Before the Facebook data scandal was uncovered a few weeks ago, most Americans did not realize how and where their data was being used. The outrage from this scandal dictates that everyone in the lead generation world must stop and take a look at what they are doing and how potential legislation might affect them.
On May 25, 2018, GDPR is going live. The General Data Protection Regulation is an EU law that covers all of its citizens’ data.
The easiest path for Washington, and most of the large Facebook/Google type companies that pay big bucks to lobbyists will be to pass something as close to GDPR as possible to replicate these protections for US citizens. If they can operate their businesses under one guideline, I am sure they will be happy to do that.
With the Facebook scandal still on Congress’s mind, the biggest GDPR issue American companies might face is the fact that Washington may want to enact a similar law. Soon. Maybe the marketing world will get lucky and nothing new like the Facebook scandal or the Equifax hack (or any of the other large-scale data breaches from the past few years) will happen in the next few months. If it does though, I think enough people in Washington will want to do “something” and that will affect anyone dealing with consumer data in any way. I am not just talking about the icky, smoking, smoldering data that most are already fearful of like health, credit card or finance data. I mean anything. Name. Email. Phone. IP Address.
Yeah, everything.
If you are an American company and are dealing with EU consumer data in any way, the GDPR also applies to you. How, and when, EU officials in Brussels come after violating companies in the US is unclear. The fines are enormous so most likely they would start at home and then focus on large companies with a European presence. Maybe a small US company can fly under the radar indefinitely, but maybe not.
I want to point out a few paraphrased highlights of GDPR so if you operate a lead or marketing company, you can think about how they might affect you. If you are a boberdoo customer, we have added several features in our 5.8 release to cover some of these items.
1. Consumers have a right to see their data that you have, request that the data be updated or ask that it be deleted.
What You Can Do
In the boberdoo system, we have renamed the menu item for Global Lead Search to Lead Search/Delete. You can now search for leads by email or phone and then purge their details from your system permanently. You can also export the consumer’s data via the Leads page if they request their data be exported.
2. You cannot bury unfair terms or hide information from the consumers about what you are going to do with their data.
What You Should Do
Your disclosures need to be short and clear. Whatever you are doing with that consumer’s information, you better make it clear and easy to read. 20 pages of legalese in a 2” x 2” box is not going to work anymore.
3. If a consumer is giving you their information, they are giving it to you for a reason. They expect you to use their information for that reason, ONLY for that reason, and to ONLY keep their information for as long as you absolutely need it.
How You Should Handle This
If your terms state that you are going to send the consumer’s personal information to up to three different service providers then that is what you should do. No more. Reprocessing the lead seven days later to get another sale? Nope, can’t do that unless they agreed to it. Adding that lead to an aged list that you sell to any call center that wants it? Did the consumer expect that to happen? I doubt it, so I believe you cannot do that.
Are you keeping that consumer’s personal information in your database forever? Bad idea. This one we know will be hard for lead companies to swallow but once they do, we believe everyone will realize they really do not need to keep that personal information around very long to operate their lead generation business. The fewer people that have access to the consumer’s information and the shorter you keep that information, the better.
4. You must prove that the consumer agreed to give you their information for the reasons you are using it.
What You Can Do
Many of you have probably been getting newsletters asking you to re-verifiy your opt-in for “GDPR” reasons. Most likely they are using a screen capture application on the opt-in form so they can prove it was you that subscribed to their email list. Solutions like TrustedForm, often used for TCPA compliance, will most likely be used for GDPR compliance.
We have built a series of data deletion features into our new release. For those that want to keep their data forever, we have built a secure export that will take the data out of boberdoo and store it securely in your own Amazon AWS account.
Learn More About Secure Export
We suggest real time data deletion when possible and that is what we will be enforcing for EU lead types. With real-time deletion, if you would like to keep your full data we will first run the secure export and then delete the fields. Which fields get deleted in real time can be configured for three waves. For EU lead types, all Personally Identifiable Information (PII) will be deleted in real time.
For non-EU lead types (as of this writing), fields get categorized into three classifications: sensitive fields, cleanup fields and everything else. After a lead is submitted, boberdoo can define how many hours or days to wait until each of these classifications is removed. We are working on an upcoming boberdoo U webinar to cover some examples of this feature and we have some more information here as well.
There is a lot more to GDPR. If you deal with EU leads, you have to understand all of it. If you do not deal with EU leads, I hope you consider reading through some more articles about it. Sooner or later we will see something like this in the US. We suggest you start taking a real look at how you are operating your lead business and handling consumer data now as some of those practices may have to cease whether you like it or not.
Brad Seiler, owner boberdoo.com