It’s impossible not to notice: any agency that holds customer data (at any scale beyond the most local), and especially online marketers, are in a crisis of seemingly inconsistent permissions and notification emails. We’re all getting emails to double opt-in to email lists we don’t remember signing up for in the first place.
Even though these regulations were approved two years ago, some companies outside of the EU are scrambling, such as the major US newspaper the Los Angeles Times, which has blocked all its content to European viewers.
Let’s get this all straightened out:
So, what is GDPR?
GDPR, or General Data Protection Regulation, is the new European Union law protecting the personal data of EU residents. While GDPR is a European regulation, it impacts anyone dealing with data of EU residents, wherever the company is in the world. The law has some teeth behind it, and can mean big fines for companies found to be mishandling user data.
What exactly does GDPR regulate?
GDPR regulates almost all personal data, including indirect identifiers (like names, but also IP addresses), and includes special protections against the storage of “sensitive personal data,” like religious identity. The law also dictates how consent is obtained, to make it much more transparent. This is probably the reason for much of the accessible language flooding your inbox. As Nabeena Mali clarifies:
… the GDPR refines the principle of consent, requiring:
- The explicit consent of individuals.
- The elimination of blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions.
- The ability for individuals to easily withdraw consent.
In general, consumers and users now have many more stated rights regarding the use and erasure of their data, and companies have to be clear and accountable with their processes and intentions about data collection. Consent needs to be recorded, and this is why so many companies are now emailing to ask users to resubscribe and resubmit their data. Another important element compels companies to notify users of data breaches.
You can read much more about GDPR in general here, and we’ll be following up this blog post soon with our take on how this impacts the tech and blockchain space.