The new General Data Protection Regulation (GDPR) regulations go into effect May 25, 2018… and the penalties for non-compliance are steep.
This is a huge deal for the entire online sphere, since it “applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location” (emphasis added).
And that makes sense.
After all, the purpose of the GDPR is “to protect all EU citizens from privacy and data breaches in an increasingly data-driven world” (source)… no matter where this data is stored.
The GDPR data protection goes far beyond basic SSL certificates and credit card numbers.
This means that every system you’re using, from membership platform to marketing automation tool or CRM, needs to be in full compliance before the end of May.
As you check to ensure your business is ready to go, here are a few things to consider from the membership and online course side of things.
This information is NOT legal advice or a legal explanation of the new GDPR guidelines. It is meant to be a practical look at some of the areas where personal data is collected and processed for online courses and membership site models. For legal advice, please consult a lawyer.
Did you know? Every Type of Data Matters
The new regulations include all types of data you may collect or process in your business, from first names and email addresses to obvious things like credit card numbers.
Some of the more common data processed when selling online courses or selling memberships include:
- Email address
- Credit card number
- Billing address
- Mailing address
- IP Address
- Phone number
All of these (and more) fall under the data protection requirements of the GDPR… so if you’re not familiar with what information is stored where, now is the time to become familiar with your tech tools.
After looking through the new guidelines, there are a few other areas that stand out in the online courses and membership world.
1. The Ability To Opt Out on a Granular Level
If a client subscribes to your monthly membership program, how many lists do you automatically add them to?
The weekly newsletter? Product updates? Marketing promotions? Billing reminders?
With GDPR, you’re not only obliged to clearly inform your client which “lists” you’re adding them to, but you’re also required to make it easy for them to opt out on a granular level… one list at a time.
In GDPR language, this is known as the “Right to object“.
If you’ve been lumping all your contacts into a single list… it’s definitely time to clean house and make sure this granular opt-out process is possible.
2. Be Clear With Your Privacy Terms
What do you do with your subscribers’ information when they sign up for access to a free course?
Do you use their email addresses for retargeting ads? Put them into a pre-sale funnel for your paid products?
The GPDR requires that any opt-in “[c]onsent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language […]” (source)
In other words: if you’ve been using sneaky email capture methods, it’s time to be more transparent.
Be honest about what you’re going to do with their information… and then give them the opportunity to say no.
I was personally curious to see how many marketers are currently complying with this method… so I opted into 15 different email lists over the past couple days. Out of 15 opt-ins, only 2 used a double opt-in to indicate that I would be added to their marketing newsletter list.
The rest did not ask. But I received marketing emails from all of them.
As of May 25, that’s not gonna fly.
To help our clients comply with the GDPR regulations, we’ve created a checkbox for you to add to your order forms built with AccessAlly. Use this checkbox to receive any express permission required from your clients.
A similar checkbox feature was also added to PopupAlly Pro, just in time for these laws to go into effect.
With PopupAlly Pro you can also store the checkbox “state” into your email marketing platform. So you can keep track of who checked the box and who didn’t.
3. Is Your Software Compliant?
“I don’t keep my users’ data… my CRM does!”
Yep, and both of you are liable. (50% of a 20 million dollar fine is still a lotta dolla.)
Take the time to become familiar with how your clients’ information is processed and stored. Find out if encryption is used for sensitive data – or if you should be moving to a different, more secure system.
If you have a membership site or online course, a few tools to check for compliance are:
- Your website server
- CRM / Marketing Automation System
- Payment Processor (Stripe or PayPal)
- Website Plugins
We’ve been taking special precaution to help our clients become more GDPR compliant, by making it easier to give the user access to their password without having to store it in an unencrypted field in the CRM. Learn how here.
4. Clean Up Your CRM Email Lists
You have until May 25, 2018 to become compliant… which means that the cleanup process starts now.
If you’ve been engaging in shady practices (maybe you automatically subscribed someone to your marketing sequences without telling them after they opted in for a PDF?), don’t panic.
You have three basic choices:
- Delete your entire mailing list and start from scratch
- Segregate EU email addresses from non-EU addresses, and go from there
- Run a re-engagement sequence to the entire list, asking them to re-opt-in and get those permissions, and keep the wording on file in case there’s an audit.
The route you take is totally up to you, your marketing team, and a lawyer.
Remember that the GDPR requires proof of opt-in consent.
5. When in doubt, consult legal advice
Nothing can take the place of good, solid legal advice from a legal expert.
If you’re confused about the terms of the GDPR and what it means for your business, be proactive about discussing it with a lawyer.
In America, we’re just beginning to catch a glimpse of the far-reaching consequences of privacy and data breaches, from the Equifax breach of last year (that keeps getting worse!) to Facebook making headlines.
This gives a better understanding of the urgency for regulations that protect the end consumer.
Sure, the marketing side of us might love using bots and tracking cookies to show up in front of our audience as many times as possible… and get them to hand over their email address. “Whatever it takes?!”
But all of us are consumers and can understand the outrage of hidden, obscure legalese that takes advantage of tech vulnerability.
The GDPR is one giant indication that enough is enough. It’s literally laying the law down on sneaky email collection practices (“just gimme your email address so I can send you this one PDF… wink wink“) and sneaky uses of personal data.
Sell your online courses and memberships without the sneak… and your customers will thank you for it.