What would a European privacy law aimed at protecting customer data mean to an American financial advisor? Nothing, right?

Not so fast, say compliance experts.

In 2016, the European Union set down the General Data Protection Regulation, or GDPR, which regulates the ways that companies store the private information of people who use their services. It goes into effect tomorrow, May 25. Many people in the U.S. likely suspect that this only affects companies in Europe, specifically the way they store information like names, addresses and e-mail addresses.

But the law also affects websites and correspondence—cookies and pop-up ads. This means any U.S. firm with tracking cookies on its site that have ensnared a European has theoretically become its brother’s keeper—or at least the keeper of its brother’s data, as far as EU law is concerned. If you store names, phone numbers or e-mail addresses in a way that personally identifies somebody, the new regulation could apply to you, and the law promises hefty fines for those who don’t fall into line—20 million euros or 4 percent of annual income.

Graig Norden, the founder and president of Freewheel Marketing, a financial services marketing technology consultant, says that this is especially going to change the game for those using spam e-mail marketing lists. “That’s a huge no-no now,” says Norden. “It’s even more problematic [under GDPR] because it’s easier for users to find out what list they are on and ask you to delete them permanently. There are more rigid rules to adhere to, so it’s not something people should be ignoring.”

The rule concerns the “processing” of personal data belonging to “natural persons” in the European Union. Processing activities include collection, recording and storage, as well as disclosure by transmission, of data related to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union.”

Because the deadline is Friday, for a lot of people this is going to mean a lot of quick damage control. Already, a blizzard of e-mails has likely hit your in-box from companies updating their privacy policies and telling you what they are storing, how and why. Many firms are going to want to kill off their cookies and disable tracking analytics. Others are going to want to change their pop-ups asking people to join mailing lists. You can’t just invite somebody onto a list for one thing and then put them on a list for something else, writes Zach McDonald, the editorial director of Mineral Interactive, on Michael Kitces’s “Nerd’s Eye View” website.

How does the EU enforce this regulation on American small businesses? That’s a good question, says McDonald in an interview with Financial Advisor, and he says that Mineral has been in talks with lawyers and marketers trying to figure out how that would play out.

Still, “If you’re definitely marketing to EU data subjects,” he said in the interview, “you definitely need to comply, and the regulations are within their rights within the law to come after you because you are working with or intending to work with people under their purview.”

Privacy policies have to be in plain language. The regulation says that the data should also not be kept longer than necessary and that a time limit should be set for erasing it.