How does GDPR compliance affect B2B digital advertising strategies?
Data privacy has become an increasingly important topic across many industries, which means that it’s especially important for digital marketers to understand the rules and abide by them. In the past, this has been a matter of best practices and common courtesy, but since 2018, increasing regulation has turned it into a practical concern as well. Businesses that aren’t following these practices need to improve their game or risk litigation.
If you aren’t familiar with the General Data Protection Regulation (GDPR) passed by the EU last year, you can catch up on our original post in which we outlined the significance of GDPR and the initial steps you can take to protect yourself.
For the rest of this post, we’re going to be talking about some of the more specific situations that apply to clients interested in using SharpSpring to automate their email marketing.
Is SharpSpring GDPR compliant?
Good question. What you should understand about GDPR regulations is that there are three parties at play: Data Subjects, Controllers, and Processors.
Data Subjects are your users, customers, clients, website visitors, etc. They’re the people the GDPR is designed to protect. You yourself are the Controller. You’re the one collecting and handling the information. The Processor is any third party you use to… well, process the information you gather from the Data Subjects. So to be GDPR compliant, you, the Controller, must follow the rules, as must any Processor you use.
SharpSpring, as a Processor, has done everything on its end to be GDPR compliant. However, that doesn’t mean you, the Controller, are in the clear to use it however you want. While SharpSpring does its best to prompt users to follow GDPR protocols, it’s still possible to abuse the system (intentionally or otherwise). And the easiest way to find yourself on the wrong side of GDPR is with B2C mailing lists.
B2C Businesses and User Consent
The GDPR wasn’t designed to target online marketers. Instead, it is most concerned with protecting the interests of private citizens. It’s trying to prevent large corporations from needlessly accumulating loads of sensitive and identifiable information which might then be compromised in a security breach or otherwise abused.
Because of this, marketers have more leeway than you might think, especially if they work primarily with other businesses. However, B2C businesses should continue to be cautious in how they collect and process data.
In particular, if you have email marketing lists, you should continue to gather consent from customers before adding them to your lists. You should also avoid gathering more information than necessary to perform the tasks at hand. Following these guidelines is good business practice, with or without the GDPR.
SharpSpring already has prompts to make sure its agencies aren’t importing purchased lists and blasting thousands of customers at a time with spam email. So long as you’re following these guidelines, you’re probably within the bounds of GDPR.
“Legitimate Interest” and Direct Marketing
One phrase that shows up a lot with regard to GDPR and online marketing is “legitimate interest.” What this means is that, so long as the Controller is using the data they gather to do something that can be reasonably seen as beneficial to the Data Subject, it’s probably OK. There’s a lot of wiggle room there, which is why the GDPR specifically calls out online marketing.
In particular, paragraph 47 states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
That’s great news for SharpSpring users, because it means you are in the clear to, for instance, send someone an email if you think they might be interested in your services without gaining their prior consent, provided you are doing so directly (i.e., not as part of a generalized email blast). This is especially relevant if you’re using downloadable content on your website to generate email leads.
GDPR and the Right to Object
However, there are still a few things you can’t do, as well as some things you should do anyway to be on the safe side.
For starters, if you do email someone, you still have to provide a clear way for them to opt out. GDPR outlines a “Right to Object” which, under Section 4, Article 21, Paragraph 2 states:
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
So if you start emailing a lead, you will have to be sure to include options for them to unsubscribe or otherwise indicate that they no longer want to hear from you. This is good for you as well: it means you waste less time chasing down uninterested leads.
And, even if someone submits their email address on your site to download your marketing guide, you can’t add that person’s email to a general marketing newsletter list because that’s not direct marketing. Direct marketing means that you’re emailing them individually, not as part of a list. SharpSpring helps automate the direct marketing process, but that doesn’t make it the same as a mass email campaign.
So, even if you can do all this and be in compliance, you may still want to include a short line of text under any email collection form to let them know what you’re doing with it. Better safe than sorry.
There’s more leeway in GDPR than you might think, but you should still play it safe.
When GDPR first came out, there was a lot of concern about the effect it might have on online marketers. We have always felt that consent-based marketing that puts the user first is the right way to do business, and that put us and our clients in a good position to meet the new criteria.
As it turns out, much of what the GDPR mandates is less applicable to marketers than we originally supposed, but we still recommend businesses take proactive steps in providing users with information about their website and obtaining informed consent.
If it’s good for your users, it’s good for your business as well. You can only succeed by putting your users first.
If you would like to read more about the GDPR yourself, the full regulations are available online in twenty-three languages.