How the GDPR Affects Content Marketing
The European Union’s General Data Protection Regulation (GDPR) is finally enforceable law now. So what does that mean for you? In this episode of Expert Marketing Matters, Chris and Mark discuss the requirements of the GDPR, its implications for American marketing organizations, and debate whether it’s fair for international laws to impose costly regulations on everyone worldwide.
What You’ll Learn
- What the GDPR is, and what it isn’t
- The difference between a privacy policy and a privacy notice, and what your privacy notices need to cover
- Who is a controller, and who is a processor
- How your website forms will need to change
- and much, much more…
You can listen to the episode using the player embedded above, or you can read a full transcript below.
Episode Transcript
Chris: This is Expert Marketing Matters, a podcast about generating ideal new business opportunities and creating your future.
Chris: Welcome to Expert Marketing Matters. I’m Chris Butler.
Mark: And I’m very angry.
Chris: (laughs)
Mark: (laughs)
Chris: That’s his new name.
Mark: Also, also Mark O’Brien. (laughs)
Chris: (laughs) Ah, Mark is very angry because, uh-
Mark: (laughs)
Chris: For the last couple of months-
Mark: [inaudible 00:00:56]
Chris: …we’ve been, um, trying to figure out what our response is to something called the GDPR. Um, if you’re listening to this and don’t know what that is, that is the General Data Protection Regulation enacted by the EU, um, and it’s, uh, it’s pressing on us because we’re coming up on a deadline for compliance to it and, actually, really what that deadline means is that after that date, people can pursue litigation, uh, against violations if they want. There’s no gestapo running around the internet trying to figure out who is violating this, so it’s not that big of a deadline, but it means we’ve actually had two years to get our act together on this and, uh, there’s been a bit of an eleventh hour hustle to figure it out, um, and Mark’s angry because (laughs)-
Mark: (laughs)
Chris: …because, um, uh, we- we have to respond to this in some way, um, and he doesn’t like that.
Mark: Well, okay-
Chris: (laughs)
Mark: …uh, I- I’m- I’m angry for a few reasons-
Chris: (laughs)
Mark: …and, we thought it would be a good idea to have this podcast just to use, um, my fury as a way of working through the really important issues about GDPR, which I’m quite certain, most, um, marketers aren’t very well informed on because it is really complicated and I think most people out there, most, you know, small to mid-size businesses running expert firms, th-they don’t know what they’re about to have to do. They…I think they’re quite clueless in regard to the changes that will be enforced upon them.
Chris: That’s right.
Mark: Okay, and, and so I’m speaking as, uh, one of them. One of these people (laughs) who-who, uh, is going to have to make a really significant investment because the EU has decided to do things differently. Right? I- And we, uh, don’t have an office in the EU. We don’t have any employees in the EU. We have a few clients, but we don’t market at all intentionally to the EU.
Chris: Correct.
Mark: And our- our employee, uh, our client base is 99% in North America. Right, um, but, we have to…we-we’ve, we’ve spent a quite significant amount of time and money to figure out what we have to do now. Right?
Chris: Yeah, and, and, I think in that regard, you actually have a significant, um, point and a, and a good reason to be annoyed with this because, um, like all laws, we are responsible and beholden to them even if we don’t understand them or are aware of them. That’s true in the United States. That’s true globally. Um, you can break a law without realizing it and you’re still culpable and the problem with that…I think the reason that everyone feels, un…like that’s unjust when they’re in the center of it is because it’s like, well, I probably…in the best conditions, I wouldn’t have broken that law if I had known the ins and outs of it. Um, that’s not always true, but let’s just say that we’re all good people and it is. And in this case, you’re right, we’ve had to spend a huge amount of time and resources just figuring out whether or not we might break this law by accident.
Mark: Right, and I-
Chris: But that’s true to what we do, we are, we’re, we’re marketers who, uh, for whom data about other people is critical.
Mark: Right. Right, and we- we’re also leading other marketers-
Chris: Correct.
Mark: …and, and that’s important. Um, o-one point about…your last point about adherence to the law is that, um, uh, in working through Newfangled’s business, and I can’t think of any of our clients who are, again, like us, operating primarily in North America which almost all of them are, um, that have ever once had to think about, much less react to, an international law in regard to their business.
Chris: That’s probably true, um-
Mark: I can’t think of a single one that I’ve ever [inaudible 00:04:26]-
Chris: That’s probably true, um, yeah, tha-that’s probably true, um, I, yeah, nothing comes to mind directly. Although sales tax and transactional law in regard to, um, uh, payment card, uh, industry is international, um-
Mark: If you’re doing commerce, yeah-
Chris: Yeah.
Mark: …but again, most of our clients are selling their thoughts not products.
Chris: Right, that was, that was more relevant to us a decade ago. Um, so before we go down-
Mark: (laughs)
Chris: …this road again, I think, um, I, I don’t want to talk too much about the detail of the GDPR. We actually have a blog post on the site that was written by Holly Fawn that you can look at, but, before you look at that and before you f-finish listening to this, we need to put a disclaimer out there that we are going to talk about some detail in regard to this law. Talk about some of our conclusions, some of the things that we are going to do and have done, uh, thanks to some, uh, legal counsel that we’ve received, but we are not offering counsel through this.
Mark: No.
Chris: Um, you shouldn’t listen to this and do what we’re doing just because we are doing it that way and use that as your excuse later on. This is not, uh, uh, that, th, this is not the context for that. Um, we’re happy to share the information we know, um, but the GDPR is very complicated. It’s also very, uh, ambiguous in places and so there’s a lot of interpretation to be done, and so, we have put our best foot forward and we’ll talk about some of those details here. We won’t cover all of them, so don’t…this is not a what is GDPR episode.
Mark: Right. Yup, yup.
Chris: Um, if you’re looking for that just Google it. There’s a great Wikipedia article on GDPR, um-
Mark: Now, that being said, what’s real interesting is that we have had four individuals inside of Newfangled, four of our leaders here, um, and, uh, four of the most senior people here, ah, spending a significant amount of time and energy on this for the past what f-four months, would you say now, roughly?
Chris: Um, that would be the longest stretch, yeah.
Mark: [inaudible 00:06:06], yeah.
Chris: I mean, th-the, again, the majority of the time that’s been spent has probably been spent in the last two to three weeks.
Mark: But we’ve been talking about it for months now.
Chris: Correct, yes.
Mark: Yeah, yeah. That’s…it’s, it’s, it’s been an issue starting this year, uh-
Chris: Oh yeah, yeah, it’s…and I mean, uh, and that-
Mark: [crosstalk 00:06:18] go back to the beginning of ’18-
Chris: …that’s where, we don’t need to debate the point of, this is expensive and annoying, and, and from a running a business standpoint, a nuisance and feels unfair.
Mark: But what I’m saying-
Chris: Yeah.
Mark: …is that, we’ve had…(silence)…no.
Chris: That’s true, that is true.
Mark: [crosstalk 00:06:35] how complex this is. We, we’ve made…(silence)-
Chris: That’s right. So, actually, let me, let me set the stage on that for, for a moment. First, first of all, um, there are two terms that we might mention here and there related to the GDPR. One is controller and the other is processor. A controller is somebody that requests data. So, that would be us in this case. That would also be our clients. Um, if you’ve got a form on your site, you’re a controller. Um, a, controllers now have requirements thanks to the GDPR in terms of what you have to do to receive that data. Um, specifically a notice of what you do with that data. It needs to be quite explicit. So, the privacy policies that most of us on the internet have had for the last ten years are woefully inadequate according to this law. Um, actually, as it turns out, there are domestic laws that also render them woefully inadequate that nobody knows about. Um, also, therefore, shows you what the kind of enforcement is going to be of this.
Chris: The second is processor, and a processor is an organization that processes data on behalf of a controller. So, if you share data with a third party, like a marketing automation suite or a, uh, CRM, they are a processor, and, so, therefore, you need to know what their privacy policy is and you need to put that in your notice. So, the documentation component of this is, is quite, uh, extensive. If you’ve ever seen a really annoying, long, legalese contract, where you’re like, 95% of this stuff couldn’t possibly be relevant to me, and yet, why is it here? If you ever bought an Apple product-
Mark: Right.
Chris: …and you read all that, that’s the kind of detail that we’re talking about.
Mark: Well, and, and something that sort of blew the top off the conversation yesterday-
Chris: (laughs)
Mark: …was exactly this.
Chris: Mm-hmm (affirmative).
Mark: So, just so you all know, you listening, what this seems to mean, okay. Basically, now, on your site, if anybody from the EU wants to download something, w-wants to fill out a form in order to download a white paper, so, any gated asset, white papers, webinars, case studies, whatever may be, they are, you’re gonna basically have to just give that to them. It’s no longer legal under the GDPR to require any information from a user in order to grant access to content. So, th-the very nature of gated content as it relates to any incoming traffic from the EU, is gone.
Chris: That’s sort of true.
Mark: (laughs)
Chris: [crosstalk 00:09:03] Yeah…
Mark: This is the point of the debate (laughs).
Chris: Well, a-actually, it’s not the point of the debate. It, it um, what the nature of what you’re saying is true, it’s just, um, from a legal standpoint, you have to be careful with what we’re saying there. What we’re not saying there is, if you sell information, or if you sell access to information, for instance, let’s say you have a podcast and you’re selling a plus club and I pay $8 a month to gain that stuff, that’s still fine, because-
Mark: Yeah, but very few clients are ever doing that.
Chris: …right, right, but, but that’s important because when we talk about access to information, what we are talking about is, it is no longer okay to transact information for access purely.
Mark: Right, so, if you have a white paper-
Chris: If you have a, va…so, so, the nature of gated content as a marketing, uh, uh, tactic is in jeopardy and, and like you Mark, I actually find that quite troubling.
Mark: Sure.
Chris: Um, when, uh, and this is actually the last thing that we uncovered in terms of our interpretation, and, you know, um, part of Mark’s frustration is something we all share, which is that the, this law, is very wide in its scope and yet very general in its terms and so, um, the, the clause of this law that actually applies to gated content, um, what it actually says is that you can’t, uh, transact information for access to a website.
Mark: It’s that one sentence, right?
Chris: Correct.
Mark: Yup, yup. Yup.
Chris: And, um, so we had assumed throughout the majority of this process, oh, well right-
Mark: Website…
Chris: …we’re not, we’re not locking anyone out of the website, right? We didn’t think that applied to discrete pieces of content where, of course, like, what’s the problem, if they’re willing fully giv…i-i-if we’re saying hey, you can have this content if you just tell us your title, or what kind of company you work for and they say, that’s fine. It seems like a, a worthy exchange of value, that sounds great. I, I was shocked to discover that, um, our legal counsel had been counseled themselves to interpret it in this way. Um, and they, um-
Mark: It’s, it’s webpage really…
Chris: Correct.
Mark: Yeah.
Chris: …and, and we thought, the team of us interfacing with the legal counsel, that, okay, well, they just don’t get what gated content is. They’re not marketers, they’re, they don’t get it. No, they get it.
Mark: (laughs)
Chris: They’ve been extensively trained on this and they totally understand the marketing application. Something to keep in mind is that the GDPR applies to lots of context in which data is transacted beyond just marketing. But, marketing as an industry is the one being hit h-hardest on this because it’s the first time that a regulation like this has existed that applies so directly to marketers. Regulations like this have apply, have existed for a long time applying to online accounts of different kinds, e-commerce of different kinds, that kind of stuff, and so that’s why the lawyers knew exactly what this was about and we were shocked to discover, yeah, gated contents in jeopardy.
Mark: Right, no, if, for any traffic coming in from the EU.
Chris: Right.
Mark: So, we’re not saying, is, gated contents over for the internet, right. Um, it, but for traffic coming from the EU, it, it could be-
Chris: Right.
Mark: …based on the letter of the law, it, it technically is.
Chris: Yup.
Mark: Um, now let’s talk about, not gated content, let’s talk about a simple blog sign up. If someone’s coming from the EU and they want to sign up for your blog, what steps are they going to have to go through? What steps are, are our listeners, as business owners and people running marketing websites, what, what changes are they going to need to make to their website, basically now, to be in compliance with the GDPR, um, for someone that just wants to not download anything, just sign up to receive emails?
Chris: Yeah, well, actually, um, so, when you and I were talking about this, uh, discussion, you know, th-the nature of the thing was, why are we, you know, uh, uh, we’re objecting to being forced into these actions by an outside party, and, and, yeah, we are. Um, and the question is, well, what are we actually being forced to do and how much? So, you don’t have to do anything about GDPR, um, past a certain minimum, right. If, if you’re not marketing to or speaking to anyone in the EU, then you can do the bare minimum, but, actually, nobody can do nothing in this scenario.
Chris: Um, as long as you have an inter…a website on the internet where so- where there’s a form and someone in the EU could submit it, you are obliged. This is very similar to HIPAA in the sense that, with HIPAA requirements, you’re obliged to the, to the uh, security of data, even if you don’t know it’s there, even if someone willingly gives it to you. Um, so in this case, to answer your question, um, someone might say, well, you know what, in this case, I don’t care about the EU. I’m not marketing to people there, um, who cares. That’s fine. At the minimum, you need to disclose.
Chris: So, there’s uh, a privacy notice, right. That’s a little bit beyond privacy policy. Pri- privacy notice has to get into detail about what data is being collected and what is being done with it, what your rights to it are, and your rights are to access, erasure, and portability. You need to be able to get your content whenever you want. You need to be able to have it deleted, right, to be forgotten, and you need to be able to take all that data and put it in another place if you want to, any individual, and all that needs to be in the notice.
Chris: So, you, the marketer listening, even if you don’t want to market to people in the EU, something as sim-, um, benign as a sign up form, you still need to have an a- a- ability, ability for someone to read that privacy notice in detail. And, it has to be done in such a way as to ensure that they read it.
Mark: Right.
Chris: It can’t be optional to read it.
Mark: Right, not the ability to, but it be enforced.
Chris: So, what that would mean practically is, en- envision a form where it’s first name, last name, email. You need to have a check box on it that says, I’ve, uh, I’ve agreed to this privacy notice, but you can’t check it until you’ve actually read the notice, or seen it, so it needs to be built in such a way as to force them to look at that information before they can submit the form.
Mark: Right.
Chris: That’s the bare minimum.
Mark: That’s the bare minimum, yes. So, so, just to recap on what Chris just said, because this is, this is a very big deal. In order for somebody, now this is not the gated content, this is just regular old email sign up, right, that they’re intentionally opting in to. So, someone from the EU comes and they want to sign up for your newsletter, let’s say, or blog that is, whatever it is. They fill out the first name, last name, and email and then there’s a box that says, I have read and understand and, uh, uh, agree, uh, to, you know, uh, being part of this, the privacy notice, basically, and they, when they click, when they click that, the, another screen shows up over the screen and just like with an Apple product, you have to scroll through the entire thing, which is pages and pages long because of all the details that has to be in there. And by the way, you have to come up with all that too.
Chris: Yeah-
Mark: Okay-
Chris: …and, which is not trivial.
Mark: …which is not at all trivial. And then at the bottom of it, you- that user has to click, yeah, I really mean it, I agree with this or close the window to show that they went through the whole thing just like you do, have to do with the Apple product, right-
Chris: Mm-hmm (affirmative)
Mark: …and then, they can submit the form. (laughs)
Chris: Right, and, and, just, just so we’re clear, in terms of, if you’re listening and you’re saying, I really don’t care about the EU, I don’t want to do any of this stuff, the only e- exit ramp you have from this is to really mean that and what you would do in that scenario is that, on any form on your site, the first thing that someone could choose would have to be to identify their location, and then if they ide- if they identified that they are located in an EU country, they would not be able to do anything more, you’d have to show a notice that says, due to, uh, GDPR requirements and our position on that, we have to, uh, we’re not able to allow you to submit this form. That would be one route you could take.
Mark: Right, just to-
Chris: I- I- I wouldn’t recommend it.
Mark: …and, and just to be clear on that, that when that per- when you give that option, when you take that stand, you’re saying that no one from the EU will ever be allowed to submit any form on your site for any reason-
Chris: Right, that’s right.
Mark: …not the contact us form, not the learn from us, not the white paper, none of it, if you take that route.
Chris: That’s right. Even, even, uh, actually, just so people understand the, the annoyance of this, even a comment would be a problem, because, um, included in what, eh, what the GDPR considers personal information, personal identifying information, it runs the gamut from your name all the way to the IP address that’s associated with you in that interaction. So, technically, if you posted a comment on a website, even if you had an anonymized name, your IP address is considered personal, and if you know you left that comment there, you are now entitled to your rights under the GDPR and so, that is the case. Any transaction of data on your site is covered by this. And, so, if you, if you, if you want to dodge it completely, you still have to do something on your site, and that is, to elevate id- location to being the first question and that would fork somebody’s experience, and you could lock it down after that if that’s what you want to do. Again, I don’t recommend that because I think there’s a more graceful way of doing this. It still requires development time, it still requires work.
Mark: O- o-, I mean, one of my points, this isn’t the case for us, but there are a lot of smaller firms out there that simply won’t be able to afford to adhere to this.
Chris: Yup.
Mark: They don’t, they don’t have a choice. They’re not going to spend the, the thousands of dollars they need to spend in order to comply with this.
Chris: And that’s, that’s always going to be true. I, I think, um, the last time I looked at this, it’s some, somewhere on the- somewhere above 95% of people, um, participating in e-commerce on the internet are in violation of PCI requirements.
Mark: Sure, and that’s, you know, e-commerce is one thing, when you say, okay, my business is based on financial transactions online, well, okay, you made that decision-
Chris: Yeah.
Mark: …you, when you made that decision, you’re, you’re adhering to certain, you know, ah, obligations-
Chris: Yeah.
Mark: …right, as, as someone who’s actually taking money from people online.
Chris: But it backs up your point. They’re looking at it and saying, I can’t afford to deal with this properly. Um, I don’t think they’re justified in saying that, but they’re doing it anyway, and how enforceable has it been? Well, it, e-commerce law has been in place for the better part of 25 years, and, yeah.
Mark: Right. Yeah. But, but, this is so much different. This is someone who just has a business, who just wants a form on their website and the will no longer be ale to have a form on their website cause they can’t afford to comply with GDPR, which is a set of laws enacted by a different country. (laughs)
Chris: A different group of countries.
Mark: Yeah, different, so- sorry, different, a different group of countries, a different collection, right. I- it, it, by a country outside of our own, right. And, and that’s just astonishing to me that the EU is going to be able to effectively hobble so many small businesses across the rest of the world.
Chris: Yeah.
Mark: Now, we’re mostly concerning, you know, the people we speak to all the time, and there are lots of people who sign up for our content, and, and engage with us in various ways who can’t afford to hire us, but they learn from us, and, and they really care deeply about the marketing. It might be a one or two person shop, and, you know, mid-market or smaller, and they’re going to be significantly affected by this because they will no longer have any conversion points on their site.
Chris: Right, um, if they chose to ignore it completely. Um, I think, I, what I expect will happen here, is that, uh, this is going to be an, an e- evolution past this immediate deadline. Um, basically, what we’ve been told by our legal counsel is that, as soon as you start wading into the waters of the GDPR, your, uh, requirements to them basically increase in the sense that, if you want to do nothing, you’re actually legally better off than having done something and done that something incomplete, in an incomplete manner or done it wrong. Um, that being- so, they’re advice to us was just ignore the EU completely and, again, in that scenario, even that wouldn’t mean we could do nothing. It would just mean we’d be doing the bare minimum. But, I do think that it’s worth starting to move in this direction because legally speaking, um, there’s no structure in place right now to start litigations on a, on a global scale on this.
Chris: Um, if you’re Facebook, that’s different, um, but if you’re Newfangled.com, uh, it’s, it’s, it’s years and years off if, if, if ever. But, um, what I want to say about this though, is that, I think we are going to see an, eva- evolution in the sense that immediately people are going to say, look, if you’ve made a good faith effort to start complying with this then that’s better than nothing. Um, but I think this is going to trickle down. I’m already seeing that happen. There’s a law, uh, that is on the books for vote in November in California, which is called the Cal- California Consumer Privacy Act, and it’s very similar to the GDPR in the sense that it’s being enacted by a provincial entity, right-
Mark: Mm-hmm (affirmative)
Chris: …California. Um, and it would subject everyone out- outside of California in the world to certain data compliance, um, in so far as California residents are concerned.
Mark: Well, well, now, now, and this is, this applies to GDPR as well, not California residents per se, or EU residents, but people accessing sites from the state of.
Chris: Corr…well, although I think that California’s Consumer Privacy Act might be a little more specific about that being California residents. Um, the thing about GDP- the GDPR that’s a little ambigenous, and, and we really struggled with this with our legal counsel is, i- in their interpretation, and, and, general interpretation at this point is that it applies to anyone in the EU at any time. So, hey, your buddy who works for Microsoft, who you’ve been talking and marketing to for a long time, he goes on a business trip to the EU, all of a sudden, those things apply to him while he’s there-
Mark: While he’s there, but, if someone who lives in London comes and visits Manhattan, then that no longer applies to them because they’re, they’re physically residing in Manhattan at that time.
Chris: That’s correct. And, and that’s a serious flaw of this law because we all know that data doesn’t work that way. Data doesn’t know boundaries. And so, there’s some, something self refuting about this law in the sense that it’s drafted with the idea that, oh, the way that data transact, is transacted now is now non-national. It has nothing to do with boundaries, um, political boundaries, and so, we’re trying to grapple with that and yet we’ve created a law that is entirely based upon location, um, and location at the time. But, but, what, the reason I mention that is because this is the way culture is going.
Chris: People do care about individual privacies and individual transaction of data and I think that this is, um, a swing of the pendulum, in the sense that I, I think that the GDPR, um, there’s aspects of it that are coming from a good place that I as an individual can get behind, but it’s also overreach in many ways and unfortunately, we don’t have the power to reject that overreach and, and, that, that was sort of where this came from, is like you wanted to respond in a certain way and I was like, I think that…
Mark: Well, and, and I’m still, I- I- that, I- I- I’m still considering that (laughs) as a topic for discussion at our next [inaudible 00:22:04] meeting.
Chris: (laughs)
Mark: Um, but, um, it, it, for anyone who- whose listening to this who is a client of Newfangled, we have put together, uh, a quite elegant solution that will keep you in compliance as we know it, and so, you know, we’ve spent now 20 plus thousand dollars researching this, and, and building technology to help to, to, to be in compliance with this, and, um, we have a solution that we can offer to our clients that, to the best of our knowledge, will keep them in compliance and, and is as elegant as it gets and the main part of it is that the first thing we’re doing is figuring out if their coming in from the EU or not. So, for anyone coming in from North America, or any, any destination outside of the EU, they would see the same website they would see any day.
Chris: That’s right, yeah.
Mark: Right. Which is, which is nice.
Chris: Our conclusion on that is, is though, that that person needs to volunteer that, that location information. This is another area where it’s somewhat confounding the way that this is being interpreted because, uh, legal counsel advised us to use, uh, the, the best way you can assure yourself of that person’s location is by using IP tracking. However, IP addresses are considered personal information, so once you’ve detected that IP-
Mark: You can’t do it.
Chris: …you’ve taken that data, you’ve done it prior to them consenting-
Mark: You’re already in breach…
Chris: …right, so, you’re, you’re, by trying to, to not breach, you’re breaching and the only way you absolutely know where they are is by violating this law and everyone realizes that is a significant flaw of this law. Again, there’s going to be loop holes to this law like there are any other. Um, I think what’s the real thrust here is that all of a sudden, we are now subject to something that makes it more difficult to do something that I think we’ve all been trying to do to the best of our ability in a way that honors one another. I mean, and, and that’s something that I think, um, you know, you and I have disagreed in a nuanced way about what we should do about this and I think we’re coming to consensus because ultimately, it’s more than just Newfangled for us, it’s also our clients and what they might want to do, and it’s also setting ourselves up for what we know will be an advancing trend. Um, and I think that’s important. It also allows us at least retain some ability to connect with people who happen to be in, in the EU at the time, and that is more concerning to me than those people who live there permanently.
Mark: Sure.
Chris: Um, but, what I wanted to say is that, uh, there are laws now that most people don’t now about that they’re probably in violation of. For instance, um, there’s the Online Privacy Act, right, that was also enacted by California, and that requires operators of sites like ours, to, uh, have a conspicuously posted privacy policy that isn’t just like, hey, we might use your data for this, like our privacy policy has been in the past, but it’s very GDPR like in the sense that you have to identify every category of data collected, every category of transaction, all types of third party processing, identify all tracking methods, and guess when that law was put into place?
Mark: 2006?
Chris: 2004.
Mark: Uh-huh (laughs)
Chris: Almost 15 years and-
Mark: I wonder if, like, California.gov even complies with that law. I bet they don’t.
Chris: I, I believe, actually, they probably do.
Mark: You think they do?
Chris: Um, yeah, I mean, uh, you know, government websites have been extremely, um, thorough in their privacy policies and plat- in the past and also restricted in what kind of tracking they can do. Now, the big, the big loop hole here is that provincial government and, and the NSA are, NSA is not subject to any of this stuff. The GDPR stipulates, this Consumer Privacy Act of California stipulates this, Online Privacy Act, all of them basically say, if you’re a government entity that for national security purposes needs to track data, this does not apply to you.
Mark: Ah…(laughs)
Chris: Um, there are other stipulations that have to do with like, you know, safety, health, things like that, where, you know, you know, there’s other requirements, but, for people like us, that don’t have that kind of reach, yeah, um, we’re subject to it, so I, I, I, yeah, I mean, just to close on this, it is complicated, it is frustrating. I think you’re justified in being frustrated.
Mark: I, I think, most people who actually listened to what we just said over the past 20 minutes are going to be shocked.
Chris: You’re probably right, and, um, unfortunately, uh, the, the biggest problem here, I think, is not anything we’ve really talked about, except at the very beginning, which is that, if you pass a law that applies to this many people, whose job is it to let people know about that law? Whose job is it to educate the people who are all of a sudden going to be subject to that law? Like. Imagine all of a sudden, hypothetically, if next month, every rule of the road was going to be changed and you could be pulled over for things that are totally legal today. Um, or, the ability to get a license was based on regulations that you didn’t know about and had to be tested on. Whose job would it be to let you, Mark O’Brien, know about those rules? I would say it’s the governments job-
Mark: Sure.
Chris: …but in this case, what government entity are we talking bout? How do they get this information to people in the United States, forget, I mean, in, people in Malaysia, they’re subject to this too. How do they get that?
Mark: Yeah, are they footing the bill for this education? No, they’re not.
Chris: No, of course not.
Mark: And, and again, the, the, the point that irks me the most, is that it’s law outside of this country.
Chris: Yeah, although, I mean, this is a thing that I, I just wasn’t with you on-
Mark: (laughs)
Chris: …in that, there are many laws that apply to us, whether they’re out of our state, out of our city, out of our country, that we are still subject to. Like, if you, if you go to Fra…, or if you go to Singapore, here’s a good, good example, you remember this from when we were kids, the kid who did graffiti in Singapore and was caned? You know, like-
Mark: But he went to Singapore.
Chris: That’s right. Right.
Mark: Right. This…(laughs)
Chris: Aha, we probably have to stop, but, but this is, this is something that I think is important because we are going to the EU in a sense-
Mark: They’re, no, they’re coming to us.
Chris: What? Are they?
Mark: Yes-
Chris: Are they coming-
Mark: Yes, this is, this is all about traffic from the EU coming to our website. They’re coming, voluntarily, we’re not forcing them to come, we’re not rerouting them to our website, they’re coming to our website, a business in the United States.
Chris: It is, it’s a non-, it’s a transaction of data that supersedes, um, location. It’s a temporal. It’s, it’s non-location based, and I think that that’s why it’s legitimate for, um, a governing body to say, look, we want to protect our citizens, knowing that aspects of their experience or their information re going to be transacted outside of our borders, we need to be able to have the regulatory scope to say that we can, we can restrict that in some way or protect that in some way, and so, I think that’s justified.
Mark: But the fact that they’re, the, the bur-, burden of implementing that, and learning about it, to your previous point, is put on businesses outside of the EU and that-
Chris: Yes.
Mark: …we, the rest of the world just has to comply because this set of countries made this decision. I think it’s kind of crazy.
Chris: I, well I agree with that. I think that’s a separate issue. One issue being, should someone be subject to a law outside of their immediate, um, locational jurisdiction? Yeah, I think so, I think that’s fair. There’s lots of precedent for that. But, there’s also lots of precedent for that putting an undue burden on people just basically getting the right information.
Mark: Th- there’s, I don’t think there’s any precedent for in these circumstances. If you, again, if you visit Singapore…
Chris: No, no, I’m agreeing, I’m saying there is a lot of precedent for that feeling unfair. I men, the same thing goes for PCI compliance. The same thing goes for HIPAA compliance. There’s no organization whose job it is to make sure that they go from business to business and make sure that you understand what HIPAA compliance is, in fact, you have to pay for that.
Mark: But with both PCI and HIPAA, you are in the health care industry and you chose that and you know that. With PCI, you are doing, you re taking online transactions. Like, you’re voluntarily swimming in those pools. Here, you know again, I’m thinking about a, a, a very particular business, um, someone I have not spoken to in years, but, she’s a one person firm in Wisconsin.
Chris: Yeah.
Mark: Okay, and like, and she, her website is a main conduit for her business and she’s going to have to, and she’s not going to spend one to two thousand dollars to do this.
Chris: I know, and I would say I have, I have compassion for her-
Mark: I just…
Chris: …but the reality is that she, she-
Mark: There’s so many of those people.
Chris: Yeah, the reality is that she thought she was swimming in the kiddy pool and she’s in the deep, she’s in the ocean. That’s the reality and, and, I take your point, but I think, um, the worlds changing, and it’s, it-
Mark: (laughs)
Chris: Everybody reacts to the pain of change, but I don’t think…it’s one thing to say that this is uncomfortable, or for it to feel unfair, but it’s another thing to make decisions in rejection of that just because we don’t like it. Um, I saw, I don’t, I don’t debate, I don’t, I don’t disagree with your dislike of this. Um-
Mark: Yeah, it’s, it’s, I think, it seems unjust. We don’t need to beat around the, you know-
Chris: Yeah, yeah.
Mark: …because you’ve been beating the dead horse that is around the bush.
Chris: Right. (laughs)
Mark: (laughs)
Chris: This uh, this is deep. Uh, there’s a lot going on. I would encourage anyone listening, if this has shocked you or disturbed you, or if you’re upset, a-, a-, as angry as Mark is, he was beat red right now…
Mark: Yesterday, I was (laughs).
Chris: Um, I, I think you should, you should look into this. Um, I think it would be worth, and if you have legal counsel, if your organization does, I think it would be worth talking to that, those people about that. Um, at least just to make sure that you’re doing the right things. Um, again, we’ve talked about some specific solutions, but we are not, um, we are not legal counsel on this. You’re going to need to look into this on your own.
Mark: But we have put together a solution for our site-
Chris: Yes.
Mark: …that, to the best of our knowledge, is as in compliance as can be. Right-
Chris: Correct.
Mark: …to the best of our knowledge. Um, and if you’re a client of ours, we can help you do the same.
Chris: That’s right.
Mark: Okay, well, I’m still angry, but I, I’m glad I got to voice my concern a little bit.
Chris: He’s chill, he’s chill, he’s chilling out. It’s really, it’s really, everything’s going to be okay.
Mark: (laughs) Okay.
Chris: All right, thanks for listening and we’ll talk to you next time.
Mark: You’re listening to Expert Marketing Matters, a podcast about generating ideal new business opportunities by creating and nurturing digital marketing systems and habits that have a measurable impact on your bottom line. This podcast is brought to you by Newfangled. A digital marketing consultancy focused on empowering experts to do better digital marketing. You can learn more about Newfangled’s digital marketing method at Newfangled.com.