What would a European privacy law aimed at protecting customer data mean to an American financial advisor? Nothing, right?

Not so fast, say compliance experts.

In 2016, the European Union adopted the General Data Protection Regulation, or GDPR, which regulates the ways that companies store the private information of people who use their services. It goes into effect tomorrow, May 25. Many people in the U.S. likely assume that it only affects companies in Europe, specifically the way they store information like names, addresses and e-mail addresses.

But the law also affects websites and correspondence—cookies and pop-up ads. This means any U.S. firm with tracking cookies on its site that have ensnared a European has theoretically become its brother’s keeper—or at least the keeper of its brother’s data, as far as EU law is concerned. If you store names, phone numbers or e-mail addresses in a way that personally identifies somebody, the new regulation could apply to you, and the law promises hefty fines for those who don’t fall into line—20 million euros or 4 percent of annual income.

Graig Norden, the founder and president of Freewheel Marketing, a financial services marketing technology consultant, says that this is especially going to change the game for those using spam e-mail marketing lists. “That’s a huge no-no now,” says Norden. “It’s even more problematic [under GDPR] because it’s easier for users to find out what list they are on and ask you to delete them permanently. There are more rigid rules to adhere to, so it’s not something people should be ignoring.”

The rule concerns the “processing” of personal data belonging to “natural persons” in the European Union. Processing activities include collection, recording and storage, as well as disclosure by transmission, of data related to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union.”

Because the deadline is Friday, for a lot of people this is going to mean a lot of quick damage control. Already, a blizzard of e-mails has likely hit your in-box from companies updating their privacy policies and telling you what they are storing, how and why. Many firms are going to want to kill off their cookies and disable tracking analytics. Others are going to want to change the pop-ups that ask people to join mailing lists. You can’t just invite somebody onto a list for one thing and then put them on a list for something else, says Zach McDonald, the editorial director of Mineral Interactive, writing on Michael Kitces’s “Nerd’s Eye View” website.

How does the EU enforce this regulation on American small businesses? That’s a good question, says McDonald in an interview with Financial Advisor, and he says that Mineral has been in talks with lawyers and marketers trying to figure out how that would play out.

Still, “If you’re definitely marketing to EU data subjects,” he said in the interview, “you definitely need to comply, and the regulations are within their rights within the law to come after you because you are working with or intending to work with people under their purview.”

Privacy policies have to be in plain language. The regulation says that the data should also not be kept longer than necessary and that a time limit should be set for erasing it.

It could be that you want to disable the collection of IP addresses for those who visit your site. Or disable cookies so visitors don’t leave information on the site that they might later ask you to expunge. Otherwise you might need a banner explaining that you are indeed using cookies and that users can opt out of them. Banners also link users to your privacy policy—which tells users how you are using the data they have submitted. If you are using a service provider (such as Squarespace), you must check its privacy policies as well.

Of course, advisors might reasonably ask: How much identity can you glean from an IP address, really? Some addresses, after all, are mapped to lakes in the middle of Kansas. McDonald says it’s a good question, but adds that even those IP addresses allow snoops to dig up information on people.

“There are third-party software tools out there that can attach that IP address to more information as that IP address returns to your site,” McDonald said in the interview with Financial Advisor. “What is this visitor particularly interested in? Eventually if that person with that IP address happens upon a form and gives you a little bit of information, answers some survey information, there are third-party tools that can connect you to more and more information.”

Under the new regulation, you must also be able to notify your EU clients if there has been a data breach. And you must have a method in place for getting rid of somebody’s private information permanently if they contact you and ask you to.

Under the regulation, people also have the right to know what kind of data you are collecting on them, and you must let them know they can opt out. You must also let them know if you are transferring their data, and to whom it is being sent outside the EU.

“You might be thinking,” McDonald wrote on Nerd’s Eye View, “that all this data tracking and security isn’t ultimately your problem as you’re a financial advisor, not directly collecting and storing online client information on your own servers or in your own office. It’s all stored on third-party data servers, and it’s the problem of that vendor to maintain the security of the data on their servers. That may be true, but the GDPR still sees it as your responsibility, because you’re the one requesting/collecting the information.”

Will some advisors overreact and simply block European customers? That would be a mistake, says Mark Trousdale, chief marketing officer at InvestCloud, a software design and engineering company. GDPR doesn’t mean you can’t collect information on people, he says. It just means knowing about the data you collect on individuals. So firms simply need a strategy for compliance.

“Anecdotally, I've heard firms talk about backing out of Europe,” says Trousdale (though he stresses they are not his company’s clients). “But for firms without a data strategy, it may seem easier to simply overreact. Again, I think this is shortsighted, not to mention, it's missing the point of GDPR for firms that collect data on individuals, which is that robust data management is a good thing that should be implemented immediately.”