The EU’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018. That’s only six months away, but I’m surprised by how many publishers don’t know about GDPR, don’t think it affects them, or think they’re compliant when they’re not.
We’d much rather focus on the fun part of publishing: creating great content, building our audience, and growing revenue. But legal compliance is now a core requirement of doing business online, and GDPR takes online privacy to an entirely new level.
GDPR is built on the concept of “privacy by design” and goes way beyond both the U.S. CANSPAM and the Canadian Anti-Spam Law (CASL). It requires publishers to get affirmative consent from someone prior to collecting ANY data about them. It also requires that you keep a record of such consent and give the individual the ability to revoke consent at any time, and to access, correct, or completely erase ALL data you have about them.
And, unlike most previous privacy regulation, GDPR extends beyond personally identifiable information (PII) such as email, name, demographics, purchases, etc. It also includes non-personally identifiable information such as anonymous cookies, IP, or digital fingerprinting. In the eyes of GDPR, there is no difference between PII and non-PII data … it’s all personal data.
Penalties for non-compliance can be severe … up to 4% of a company’s annual revenue.