President Trump: Save us from the GDPR horror show
Third Door Media CEO Chris Elwell explains the onerous costs of complying with the European privacy regulation and calls upon the President to protect American businesses from its effects.
Donald Trump was elected president based in part on his commitment to slash regulations on American business. And he’s kept that promise, as he points out frequently.
Given that focus, how could he have missed the General Data Protection Regulation (GDPR), the European Union’s overzealous attempt to protect the privacy of its citizens?
This regulation, which goes into effect at the end of May, applies to European Economic Area residents, no matter where they live, and it would impose onerous fines upon companies not complying. Sovereignty and “America First” are nowhere to be found in GDPR discussions.
We recently hired a well-known digital privacy expert to help us comply with GDPR. Here are some of the jaw-dropping things we learned.
Double opt-in is the gold standard, but not the way to abide by GDPR
Since we started publishing Search Engine Land in 2006, we’ve observed a strict double opt-in policy for our newsletter subscribers. Double opt-in has always been the gold standard of permission, assuring that we send newsletters to people who want to hear from us and that they can unsubscribe easily.
Fill out this form, which appears on most pages, and you get an email asking if you really want to subscribe.
Only after replying to that email are you added to a list.
But that’s not good enough for GDPR. By processing the information necessary to generate the email that’s sent for confirmation, we are not in compliance. Consent is not granted sufficiently by asking readers to enter their email address and hit the “subscribe” button.
The advice? Add to each and every newsletter subscription form a link to our Privacy Policy and a box that readers would need to check, right next to the “subscribe” button.
You need to ask for permission over and over again
We operate two event series, MarTech and Search Marketing Expo. As part of registration, we ask this question:
As you can see, the box isn’t a required field, nor is it prechecked, observing industry best practices.
Again, that’s not nearly good enough for GDPR, at least by our expert’s interpretation. In order to comply, we would have to include check boxes for each exhibitor individually and get the registrant’s permission to share their information with each.
There are 100 exhibitors in the MarTech conference coming up later this month. That would mean listing them all on the page and asking our guests to consider and grant permission to each of them individually. Needless to say, that’s a suboptimal user experience.
You need to identify EU citizens… wherever they are
GDPR applies to EU citizens regardless where in the world they may be. Checking IP addresses is inadequate for determining EU citizenship. A Parisian may be using a computer in São Paulo to request to be signed up for a newsletter from a publisher in San Francisco.
Even asking for a person’s location may not provide protection. After all, plenty of EU citizens are living in other parts of the world and would appropriately list their location of residence as outside the EU.
No break for small businesses
The US has a tradition of providing regulatory relief for small businesses. No such luck with GDPR. The provisions for limiting the scope of GDPR for businesses under 250 employees was scotched at the eleventh hour.
I estimate that Third Door Media has invested more than 200 hours in our efforts to comply with GDPR, and the truth is that all we’ve accomplished so far is creating a roadmap for compliance.
And now for the truly absurd: business cards
Think GDPR applies just to online privacy? Wrong. It applies in the physical world as well.
Here’s an example. Say you’re at a conference in Beijing and a potential business contact from Munich hands you a business card. By the letter of the regulation, if you’re going to do anything with the information (“processes,” in GDPR-speak) on the card, you need to contact the person who gave you the card, tell her you’ll be entering her personal information into your CRM and give her the option to be purged from your systems.
Of course, common sense dictates that no one will do this or ever be prosecuted for it, but “common sense” and “GDPR” seem to be mutually exclusive.
May 25 is looming. Will anyone stop the clock?
There’s little doubt that the regulators who drafted GDPR had good intentions. Respecting the privacy of individuals is morally right and good business, too. Asking for permission before “borrowing” something is a lesson that should be learned in childhood and apply to business.
But that doesn’t mean that GDPR is good regulation. And with less than two months until it is imposed on the rest of the world, there’s little time to re-examine all 99 articles of the regulation.
Given that reality, President Trump, you should be evaluating GDPR and preventing its application to US companies.
Opinions expressed in this article are those of the guest author and not necessarily MarTech Today. Staff authors are listed here.
About The Author
