I want to start off by saying this is not legal advice, this is just providing information to allow you to make an informed decision on how to handle new GDPR policies that take effect May 25th.
The European Union has implemented a new law called GDPR. It regulates how the personal data of European Union citizens can be collected, used, and processed by businesses. While it is being implemented by the European Union, it applies not only to organizations based in the EU but also to those that have customers and contacts in the EU. So it is going to have an impact on businesses all around the world.
The ultimate goal is to reduce spam and clearly define how companies will use personal data to transmit information in a fair and transparent way. It ends the practice of buying random lists of email addresses for marketing purposes.
Keep in mind we are talking about email marketing and spam. If you are providing a service that the customer requested, and part of that service is information regarding that service, that is different from sending newsletters and specials.
The #1 question before I even continue is: What about this email list I have built over years of business in the vacation rental industry?
Ultimately, you have to prove that you got consent in a transparent and clear way. The definitions of this law are interpreted in many ways. I have spoken to lawyers who have differing opinions on the answer to this question.
As a property management company, you have to ask yourself several questions. Keep in mind that ultimately there is a fine of 4% or up to 20 million dollars, depending on the incident.
The list here goes on and on. As a property management company in Park City, we have clients from all over the world. We will be forced to make a decision as a company on how to handle this new law. There are a few things you can do.
You have probably been receiving random emails that either inform you or ask you to opt back in to their mailing list.
It is up to you how to handle this new law. Number 1 is the safest and recommended way to handle this law. However, this is a law for citizens of the European Union. Options 2, 3, and 4 are strategies that I have seen used by companies ranging from large companies in other industries to smaller companies.
I know companies that will choose to go down the road of #5 because of their client base. I wish I could tell you what to do, but that is a decision you need to make on your own. I have spoken to legal advisors who say the law is too open to interpretation and you can do #2; I have spoken to other legal advisors who have told me #1 is the only thing you can do.
As you move forward, we are about to release a new feature in the WordPress Plugin that will help with compliance. Did you know that, for any personal data you collect, you are required to provide information explaining how that data could or would be used? Imagine a small question mark rollover next to every field on your website that explains why you're collecting a name during checkout or as part of a form.
One last question: are you following the ePrivacy law that applies to cookies and how you handle cookies on your website? This will be released with the latest Streamline WordPress Plugin, but if you have your own website, you can do a few things to be proactive.
If you have not visited this site before, notice the cookie warning that comes up at the bottom. I am sure you have started to see this popup all over the place with various messages. You can use this site to see if you are cookie compliant.
BE CAREFUL: this website is about as close to spam as you can get, but at least it gives you that information.
You can also read below about the ePrivacy law, which is different than GDPR. Please visit this website to learn more.
The rest of this document is going to provide you with different opinions that I have found around the web and links to documentation that I found to be very useful (aka, completely confusing). This article is mainly focused around GDPR law.
There are many components to GDPR. We will be discussing information that is important to you as a property manager and also provide insight into how Streamline will be dealing with GDPR. One thing to understand is that at this time, GDPR is very open to interpretation and a lot of the requirements are not black or white.
Let's start with what is considered personal data. This includes a person's full name, email, physical traits, political views, religious views and their IP address. When you have this information, you are considered to be holding personal data. If you are using cookies to identify personal information on your website, you should already be disclosing this to your visitors. This will be added to our plugin, and you should make sure you follow suit with your own cookie policies.
This will apply to any company that provides a service to an individual in the European Union. Often you can identify a user from the European Union based on the IP address, but that only tells you that you must comply with GDPR in that situation; it does not guarantee that the user is a European Union citizen. They could use an IP address that indicates they are in the US but still be a European Union citizen.
The most concerning aspect of the law is that you could be fined up to 4% of your revenue, up to 20 million dollars.
Where do Streamline and other vendors come into play?
If you are storing this personal information on our servers, you want to make sure that your vendors are GDPR compliant. There are some key protocols that Streamline is introducing to be compliant.
A few policies that we will be putting in place on May 25th:
As we implement additional security standards moving forward, it will only reinforce our commitment to GDPR compliance and the overall security of your data. We are introducing double authentication and a password strength requirement that will require every user in the system to have a strong password. Right now, clients have the option to turn on these services.
What about you?
As mentioned earlier, GDPR is open to interpretation. I will be giving you ideas and suggestions and you will need to make your own decisions on how you want to implement those options.
Everything below will apply to European Union Citizens but I assume eventually this policy will spread to the US.
Right to be informed: Your users can ask you how their data is stored and used. When you get such an inquiry, you have 13 business days to respond.
Right of access: This is their right to see what personal data you have in your system.
Right of rectification: This is their right to edit their information.
Right to be forgotten: This legislation requires keeping data for a period of time, and that period differs within every jurisdiction. We have decided on 13 days to follow the timeframe for the right to be informed.
Right to restrict processing: Your guests do not have to give you personal data if they don't want to.
Right of portability: If a company has your personal information, you can request a transferable file and request that the company stop using that data.
Right to object: This includes not receiving marketing material. Giving people an unsubscribe feature in all communications is critical.
These are some of the basic components of the GDPR law. Now, this is where it starts to get interesting.
If you are using a bulk mail system, make sure it is GDPR compliant.
Remember, opting in to receive a newsletter CANNOT be pre-selected. It must be an explicit opt-in.
Below are some approaches I have seen over the past few weeks. One of the techniques I have seen was a more informative approach. It basically informed the newsletter list that the company is enforcing this new policy, and that recipients could read all about it and be removed from the mailing list.
You are receiving this email in light of recent changes to data-privacy laws.
The new General Data Protection Regulation (GDPR) puts you in charge of your personal data. This means:
You’ll have your vacation details and personal information stored in one place
You can manage what information is sent to you
You can retrieve all your data – at any time
The updated Data Policy gives you a clear explanation of how we treat your data. You will find more information in your account.
Use your account to manage communication settings and receive relevant tips, information and updates on your reservation.
Most of us don't have the ability to do this. However, if you can email each person a link to a landing page that is specific to them and shows them the data policy, you have given people who opted in before the ability to opt out and have informed them of the new laws. MailChimp and Constant Contact should provide you with such a solution. Streamline will be providing a general solution for this for your guests.
If you don’t have a process like this, you could send out an email, provide the same information and ask them to call in to be forgotten. I have actually seen people take that approach.
ANOTHER APPROACH (EDITED VERSION)
As a prior guest of Property Management Company A, we wanted to express our commitment to protecting personal data in compliance with all applicable laws, rules, and regulations. This communication specifically addresses the European Union General Data Protection Regulation (“GDPR”), which will take effect on May 25, 2018. This new data protection law will replace the 1995 Data Protection Directive (Directive 95/46/EC).
In order to protect the personal data of EEA citizens under GDPR, we have made changes to our data policy that will be taking effect on May 25, 2018. These changes, if applicable, will further define our relationship and can be found here:
These changes include:
Please familiarize yourself with our data policy. You do not need to sign this agreement to continue receiving our services. If you continue to use our services on or after May 25, 2018, you are agreeing to be bound by our data policy.
If you have any questions, please contact us.
Thank you for your continued partnership and trust.
People are getting very creative with how they clean their lists. Some clients have used tools that predict where an email is from.
https://infotracer.com/ (Click on @Email Search Tab)
The problem with these solutions is going to be the accuracy of the response. Often the location is determined solely by the domain in the email address.
At the end of the day, you have to make an educated decision on how to move forward to be in compliance with GDPR. This is similar to the DO NOT CALL list that was developed in the US. I still get soliciting calls all the time even though I am not supposed to be on that list.
Here are some commonly asked questions:
How can I prove consent?
You can try to use double opt-in.
You can capture an image of your signup form to prove you accurately described your marketing activities. Google has tools that can take and save screenshots of a page (scary)!
How can I use features in my email marketing solution to help comply with the GDPR?
Do I need to get consent from my existing contacts?
If you collected consent from existing contacts in a way that complies with the GDPR, you may not need to collect consent from those contacts again.
Otherwise, you’ll need to collect GDPR-friendly consent from the contacts you already have. Send a consent email to everyone on your list that includes a link to update their settings.
Use a descriptive subject line to let your contacts know that an action is required.
If my contacts don’t consent, should I stop communicating with them?
You need to have a legal basis, like consent, to process an EU data subject’s personal data. I recommend you seek legal counsel at this point.
After May 25, 2018, communicate only with contacts who have expressly opted in to your marketing. You may find it helpful to bulk unsubscribe all contacts who have not opted in to receive any marketing from you.
Do I need to use double opt-in?
We recommend you enable double opt-in with your bulk mail provider if you are subject to the GDPR.
Double opt-in includes an extra confirmation step that verifies each email address. This confirmation provides additional evidence of consent.
What if I transfer data from a site or e-commerce store to my email marketing software account?
You are responsible for determining whether other third-party applications, including connected sites and e-commerce stores, meet GDPR requirements.
If you rely on consent to process subscribers’ personal data, double check whether the consent that you previously obtained meets the GDPR’s standards. For example, check third-party integrations to be sure they don’t automatically add people to your list without an opt-in checkbox that clearly states how you’ll use that person’s data.
Do I need to sign a Streamline Data Processing Agreement?
You will need to sign off on May 25th identifying what approach you will be taking moving forward.
How can I improve my opt-in process?
When setting up your opt-in forms, use checkboxes accompanied by affirmative phrases that make it clear to users what they're signing up for. This allows users to sign up by performing the positive action of checking a box that affirms which types of data processing they accept.
The GDPR forbids the use of "pre-checked" boxes, which users must uncheck if they don't want to subscribe, and awkward language designed to confuse subscribers (e.g. "Please check if you don't want to be subscribed to our newsletter").
What if we use personal data for other purposes than email marketing?
There should be a separate checkbox for each of the different types of processing for which you plan to use their personal information. For example, if you send a newsletter, promotional emails, and automated emails based on their reservations, you have to get permission for these types of processing separately.
You can no longer lump together multiple different opt-ins into one affirmative statement (e.g. “I agree to receive the monthly newsletter, weekly promotional emails, and automated emails based on my behavior and interests”). They must be separate and explicitly stated so the user has a choice.
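To show how the consent-proof questions above (double opt-in, evidence of what the signup form said, and one checkbox per processing purpose) fit together, here is an added example in Python. It is not Streamline's code or any mailing provider's API; the purpose names, the form fingerprint and the signing secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical purposes: each gets its own checkbox on the form, none pre-checked.
PURPOSES = ("newsletter", "promotions", "reservation_updates")
SECRET = secrets.token_bytes(32)  # constructed for the demo; load from config in practice

@dataclass
class ConsentRecord:
    email: str
    purposes: frozenset            # only purposes the user affirmatively ticked
    form_hash: str                 # fingerprint of the wording shown at signup (evidence)
    requested_at: str
    confirmed_at: Optional[str] = None

def record_signup(email, submitted, form_text, now=None):
    """Build an unconfirmed consent record from a form submission.

    `submitted` maps purpose -> bool as sent by the browser. Unknown purposes
    are ignored, and a bundled 'all' checkbox is refused: GDPR needs a separate,
    explicit choice per purpose.
    """
    if "all" in submitted:
        raise ValueError("bundled consent not allowed; use one checkbox per purpose")
    ticked = frozenset(p for p in PURPOSES if submitted.get(p) is True)
    now = now or datetime.now(timezone.utc)
    return ConsentRecord(
        email=email.strip().lower(),
        purposes=ticked,
        form_hash=hashlib.sha256(form_text.encode()).hexdigest(),
        requested_at=now.isoformat(),
    )

def confirmation_token(rec):
    """Double opt-in: sign email + purposes + time so the mailed link cannot be forged."""
    msg = f"{rec.email}|{','.join(sorted(rec.purposes))}|{rec.requested_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def confirm(rec, token, now=None):
    """Mark consent confirmed only if the token from the confirmation email matches."""
    if not hmac.compare_digest(token, confirmation_token(rec)):
        return False
    rec.confirmed_at = (now or datetime.now(timezone.utc)).isoformat()
    return True

def may_send(rec, purpose):
    """Send for a purpose only if it was ticked AND confirmed by the double opt-in."""
    return rec.confirmed_at is not None and purpose in rec.purposes
```

The stored record (purposes, form fingerprint, request and confirmation timestamps) is the evidence you would show if asked to prove consent.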
Can I restrict the data I collect?
Every piece of personal data that you collect must be essential for the service that is being offered. If it is not clearly essential, like giving an email address to sign up for an online newsletter, you must explain why it is necessary.
If you want to collect additional personal details from subscribers at the time of signup, such as first and last name or gender preference, you need to explain why (e.g. “We are collecting these details to give you a more personalized experience with our promotional emails.”).
Do I really have to get consent from people AGAIN?
This is a tough one and open to interpretation. Do you have a data policy that is clear and transparent already? There are cases where people just bury consent to receive email newsletters inside a giant book (like this blog). While there is always going to be a risk in not following exactly what GDPR requests, you need to make a judgment call on how good your opt-in policy has been thus far. If you have only had an opt-out policy, it is going to become challenging to justify not cleaning your list.
What about phone calls?
What implies obtaining consent?
This is not as bad as it seems. Although these restrictions may seem like they'll hurt your business, they are actually good for your email deliverability and customer relationships. They will reduce bad reviews and complaints about your company. The important thing here is how you are going to approach the requirements of this law on May 25th.
That’s because these steps will ensure that people are signing up for the right reason: they want to receive your marketing emails. This will create more engagement for your campaigns, leading to better deliverability, and happier customers because they’re getting what they want.
Below are some online articles that I found to be very helpful.
In addition, I have posted a MailChimp Document that was very helpful.
There is also a great presentation from theopma.org and Shutts & Bowen LLP.
This provides different opinions and interpretations.
GDPR details for WordPress users
Please do not copy and paste privacy policies!