GDPR: An Advisory And Tips On Compliance

The right to be forgotten in data subject access, anonymous data, data processing agreements and other processes are very different in the U.S. compared with the European Union. As the General Data Protection Regulation (GDPR) enforcement deadline nears, Gary Kibel, partner at Davis & Gilbert LLP, suggests email marketers pay close attention to the laws. 

Most marketing strategies these days are based on privacy and the collection of consumer data. Data and privacy drive businesses. The European Union’s GDPR and the E-Privacy Directive are now the main focus in Europe.

In the U.S., privacy, in general, is regulated by the Federal Trade Commission. Privacy law is governed by one concept in the U.S. -- unfair or deceptive acts, which have been declared unlawful, said Kibel, addressing email marketers at the MediaPost Email Insider Summit in Captiva, Florida on Tuesday. The laws governing children as well as healthcare and other sectors in the U.S. and the EU are different.



Kibel spent about 30 minutes comparing and contrasting U.S. and European laws, key provisions in GDPR, and pending U.S. legislation that will change the way email advertisers design campaigns, and discussed personal information such as a person’s name, email address, and tracking cookies in browsers.

In the U.S., some data is only considered personal information for those who are under 13 years of age. In the EU, it’s all considered personal data.

The GDPR has 99 articles that govern privacy. While the law is in effect now, enforcement begins May 25, 2018. And the penalties for not respecting personal privacy are huge. “There will be some serious teeth if you mess up if the regulators choose to come after you,’ he said.

The GDPR also applies to companies not established in the EU when companies process EU citizen data, such as email service providers and companies that target ads and sell goods.

Consent is now required -- for example, serving up a note in an email asking the consumer to check a box for the brand to use the data that will transfer to their platform once the person clicks through the email to the website.  

Personal anonymous data also differs when comparing the EU to the U.S. In the EU, there can be no connection between the person and the data. In the U.S., marketers know they can match the data back to the person through a third-party matching cookie and re-identify the person, he said.

Kibel warned email marketers to be cautious in how they use the description of anonymized data -- specifically when working with data from consumers in the EU -- and provided tips for email marketers.

Much of what Kibel spoke about is also applicable to search marketers. The video of Kibel’s presentation can be found here.


Next story loading loading..