Hello,
I want to start off by saying this is not legal advice, this is just providing information to allow you to make an informed decision on how to handle new GDPR policies that take effect May 25th.
The European Union has implemented a new law called GDPR. This regulates how personal data of European Union Citizens can be collected, used, and processed by your businesses. While it’s being implemented by the European Union, it applies not only to organizations based in the EU but also to those that have customers and contacts in the EU. So it’s going to have an impact on businesses all around the world.
The ultimate goal is to reduce spam and clearly define how companies will use personal data to transmit information in a fair and transparent way. It takes away the purchase of random lists of emails for marketing purposes.
Keep in mind we are talking about email marketing and spam. If you are providing a service that they requested and part of that service is information regarding that service, that is different than sending newsletters and specials.
The #1 question before I even continue is: What about this email list I have built over years of business in the vacation rental industry?
Ultimately, you have to prove that you got consent in a transparent and clear way. The definitions of this law are interpreted in many ways. I have spoken to lawyers who have differing opinions on the answer to this question.
As a property management company, you have to ask yourself several questions. Keeping in mind that ultimately, there is a 4% or up to 20 million dollars in fine, depending on the incident.
- How did you collect the email? When you collected the email, did you provide a transparent and clear way of collecting the information?
- If so, do you have a way to prove this?
- Is the individual from your mailing list a citizen of the European Union? This is not where they live today, it is their origin of citizenship.
- In your reservation communication emails with clients, did you disclose anywhere that they would be getting future specials or discount emails? While this is not a great defense, it is just something in your favor.
- Did you have an explicit checkbox in your checkout flow that says, Click here to receive newsletter and marketing material.
- Did you disclose at every field in your website the intent of what you will do with their personal information?
- Name, Email, Address, Phone
The list here goes on and on. As a property management company in Park City, we have clients from all over the world. We will be forced to make a decision as a company on how to handle this new law. There are a few things you can do.
- Email all of your contacts and ask them to opt-in to your email newsletter and clearly show your privacy and data policy.
- Email all of your contacts and let them know that you have changed your privacy and data policy and to please review.
- Streamline is going to provide something that allows you to email all of your guests and allow them to update their personal data profile (The data will be masked), provide them with their current status and allow them to opt-out of future emails. If you take this route, their IP, location, timestamp, privacy policy/data policy at the time they clicked to view the email will be logged.
- Go through your email marketing list and remove anyone that has a European address.
- Ignore this new law completely.
You have probably been receiving random emails that either inform you or ask you to opt back in to their mailing list.
It is up to you how to handle this new law. Number 1 is the safest and recommended way to handle this law. However, this is a law for citizens of the European Union. Options 2,3,4 have been strategies that I have seen from large companies in other industries to smaller companies.
I know companies that will choose to go down the road of #5 because of their client base. I wish I could tell you what to do, but that is a decision you need to make on your own. I have spoken to legal advisors that say the law is too open to interpretation and you can do #2, I have spoken to legal advisors that have told me #1 is the only thing you can do.
One word of advice, if you do decide to take option 1, make it count. Make sure that however you are having people opt in to receive your newsletter, you log their IP, location, privacy policy/data policy at the time and a time stamp.
As you move forward, we are about to release a new feature in the WordPress Plugin that will help with compliance. Did you know that you are required to have information to any personal data that you collect that explains how that information could/would be used? Imagine a small question mark rollover next to every field on your website that explains why your collecting a name during checkout or as part of a form.
Our plugin will also pass through the IP, location at the time of agreement, privacy policy/data policy at the time of agreement and a time stamp. The Privacy policy/data policy will be one checkbox that is required. Then, there will be a second checkbox to opt-in for future email newsletter and discounts.
Feel free to visit streamlinevrs.com and look at our privacy policy/data policy for some ideas. This is not implying that our privacy policy/data policy is perfect but as of right now, that is what we are going to be moving forward with.
One last question, are you following the ePrivacy law that appies to cookies and how you handle cookies on your website? This will be released with the latest Streamline WordPress Plugin, but if you have your own website, you can do a few things to be proactive.
If you have not visited this site before, notice the cookie warning that comes up at the bottom. I am sure you have started to see this popup all over the place with messages. You can use this site to see if you are cookie compliant,.
https://www.cookiebot.com/en/gdpr-cookies/
— BE CAREFUL, this website is about as close to spam as you can get but at least it gives you that information.
You can also read below about the ePrivacy law, which is different than GDPR. Please visit this website to learn more.
https://www.eprivacy.eu/en/about-us/news-press/news-detail/article/what-does-the-eprivacy-regulation-mean-for-the-online-industry/
The rest of this document is going to provide you with different opinions that I have found around the web and links to documentation that I found to be very useful (aka, completely confusing). This article is mainly focused around GDPR law.
There are many components to GRDPR. We will be discussing information that is important to you as a property manager and also provide insight into how Streamline will be dealing with GDPR. One thing to understand is that at this time, GDPR is very open to interpretation and a lot of the requirements are not black or white.
Let’s start with what is considered personal data. This includes a person’s full name, email, physical traits, political views, religious views and their IP. When you have this information, you are considered to be holding personal data. If you are using cookies to identify personal information on your website, you should already be disclosing this to your visitors. This will be added to our plugin and you should make sure you follow suit with cookie policies.
This will apply to any company that provides a service to an individual in the European Union. Often times, you can identify a user from the European Union based on the IP address, but that will just ensure you that you must comply with GDPR policies in that situation and it does not guarantee that the user is a European Citizen. They could use an IP that indicates they are in the US but still be a European Union citizen.
The most concerning aspect of the law is that you could be fined up to 4% of your revenue, up to 20 million dollars.
Where does Streamline and other vendors come into play?
If you are storing this personal information in our servers, you want to make sure that your vendors are GDPR compliant. There are some key protocols that Streamline is introducing to be compliant.
- Breach and Security protocols. Any security breach that could negatively impact an individual must be reported within 72 hours.
- European citizens and effectively any user, will have the right to be forgotten. This means, you can no longer contact them. Streamline will make sure that triggered documents and any emails from Streamline would not be delivered to a guest or user where you have clicked a new checkbox that will be available May 25th in a guest profile. In order to keep information on the reservations, we will be replacing the information with fictitious data. However, our email systems will know to avoid emailing that user based on the extension we will have on their fictitious email.
- There is also the need to destruct data from a security standpoint. This goes beyond GDPR and we are putting a policy in place to assist in compliance with GDPR. Please read our new Privacy Policy.
- All functions with personal data must be secure. This is where you will see a transition from using a company code to the requirement of tokenization, IP restriction and access to pre-defined system functions.
- Streamline will be deprecating our BulkMail system May 25th. We will still allow people to build dynamic lists, however, we will no longer support our BulkMail solution. We recommend creating a Constant Contact or Mail Chimp account but most important, make sure they are GDPR compliant before opening your account.
- Our backups reside on AWS volumes and automatically encrypt information.
- How is personal data protected in Streamline. We utilize a private VPN, firewalls and several layers of internal security to ensure data is not accessible outside of our admin and API users are monitored for activity patters.
A few policies that we will be putting in place May 25th:
- If a guest or system user asks to be forgotten and that box is checked, you will have 13 days before Streamline destroys that information from all of its servers. After 13 days, you will not be able to find any personal information on that user. We will replace their name, email, phone, traits and anything else personally identifiable to that user and replace it with generic information.
- Every January, we will be destroying data for companies that are no longer with Streamline prior to June 1. In other words, we will keep data for a maximum of 1 year before destroying that data.
As we implement additional security standards moving forward, it will just re-inforce our commitment to GDPR compliance and overall security of your data. We are introducing double authentication and our password strength requirement which will require all users to have a strong password to every user in the system. Right now, clients have the option to turn on these services.
What about you?
As mentioned earlier, GDPR is open to interpretation. I will be giving you ideas and suggestions and you will need to make your own decisions on how you want to implement those options.
Everything below will apply to European Union Citizens but I assume eventually this policy will spread to the US.
Right to be informed : Your users can ask you how their data is stored and used. When you get such an inquiry, you have 13 business days to respond.
Right of access : This is their right to see what personal data you have in your system.
Right of rectification : This is their right to edit their information.
Right to be forgotten : This legislation requires keeping data for a period of time and it differs within every jurisdiction. We have decided on 13 days to follow the timeframe for the right to be informed.
Right to restrict processing : Your guests do not have to give you personal data if they don’t want to.
Right of portability : If a company has your personal information, they can request for a transferable file and request that you stop using that data.
Right to object : This includes not receiving marketing material. Giving people an unsubscribe feature in all communicate is critical.
These are some of the basic components of the GDPR law. Now, this is where it starts to get interesting.
European Union Citizens must give you consent freely and easily (interpretable). Most of us have a Terms & Conditions and a Privacy Policy on our websites. We add any marketing material information into our Privacy Policy. For the purpose of marketing materials such as newsletter marketing, it should be its own data policy. However, some people choose to integrate it with the Privacy Policy. If you do so, make it clear and transparent. It cannot be hidden in your Privacy Policy. Make sure you disclose what information is being stored, how long and any obligations that they have.
If you are using a Bulkmail System, make sure it is GDPR compliant.
Remember, opting in to receive a newsletter CANNOT be pre-selected. It must be opt-in.
Below are some approaches I have seen over the past few weeks. One of the techniques that I have seen was a more informative approach. It was basically informing their newsletter list that they are enforcing this new policy and they could read all about it and be removed from their mailing list.
EDITED VERSION:
Dear Carlos,
You are receiving this email in light of recent changes to data-privacy laws.
The new General Data protection regulation (GDPR) puts you in charge of your personal data. This means:
You’ll have your vacation details and personal information stored in one place
You can manage what information is sent to you
You can retrieve all your data – at any time
The updated Data Policy gives you a clear explanation of how we treat your data. You will find more information in your account.
Use your account to manage communication settings and receive relevant tips, information and updates on your reservation.
*********
Most of us don’t have the ability to do this, however, if you are able to email out a landing page where you can send someone to a landing page that is specific to them, show them the data policy, you have given people who opted in before the ability to opt-out and have informed them of any new laws. MailChimp and Constant Contact should provide you with such a solution. Streamline will be providing a general solution for this to your guests.
If you don’t have a process like this, you could send out an email, provide the same information and ask them to call in to be forgotten. I have actually seen people take that approach.
**********
ANOTHER APPROACH (EDITED VERSION)
As a prior guest of Property Management Company A, we wanted to express our commitment to protecting personal data in compliance with all applicable laws, rules, and regulations. This communication specifically addresses the European Union General Data Protection Regulation (“GDPR”), which will take effect on May 25, 2018. This new data protection law will replace the 1995 Data Protection Directive (Directive 95/46/EC).
In order to protect the personal data of EEA citizens under GDPR, we have made changes to our data policy that will be taking effect on May 25, 2018. These changes, if applicable, will further define our relationship and can be found here:
www.yoursite.com/yourdatapolicy
These changes include:
- Standard contractual clauses for the transfer of personal data outside of the EEA, as adopted by the European Commission.
- Data processing language that highlights the fact that we are store data.
- Although we are not engaging in any new data collection or processing, the definition of “personal data” has expanded under the GDPR to include information such as cookie IDs. One of the changes you will notice is that we now state that we may process “personal data.”
Please familiarize yourself with our data policy. You do not need to sign this agreement to continue receiving our services. If you continue to use our services on or after May 25, 2018, you are agreeing to be bound by our data policy.
If you have any questions, please contact us.
Thank you for your continued partnership and trust.
********
People are getting very creative with how they clean their lists. Some clients have used tools that predict where an email is from.
https://www.beenverified.com/email-search/
https://infotracer.com/ (Click on @Email Search Tab)
The problem with these solutions is going to be the accuracy of the response. Often times, the location of the email will be defined solely by the url in the email.
*********
At the end of the day, you have to make an educated decision on how to move forward to be in compliance with GDPR. This is similar to the DO NOT CALL list that was developed in the US. I still get soliciting calls all the time even though I am not supposed to be on that list.
FAQ:
Here are some commonly asked questions:
How can I prove consent?
You can try to use double opt-in.
You can capture an image of your signup form to prove you accurately described your marketing activities. Google has tools that can take and save screenshots of a page (scary)!
How can I use features in my email marketing solution to help comply with the GDPR?
- Use GDPR approved signup forms and double opt-in to collect your contacts.
- Ensure the language in your signup form accurately describes your marketing activities.
- Update your website’s privacy statement or policy to state what third party vendor will store their information.
Do I need to get consent from my existing contacts?
If you collected consent from existing contacts in a way that complies with the GDPR, you may not need to collect consent from those contacts again.
Otherwise, you’ll need to collect GDPR-friendly consent from the contacts you already have. Send a consent email to everyone on your list that includes a link to update their settings.
Use a descriptive subject line to let your contacts know that an action is required.
If my contacts don’t consent, should I stop communicating with them?
You need to have a legal basis, like consent, to process an EU data subject’s personal data. I recommend you seek legal counsel at this point.
After May 25 2018, communicate with contacts who have expressly opted-in to your marketing. You may find it helpful to bulk unsubscribe all contacts who have not opted to receive any marketing from you.
Do I need to use double opt-in?
We recommend you enable double opt-in with your bulk mail provider if you are subject to the GDPR.
Double opt-in includes an extra confirmation step that verifies each email address. This confirmation provides additional evidence of consent.
What if I transfer data from a site or e-commerce store to my email marketing software account?
You are responsible for determining whether other third-party applications, including connected sites and e-commerce stores, meet GDPR requirements.
If you rely on consent to process subscribers’ personal data, double check whether the consent that you previously obtained meets the GDPR’s standards. For example, check third-party integrations to be sure they don’t automatically add people to your list without an opt-in checkbox that clearly states how you’ll use that person’s data.
Do I need to sign a Streamline Data Processing Agreement?
You will need to sign off on May 25th identifying what approach you will be taking moving forward.
How can I improve my opt-in process?
When setting up your opt-in forms, use checkboxes accompanied by affirmative phrases that make it clear to users what they’re signing up for. This allows users to signup through performing the positive action of checking a box that affirms which types of data processing they accept.
The GDPR forbids the use of “pre-checked” boxes, for which users must uncheck if they don’t want to subscribe, and awkward language designed to confuse subscribers (i.e. “Please check if you don’t want to be subscribed to our newsletter”).
What if we use personal data for other purposes than email marketing?
There should be a separate checkbox for each of the different types of processing for which you plan to use their personal information. For example, if you send a newsletter, promotional emails, and automated emails based on their reservations, you have to get permission for these types of processing separately.
You can no longer lump together multiple different opt-ins into one affirmative statement (e.g. “I agree to receive the monthly newsletter, weekly promotional emails, and automated emails based on my behavior and interests”). They must be separate and explicitly stated so the user has a choice.
Can I restrict the data I collect?
Every piece of personal data that you collect must be essential for the service that is being offered. If it is not clearly essential, like giving an email address to sign up for an online newsletter, you must explain why it is necessary.
If you want to collect additional personal details from subscribers at the time of signup, such as first and last name or gender preference, you need to explain why (e.g. “We are collecting these details to give you a more personalized experience with our promotional emails.”).
Do I really have to get consent from people AGAIN?
This is a tough one and open to interpretation. Do you have a data policy that is clear and transparent already? There are cases where people just throw consent to receive email newsletters in with a giant book (Like this blog). While there is always going to be a risk in not following exactly what is being requested by GDPR, you need to make a judgement call on how good your opt-in policy has been thus far. If you have only had an opt-out policy, it is going to become challenging to justify not cleaning your list.
What about phone calls?
Essentially, you should have a script that covers your privacy policy and ask the user if they want to receive future information. I would suggest that this becomes something that you integrate into the electronic signatures. This is something that we will start to integrate as another option to get consent for future email marketing.
Unless you are going to record these calls when you discuss your privacy policy/data policy and when you asked for consent to send them email marketing material, anyone can challenge this.
What implies obtaining consent?
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
- By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies.
- This means:
- It must be as easy to withdraw consent as it is to give it. If organizations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first. Cookie laws are separate to GDPR but should still be followed on your websites.
- This link has great information on Cookie requirements through E Privacy Regulation. https://www.eprivacy.eu/en/about-us/news-press/news-detail/article/what-does-the-eprivacy-regulation-mean-for-the-online-industry/
- Soft opt-in consent is another option, according to Cookie Law: “This means giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action.”
- Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
- It must be as easy to withdraw consent as it is to give it. If organizations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first. Cookie laws are separate to GDPR but should still be followed on your websites.
This is not as bad as it seems. Although these restrictions may seem like they’ll hurt your business, it’s actually good for your email deliverability and customer relationships. It will reduce getting bad reviews and complaints about your company. The important thing here is how you are going to approach the requirements of this law on May 25th.
That’s because these steps will ensure that people are signing up for the right reason: they want to receive your marketing emails. This will create more engagement for your campaigns, leading to better deliverability, and happier customers because they’re getting what they want.
Below are some online articles that I found to be very helpful.
In addition, I have posted a MailChimp Document that was very helpful.
https://www.streamlinevrs.com/mailchimp/gdrp.pdf
There is also a great presentation from theopma.org and Shutts & Bowen LLP
https://www.streamlinevrs.com/opma/opma-gdpr.pptx
GDPR:
https://www.mycustomer.com/marketing/data/gdpr-how-to-know-if-you-should-repermission-customers-for-consent
This provides different opinions and interpretations
https://info.securitymetrics.com/gdpr-101-wp?utm_source=Email&utm_medium=Email
GDRP checklist
https://kinsta.com/blog/gdpr-compliance/
GDPR details for WordPress users
Sample Privacy Policy:
http://retailmarketingacademy.com/privacy-policy/#
https://www.streamlinevrs.com/privacy-policy-2/
Streamline Privacy Policy
https://www.orlandorentavilla.com/more-info/privacy-policy/
Streamline Client Privacy Policy
–Please do not copy and paste privacy policies!
Sample Contact Form with Privacy Policy:
https://www.orlandorentavilla.com/more-info/privacy-policy/