by mail.

“It arrives in the month of my birth,” say Kibel. “And I’m thinking, ‘how did they know my birthday?’ I just bought burgers. How did they figure out my birthday? How did I pay?”

He paid by credit card. “They were matching the data with someone else who had birthday information. Hopefully, they only got the month, not the day and the year. I’m a privacy lawyer. There were no disclosure to me; no consent from me.”

Kibel offered this advice to marketers: “Whatever you do, don’t be creepy.”