GDPR
Today, we interview Scott Rubenstein, Chief Client Officer, and Mason Jagel, Client Experience Team Lead, on the topic of the General Data Protection Regulation (GDPR).
Episode Transcription
Alexander Kotler: Dear user. As part of our commitment to you, we're emailing you now to inform you of important updates to our privacy policy. We want you to know that it's important to us that you know that we know that how we use your personal data is something that we should be transparent about and that we take very seriously.
Alexander Kotler: After you're finished reading everyone else's privacy policy updates, here's a link to read ours. Have you received one of these emails lately? Are you perhaps, responsible for sending them? Either way, the cause is the enforcement of the General Data Protection Regulation, or GDPR. And that is what we're talking about on this episode of RubyLaw Insights.
Alexander Kotler: GDPR is going into effect. OMG. It's happening. And we're here for some expert POVs so you don't have to RBTL. If you're already GDPR acronymed out, okay. MHOTY. But, if you're SITD or ISO, for info to CYA, then tune in because I am HW, this will leave you ROFL. JK, JK, JK, but hopefully in about fifteen minutes, thank you, I appreciate this, you'll be more informed on the GDPR.
Alexander Kotler: Our guests on RubbyApps Insights are Scott Rubenstein and Mason Jagel of Rubenstein Tech, and we'll be talking about the General Data Protection Regulation, otherwise known as GDPR. Welcome, Scott, welcome, Mason.
Scott Rubenstein: How are you doing today?
Alexander Kotler: Amazing.
Scott Rubenstein: Thank you Alex.
Alexander Kotler: Alright, so before we get started, a caveat: our perspectives on the GDPR do not constitute legal advice. Please consult appropriate counsel to determine the best course of action for your business. But let's kick it off by understanding what the GDPR is. Scott?
Scott Rubenstein: The GDPR applies to any business that collects information from any EU based users. And it doesn't matter where that business is necessarily from a physical location, as long as the users are EU based. And so there are a number of guidelines and restrictions on how you can obtain information from users on a website, how you can store information once you obtained it, and what you can do with that information once you've stored it.
Scott Rubenstein: So, for example, a person will come to your website and fill out a form for you to contact them. And how you store that information and then how you contact them are all sort of things that have new guidance on and new regulation, so that's essentially from that standpoint a big part of GDPR and the central guidance around GDPR.
Alexander Kotler: Mason, do you agree?
Mason Jagel: I agree. There's a lot of . . .
Alexander Kotler: (laughs) Of course you agree.
Mason Jagel: There's a little haziness with some of the details as to what they're going to enforce and how they're going to enforce it, and whether how far reaching this actually goes. So a lot of updates we've been seeing is companies in the EU, outside of the EU, regardless just kind of doing a one size fits all approach.
Alexander Kotler: And just to interject, sorry, for a quick moment. We've said it a couple of times, the EU, we have a global audience here, and so the EU for anyone that's not informed is the European Union.
Mason Jagel: Correct. (laughter) So we've noticed a lot of companies and clients taking a one size fits all approach to kind of cover the bases, just, you know, to you know, cover their own.
Alexander Kotler: CYA.
Mason Jagel: Exactly. And, you know, just in case it starts to be kind of inbuilt outside the EU.
Alexander Kotler: Is this something that is sudden? It feels like Y2K, which predates you, I don't even know if you were born yet Mason, but Y2K was this global phenomenon, which, in the year 2000, computers were going to shut down. The past few days and weeks I started to get a barrage of emails about the GDPR. Have we known about it?
Mason Jagel: Yes, we've known about it for quite some time, and I was born in '86. (laughter) It passed in April 2016. No-one really gave it any thought until you know the past few months or past few weeks or even days, which is why you've been, maybe probably been receiving a barrage of privacy policy change emails from every single website out there that you probably subscribe to in some way.
Alexander Kotler: So there is a fear, or at least an awareness about this regulation and its implementation. What is that fear and what potentially are the penalties?
Scott Rubenstein: There are some severe penalties. I believe it can be up to 25 million euros or something around three or four percent of your annual revenue if you're a company. So it does get high up there in terms of the monetary penalty and cost of doing business. One of the things that is particularly important to think about the GDPR is that in a way it's about doing good business and communicating with customers in, in the right way.
Scott Rubenstein: So for example, when you do obtain information from a customer, you're getting their preferences, and you are able to store that information about a particular person and then communicate to them in a way that they should be communicated to, and not sending them information that they don't want.
Alexander Kotler: So I have a question for you then, because it's sometimes more fun to talk about what you shouldn't do. So what are some really, really bad things, how would you violate the GDPR?
Scott Rubenstein: You violate the GDPR by basically taking your CRM or Customer Relationship Management Tool which has information about everybody that is one of your customers, and instead of curating that and making sure that they've all given consent to be communicated with, you've sent everybody in your database an email about something very specific that they may not want to know about.
Scott Rubenstein: So for example, if you're Target, and I have a login on Target because I bought a humidifier on Target, and then they send me an email about barbecues. Well, that might not be something that I've opted in to receive. I also may not have consented to receive marketing messages. I may have just wanted to buy a humidifier from Target.com. So if they take my information and use it in ways that I haven't explicitly or expressly consented, that would potentially not be in compliance with the GDPR.
Alexander Kotler: Mason, how do you feel about humidifiers?
Mason Jagel: (laughs) I recently started using them, so you know, pretty nice.
Alexander Kotler: (laughs) That's great. So Mason, seriously of course, what would be some perhaps best practices, some ways we can think about how to be a better purveyor of marketing messages to our audiences?
Mason Jagel: Always keep your users informed. Probably the big overlying message here. You want to let them know by updating your privacy policy about any forms of tracking with the cookies on the site. Any forms on the site should have an opt out or an opt in option, and the opt in should not be automatically checked. That should be something the user has to read and then manually check themselves, just so they're completely aware of where their information's going, whether you know, they're going to be subscribed to some mailing list -
Scott Rubenstein: And that's a really good point that Mason brings up about cookies. You know, all the, a lot of the amazing things that marketing technology and marketing automation has brought us in the past few years are driven from cookies being able to track users' information.
Scott Rubenstein: So one example is Google Analytics. You know, Google Analytics is one of those things that's essentially on every website. A lot of people have it, not a lot of people know exactly how to, how to wrangle it and get reporting on it but everybody has it. Maybe that's a good idea for, for a next podcast. But that being stated, that is all done by a cookie on your website. There are also cookies, you know, when we talk about marketing automation and ways for websites to track people on their CRM and track when people come from an email and go to the website and behaviors on a website, a lot of that is also tracked using a cookie.
Alexander Kotler: So, our audience is probably pretty well-informed. I'll spare everyone the pun, but let's define what a cookie is, if we can.
Scott Rubenstein: So a cookie is something that, it's a little text file that a website stores on the user's computer, either temporarily for that session, or permanently, which is known as a persistent cookie. And it essentially provides a way for that website to recognize you, and then to keep track of whatever your preferences are.
Mason Jagel: Yeah, a great example would be if you ever, I'm sure you have run into a cookie banner at some point while browsing the internet in the past few weeks. After you hit accept, you'll notice it doesn't come back the second time you visit the site, and that's because there is a cookie that is stored on your computer within the browser itself that is telling the browser "don't display this because they've already seen it before."
Scott Rubenstein: And one of the great things is that you know, like Mason mentioned cookie banners, you may have also noticed that you know when you go to websites there are a lot more cookie banners. When you check your email, you may get an email from a lot of the places that you frequent digitally sending you an email about privacy policy and then updating their privacy. These are all things that from the marketing standpoint for marketers, it's a difficulty trying to get the company up to speed with the GDPR and things that you're tasked with. But from a general sentiment, it's really great that websites and businesses in general are now complying with these new data privacy laws, because it really comes from a standpoint of protecting the user.
Scott Rubenstein: You know, we've heard a lot of sort of things going on about how Facebook collects data and how Google collects data, and the EU is a little wary about how they do that and how they then resell that data. And so a lot of these measures are to give consumers that insight so that they can be better like Mason said, informed about what they're doing on the web and that they're not being taken advantage of for not knowing any difference.
Alexander Kotler: We talked a little earlier about some of the tactical that can be included around forms. This sounds like a topic that's primarily for the marketing portion of an organization, or a communications function, I'm sure it's more far reaching than that. But what are some of the questions that people in roles affected by GDPR should be asking themselves?
Scott Rubenstein: So a big piece of it is about consent. So who in my database has consented to receive marketing messages, and how can I figure that out? And for a lot of folks, there is no mechanism in their current CRM for achieving that consent, so some folks are going out and trying to achieve that consent proactively before they send new information to users, so they're sending a blast to all users and asking them to opt in and to provide that express consent.
Scott Rubenstein: Another thing that marketing teams are doing is combing their CRM, and for people that don't have an email, or that no-one's contacted in years, they're playing it super safe and just deleting them from their CRM, with the idea that they really don't want to be dinged by any sort of government agency.
Scott Rubenstein: One of the things that makes the GDPR a lot different from previous data protection regulations is that whereas previous regulations the onus was on an individual to sort of take action against the business for using your information or communicating to you in an unlawful manner, GDPR has a governing body whose position is to regulate -
Mason Jagel: And enforce.
Scott Rubenstein: And enforce the law, and, you know, deliver these penalties to businesses that may not be in compliance. If you think about the barrier to an individual taking action to a business as opposed to a government with the resources at the ready to take action towards a business, they're more readily able to do that.
Scott Rubenstein: A key is that since no businesses have been made an example of yet, we don't know to what extent the law will be carried out. We just know that there are some best practices quickly emerging and these are some recommendations and suggestions that we can provide.
Alexander Kotler: Anything else that people should be at least thinking about doing before they even take action?
Mason Jagel: I'd agree that the curation of your current list should be managed, be it reaching out to every single person and having them actually opt in to any sort of newsletter or email blast that you might be sending them and then -
Alexander Kotler: I want to ask you a question on that.
Mason Jagel: Yeah.
Alexander Kotler: Because we're receiving all these notes now. And right now, I feel as though there's a lot of fatigue that people are going to get really fast. So taking that proactive approach, why would I as a marketer want to risk people immediately unsubscribing because they're associating my brand and my message with all of the other similar messages that they're receiving now. Why wouldn't they just opt out of all of them, and then we have to lose?
Mason Jagel: I mean it's -
Alexander Kotler: Fix it Mason, fix it! (laughter)
Mason Jagel: It's unfortunately one of those rules that are part of the GDPR, is people have to opt in. One of the positives to this is there will be people that will opt in, because there are people on your list that are interested in the information that you're producing. That they want more content, that they're hungry for it. And the conversion rates are going to skyrocket because of this. So your list might shrink, but the amount of people actually reading the email after opening it, and even clicking through to a certain page that you linked to, that interaction is probably going to increase significantly, just because you are keeping the quality people. It's not just one massive list that has thousands of people that are like "eh, I don't really care."
Alexander Kotler: You're swapping a diluted, voluminous list for one that's more concentrated, more inclined to have greater engagement.
Mason Jagel: Correct.
Scott Rubenstein: Some of the things that I've heard just by talking with marketing teams across multiple industries is that a lot of their email providers charge per email. So one of the, one of the incentives of GDPR and paring your list back is that instead of having to send 70,000 emails and paying for each email, you'll now be sending 7,000 emails and paying for less emails, and also getting much more of a bang for your buck, in terms of as Mason said, user engagement and conversion rates on opens and click through rates, et cetera.
Alexander Kotler: What are your forecasts for how long this period of uncertainty let's say around the enforcement of GDPR will last before we see someone made an example of?
Scott Rubenstein: I think there's still going to be some grace period between now and when the first you know, sort of major news story comes out about a business. I think businesses that are actively trying to update their privacy policies, actively putting things into place in their organization to try and comply with GDPR, I think as long as those things are documented and there are things that have been done, I think that the government would be more likely to not necessarily go for them, but it's really a wait and see approach.
Alexander Kotler: Scott, you offered us another topic for a future RubyLaw Insights podcast, we will have to just wait and see what it will be. (laughs)
Alexander Kotler: But gentlemen, thank you both, Mason, Scott, for your insights, your input. This has been another awesome session of RubyLaw Insights. Thanks.
Scott Rubenstein: Thank you.
Mason Jagel: Thank you.
Alexander Kotler: RubyLaw Insights is recorded at Studio 55, and is hosted by Alexander Kotler. For more insights and detail on RubyLaw and enterprise software developed by RubyLaw, visit RubyLaw.com. Until next time, have an awesome everyday.