The European Union’s General Data Protection Act, rolled out earlier this year, is a big step forward in consumer privacy protection. The United States enacted similar regulations through the CAN-SPAM Act in 2003. Both actions created new laws regulating marketing and the handling of consumer data. Companies of all sizes, including small businesses, need to keep these laws in mind when developing their online marketing strategy going forward.
The European Union’s General Data Protection Act (GDPR)
The GDPR laws became official on May 25, 2018; however, a generous grace period allows companies to obtain the required consent and bring their business into compliance. Fines will not be issued as long as a good-faith effort is being made to attain compliance. Once fully implemented, non-compliant companies can face fines as large as 20 million euros or 4% of the company’s gross annual income, whichever amount is higher. Detailed information on the compliance requirements can be found on the GDPR website.
- Permission for storage and use of a consumer’s data must be explicitly granted, and records of consent kept on file
- Consumers must be able to have their data removed from use at any time. Instructions to request removal must be made available to consumers
- Consumers must be informed exactly what personal data is stored in the company’s records and how it will be used
- Consumers must be informed of any data breach within 72 hours of discovery
- Consumer consent must be explicitly granted before using the customer’s e-mail address for any purpose
- E-mail addresses that were collected previously must have the proper permissions on record, or permission must be obtained before they may be used for future messages
The United States’ CAN-SPAM Act
The United States’ CAN-SPAM Act of 2003 regulates the use of consumer data in much the same way as the GDPR, but focuses primarily on e-mail marketing and on deterring egregious abuses such as spam and phishing scams.
Non-compliance with these guidelines can get costly fast, with each e-mail in violation of the CAN-SPAM Act subject to penalties up to $41,484. The key regulations are listed here so you can run a quick check-up assessment of your company’s compliance.
- Make sure your e-mails to consumers are clearly and accurately labeled with proper “from,” “to,” and “reply to” information
- Subject lines must accurately reflect the e-mail’s core content
- Every e-mail must feature the current postal address of the sender’s business
- An easy opt-out option must be included in every message, and opt-out requests must be honored within ten days of receipt
- Businesses may not charge a fee for data removal, and may not require personal information from the consumer to honor the request
- Customer data, including e-mail addresses, may not be sold to a third party without consent
US companies with customers in the EU must ensure they are in compliance with both sets of laws. Even if your company does not market outside the US, it may still be wise to assess its compliance with both the GDPR and the CAN-SPAM Act, so that your company has solid legal standing today and is prepared for a global market in the future.