The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018, having been approved by the European Union Parliament two years prior. Companies that are found to be out of compliance will be subject to hefty fines of up to 4% of annual revenue or 20 million Euros, whichever is greater. US companies that offer goods or services to, or monitor the data of, European residents (data subjects) must be compliant regardless of their location. Many academic medical centers and hospitals have marketing efforts to attract international patients, such as dedicated landing pages or content; if this sounds like you, then read on.

Privacy By Design

At the core of these requirements is that EU citizens have the right to keep all of their personal data private and must explicitly agree to share this data in advance. Marketers (data controllers) must have a right to receive this data, must disclose what they are doing with it, and must provide a mechanism for removing it on request.

We’re HIPAA Compliant – Am I Good?

While the regulations are close to what is required under HIPAA and the HIPAA Marketing Rule, GDPR goes farther with respect to explicit opt-in requirements. The HIPAA Marketing Rule has generally been interpreted to allow healthcare marketers to remarket their brand to website visitors, typically through cookies. Websites may disclose the fact that cookies are being used for advertising purposes; cookies leverage the visitor’s IP address, which is considered personal data under both HIPAA and GDPR. Under GDPR, however, the EU visitor must explicitly opt in to accept cookies before they are delivered or used, and the marketer must record this acceptance. As it now stands, on May 26th, if you use a remarketing cookie (e.g. for display, paid search, Facebook) and have not first received and recorded the explicit opt-in from an EU visitor, then you are out of compliance.
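To make the opt-in requirement above concrete, here is an added example (not code from the original post) of a consent gate in a site’s JavaScript: remarketing tags are loaded only when a recorded, current opt-in exists, simple visit counting runs regardless, and a withdrawal request clears the record. The tag names, the record shape and the in-memory store are assumptions.

```javascript
// Added example, not code from the original post: gate remarketing tags behind a
// recorded explicit opt-in. Tag names, record shape and store are hypothetical.
const ESSENTIAL_TAGS = ["visit_counter"];           // plain visit counting: no consent needed
const REMARKETING_TAGS = ["display_remarketing", "paid_search_remarketing", "facebook_pixel"];
const CURRENT_POLICY_VERSION = "2018-05-25";         // constructed: re-ask when the notice changes

// Record the visitor's choice. `store` stands in for a first-party cookie or a
// server-side consent log; the record is the evidence that acceptance was obtained.
function recordConsent(store, marketing, now = new Date()) {
  store.consent = {
    marketing: marketing === true,                   // anything but an explicit true is "no"
    policyVersion: CURRENT_POLICY_VERSION,
    recordedAt: now.toISOString(),
  };
  return store.consent;
}

// Removal by request: drop the record so remarketing stops on the next page load.
function withdrawConsent(store) {
  delete store.consent;
}

// Decide which tags may run. Missing, negative or outdated consent loads essentials only.
function tagsToLoad(store) {
  const rec = store.consent;
  const optedIn = Boolean(rec) && rec.marketing === true &&
                  rec.policyVersion === CURRENT_POLICY_VERSION;
  return optedIn ? ESSENTIAL_TAGS.concat(REMARKETING_TAGS) : ESSENTIAL_TAGS.slice();
}

// Walk through the lifecycle on an in-memory store.
function demo() {
  const store = {};
  const before = tagsToLoad(store);                  // first visit: nothing recorded yet
  recordConsent(store, true);
  const after = tagsToLoad(store);                   // banner accepted: remarketing allowed
  withdrawConsent(store);
  const withdrawn = tagsToLoad(store);               // request honoured: back to essentials
  return { before, after, withdrawn };
}
```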
Another example is the use of request-appointment or contact-us forms, which will almost certainly contain personal data. Both HIPAA and GDPR require that these forms are encrypted in transit and where they are received and stored, but under GDPR the EU visitor must have explicitly consented to providing this data before submitting the form.

What about website analytics?

Google has announced that its Google Analytics product will be GDPR compliant by May 25th and recently notified all Google Analytics Administrators of important product changes that may impact GA data. Google has introduced data retention controls that allow marketers to manage how long user and event data associated with cookies and user identifiers (e.g. User ID and advertising identifiers such as DoubleClick cookies, Android’s Advertising ID, and Apple’s Identifier for Advertisers) is held on Google’s servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data. Google Analytics Administrators should review these data retention settings and modify them as needed.

“Before May 25, Google Analytics will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase).” [1]

While Google Analytics does use IP addresses for geo-location analysis, Google does not provide the specific visitor IP within any GA reports.
The EU regulators have indicated that when cookies are used simply to count website visits or to enhance the visit, such as keeping track of items in a shopping cart, explicit consent is not needed. However, if remarketing activities are employed, explicit consent is required before the remarketing cookies are used. Google’s terms of service stipulate that marketers cannot record personal information within Google Analytics (e.g. capturing email addresses or first and last names in page URLs, custom dimensions, etc.); if you are not violating these Terms of Service, then generally your analytics should be fine.

What should I do?

This post should not be considered a legal opinion or guidance; rather, it is meant to create awareness of GDPR, especially for US marketers who may have thought that GDPR applied only to companies based within the EU, or who may not have even heard of GDPR. With this in mind, you should contact your privacy officer as a first step. (See here for the final version of the regulation released on April 6, 2016.) Next steps may involve an audit of your website for remarketing cookies, forms, website privacy statement, etc. You will most likely want to contact your digital marketing agency/web developer to explore what is needed to bring forms and remarketing into compliance as needed.
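One check such an audit can lead to, added here as an example (not code from the post or from Google): before an analytics hit is sent, redact email addresses and assumed form-field parameter names from the page URL and from every custom dimension, so the personal data the Terms of Service forbid never reaches the property. The hit shape, the sample hit and the parameter names are constructed.

```javascript
// Added example, not code from the original post or from Google: scrub an analytics
// hit of personal data before it is sent. Hit shape and parameter names are constructed.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Query parameters that contact or appointment forms often echo into the URL
// (assumed names; adjust to the forms actually in use on the site).
const NAME_PARAMS = ["first_name", "last_name", "fname", "lname", "name"];

// Replace every email address in a string; reports how many were found.
function redactEmails(text) {
  let hits = 0;
  const clean = String(text).replace(EMAIL_RE, () => { hits += 1; return "[redacted]"; });
  return { clean, hits };
}

// Rewrite a page URL so it carries neither email addresses nor the listed name fields.
function scrubPageUrl(pageUrl) {
  const url = new URL(pageUrl);
  const findings = [];
  const path = redactEmails(decodeURIComponent(url.pathname));
  if (path.hits) { url.pathname = path.clean; findings.push("path:email"); }
  for (const [key, value] of Array.from(url.searchParams.entries())) {
    if (NAME_PARAMS.includes(key)) {
      url.searchParams.set(key, "[redacted]");
      findings.push(`param:${key}`);
      continue;
    }
    const r = redactEmails(value);
    if (r.hits) { url.searchParams.set(key, r.clean); findings.push(`param:${key}:email`); }
  }
  return { url: url.toString(), findings };
}

// Apply the same treatment to a whole hit: page URL plus every custom dimension value.
function scrubHit(hit) {
  const page = scrubPageUrl(hit.page);
  const findings = page.findings.slice();
  const customDimensions = {};
  for (const [name, value] of Object.entries(hit.customDimensions || {})) {
    const r = redactEmails(value);
    if (r.hits) findings.push(`dimension:${name}`);
    customDimensions[name] = r.clean;
  }
  // `findings` is what an audit would log; an empty list means the hit was already clean.
  return { hit: { page: page.url, customDimensions }, findings };
}

// Constructed sample: a thank-you page whose URL echoes form fields back.
const SAMPLE_HIT = {
  page: "https://example.org/thank-you?first_name=Jane&email=jane.doe@example.com&utm_source=display",
  customDimensions: { dimension1: "Contact: jane.doe@example.com", dimension2: "returning" },
};
```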
1. Source: Google