On May 25, 2018, the European Union will begin enforcement of the General Data Privacy Regulations (GDPR). The GDPR represents an expansive approach to protecting the privacy rights of European citizens, and has the potential to impact businesses across the globe, not just in the European Union. The business community needs to understand the GDPR, who it affects, and how to comply with the law, lest they face costly punishment by the EU.
What is the GDPR?
The GDPR is an administrative regulation enacted by the European Parliament to protect the privacy of Europeans as it applies to data collection. The GDPR came about, according to the Commission Implementing Decision (EU) 2016/1250 (comparable to the legislative history that accompanies the US Code), because of the European Union’s belief in “the fundamental right to respect for private life with regard to the processing of personal data, [and] also a high level of protection of those fundamental rights and freedoms.”
As noted by CIO, the GDPR requires that personally identifiable information be collected and processed in a manner that is lawful, fair, and transparent. Relevant to the recent scandal involving Facebook and Cambridge Analytica, the EU permits the collection of EU citizen data only for explicit, legitimate purposes. The GDPR requires that data collection be narrowly tailored to the collecting party’s specific needs. It also codifies a requirement that businesses — the law carves out exceptions for data collection for non-commercial, law enforcement, and intelligence purposes — ensure that personally identifiable information is kept only as long as needed by the businesses that collect it. Related to this point, the EU expands on the notion of the “right to be forgotten” by requiring data processors and collectors to take steps allowing for the deletion of an EU national’s data upon request. The GDPR codifies a requirement that data be processed and stored in a fashion that is secure, and requires processors and collectors to notify EU nationals within 72 hours if there is a data breach. The GDPR requires the appointment of Data Protection Officers responsible for the maintenance of records concerning how personally identifiable information related to EU nationals is collected, processed, secured and used, much like how Sarbanes-Oxley and other US regulations required public companies to develop ethics and compliance programs.
Why Does the GDPR matter to non-European Businesses?
While this seems innocuous, if not an admirable position for the EU to take, the underlying regulations have caused some consternation in the international community. Partly, this is due to the extreme applicability of the GDPR. With the GDPR, the EU has expanded previous regulations (namely EU Directive 95/46/EC) to apply to all companies worldwide that process or collect data relating to EU nationals. Thus, if a resident of Kewanee, Illinois (or Lima, Peru) has a craft business that collects personally identifiable information related to the mailing addresses of EU residents in order to ship goods to them, it is just as subject to the GDPR as British Airways or Novo Nordisk.
Being subject to the GDPR is no small matter. The second reason the GDPR is causing unrest in the business community is the aggressive penalties included in the regulation by the EU. Non-compliance with the GDPR can lead to penalties of up to 4% of a company’s global turnover or €20 million ($25 million at the time of writing), whichever is greater.
The business community responded to the Commission enacting the GDPR with concerns that the GDPR reached beyond the scope of the US-EU Privacy Shield regulations and imposed the will of the EU on other sovereign nations. If the US Government permits enforcement of the EU regulations on US companies (a jurisdictional issue more for legal scholars), compliance with the GDPR will be costly, most of all to small to mid-sized companies that do not already have the compliance programs commonly seen in Fortune 500 companies. According to international law firm Paul Hastings LLP, compliance costs for a business are estimated to be $1 million, just for technology improvements. Additional expenses would be incurred, such as those associated with retaining counsel to understand how to comply with the GDPR and hiring employees to maintain regulatory compliance. Writing in the Harvard Business Review, Larry Downes noted that the GDPR appeared protectionist, as it was cheaper for businesses to comply if they used European data centers rather than ones outside the EU. Similar concerns have been raised in the Asian-Pacific market.
What should US businesses be doing in anticipation of the May enforcement deadline?
First, businesses should be aware that, regardless of the GDPR, there are already US regulations concerning the preservation of the privacy of customer personally identifiable information. The Federal Trade Commission already enforces numerous laws and regulations pertaining to data privacy and online marketing, including (but not limited to):
- The Children’s Online Privacy Protection Act (COPPA);
- The Federal Trade Commission Act (FTC Act);
- The Health Insurance Portability & Accountability Act (HIPAA);
- The American Recovery and Reinvestment Act of 2009;
- The Health Breach Notification Rule, 16 CFR §318 (2009);
- The Fair Credit Reporting Act: Disposal Rule, 16 CFR §682 (2005);
- The Fair Credit Reporting Act: Identity Theft Rule, 16 CFR §681 (2009); and,
- The Red Flags Rule, 12 CFR §41 (2007).
If US businesses do not already have data privacy compliance plans in place, they need to put them in place, not just to comply with the GDPR, but also with the US privacy regulations.
With respect to the GDPR, to summarize the hundreds of pages of regulation here would be overwhelming, both to the writer and to readers. There are, however, some core changes businesses can make to ensure compliance when the law is enacted in May 2018.
- Businesses should conduct an audit under the command and control of a CISSP-certified professional (or other properly trained and certified network security professional) to identify what personally identifiable information they are collecting;
- Businesses should consider how they process that personally identifiable information, for what purpose, and for how long they keep it;
- Businesses should consider whether the way they process and store data would be considered reasonably secure by a professional (or by a jury), and, if not, what steps they should take to make their data secure;
- Businesses should consider the processes they have in place to address requests under the GDPR’s “right to be forgotten” requirements;
- Businesses should consider the processes they have in place to address data breaches, including whether they can notify EU consumers of breaches within 72 hours; and,
- Businesses should be considering whether their outsourced cloud storage providers (if they have any) are in compliance with the GDPR and FTC regulations.
Beginning May 25, 2018, the EU’s implementation of the GDPR will have the potential to affect businesses worldwide. Compliance with the GDPR represents a significant commitment of capital and labor for businesses, triggered if these businesses engage in practices that affect the data privacy of EU nationals. Businesses should anticipate the implementation of the GDPR by conducting security audits and developing plans to ensure compliance and avoid liability.
Recently, the Federal Trade Commission (FTC) enacted its first enforcement action against businesses using influencer marketing in ways that violate its regulations against deceptive business practices. (The first crackdown occurred in April 2017, when the FTC sent “reminder letters” to influencers and businesses.) Companies realize that, while influencer marketing is an incredibly effective method of small business marketing, it must comply with FTC and global trade regulations.
Wading through the Code of Federal Regulations governing influencer marketing can be challenging at best, and coma-inducing at worst. While this article should not be substituted for the advice of a retained attorney (seriously; get an attorney if you have questions about the law), it does provide some easy-to-understand tips and checklists for complying with FTC regulations in the hopes of making small businesses and other marketers aware that the issue of influencer compliance is not going away.
Everything begins with disclosure
The FTC is primarily focused on instances where a product or service is recommended and the online personality has a business relationship to the product or service. In the current enforcement action, involving two YouTube video gaming personalities, that relationship was a direct ownership interest in the product business, but it is likely that the FTC would see a relationship if the internet personality has a relationship anywhere in the food chain related to a product (e.g., with distributors, marketing consultants, manufacturers, or retailers). (See 16 CFR 255.5.)
When there is some material relationship between the internet personality and the product in their content, there needs to be a disclosure of the relationship. For example, when I use an affiliate link to a product on Amazon, I need to disclose (as I do) on this site that I am a participant in the Amazon affiliate program and benefit from purchases associated with my site. Note, too, that the material relationship does not end with getting paid to display and endorse a product. If I recommend a product or take a picture of a product in exchange for a chance to win something for free, that is a material relationship that requires disclosure. No matter the benefit, it is safe to assume that if I benefit from putting a picture of a product on my blog, on Facebook, or on Instagram, I have a disclosure requirement.
How to make a proper disclosure
The FTC intended for the disclosure requirements to be straightforward (whether they succeeded at making the regulations easy to understand is another story entirely). The requirements are based on the following elements:
– disclosures of all material relationships;
– disclosures that are unambiguous in both form and content; and,
– disclosures that are side by side with the influencer content.
Disclosures of all material relationships
The FTC asserts that disclosure is required when there is a “material” relationship, and in this case, the use of the term “material” rather than “financial” is significant. Expanding the scope of relationships to any instance in which it is material means that the influencer content is subject to the regulation when there is a personal, familial, romantic, or other similarly meaningful relationship, regardless of whether the influencer gets paid in a traditional “quid pro quo” method.
Thus, if Jane Doe begins posting influencer content on Instagram about the hot new nightclub in her city, and that hot new nightclub happens to be owned by a partnership that includes John Doe, Jane’s brother, then there is a material relationship for which the regulations would be imposed.
Disclosures that are unambiguous in both form and content
The FTC, in its web pages regarding endorsement marketing/influencer marketing, repeatedly reminds influencers (and the marketers and businesses that work with influencers) that they should not rely on the native endorsement tools within an app to adequately indicate whether the content is paid advertising. Instead, it is the obligation of the influencers and the marketing firms directing the influencers to ensure that their disclosures are unambiguous and easy to see.
Disclosures that are side by side with the influencer content
The FTC addresses the question of whether endorser disclosures are adequate if buried in a linked page somewhere, stating:
Do you click every CLICK MORE link? We don’t either. When disclosing a brand relationship, the better approach is to hit ‘em right between the eyes. Furthermore, on image-only platforms, superimpose your disclosure over the picture in a clear font that contrasts sharply with the background.
FTC, Three FTC Actions of Interest to Influencers
Plainly put, the disclosure must be up front, superimposed on the image or video in a way that is legible and meaningful to the consumer.
Influencer marketing is a useful subset of digital marketing, a low-cost option for small businesses or businesses just getting started to get their products and services in front of potential customers. However, small businesses and the marketing firms that represent them need to make sure that, if they are using influencer marketing, their content complies with FTC regulations concerning endorsements.
When the Small Business Association (“the SBA”) considered what entrepreneurs needed to do to thrive in today’s world of massive, publicly-traded corporations, the SBA recommended that they spend seven to eight percent of their gross income on marketing. For many just starting out, this may not be much, but it’s money that needs to be spent well if the business is to grow. So how do veteran businesses spend their marketing dollars wisely?
“Knowing how much you have to spend on marketing is critical; even more critical is how you spend it. This means having a plan. Your small business marketing budget should be a component of your marketing plan, outlining the costs of how you are going to achieve your marketing goals within a certain timeframe.”
– Caron Beesley, How to Set a Marketing Budget that Fits your Business Goals and Provides a High Return on Investment, SBA.gov (January 9, 2013).
As the SBA puts it, have a marketing plan, and have a way to track the return on investment received via that marketing plan.
One of the first steps in developing a marketing plan is determining what platforms suit both your brand and your products well. By platforms, I mean those avenues (often referred to as marketing channels) you want to pursue to promote your business. Marketing platforms can include:
– traditional marketing channels (such as print, radio, television, and billboards);
– owned digital marketing channels (such as websites and apps);
– social media marketing channels (such as Facebook, Instagram, Twitter, and others, as will be discussed below);
– earned media marketing channels (such as Yelp and Nextdoor); and,
– what I will call next wave digital marketing channels (such as Augmented Reality – AR – and Virtual Reality – VR).
Selecting the Right Marketing Platform
There is no one right platform for all products and brands. That needs to be said straight from the outset. However, there is a right way to determine what platforms should be used. When considering how to plan out what platform or platforms to use, a business should think about:
– their brand voice;
– the patterns of life of their target audience; and,
– their financial, technical, and time-based resources available for marketing.
What does this mean? It means that a business that is targeting millennial consumers needs to be using different platforms than a business targeting baby boomer consumers. For enterprises that do target millennial consumers, if their brand’s voice is savvy and sophisticated, they should be focused more on elegantly-composed images on Instagram than on developing an active Facebook group that shares amusing memes.
For small businesses, regardless of their audience and voice, they need to be realistic about those limitations – whether technical, financial or time-based – that will impact their marketing strategy. If business owners do not have the skills to shoot and edit high-quality video (even if with their smartphone), then they should consider whether their approach to marketing should be more focused on text, still photos, and candid live streaming.
When I work with small to mid-sized businesses, I typically begin with helping them claim their businesses on various platforms. (Which platforms? That would be industry-specific, particularly depending on whether these businesses are B2B or B2C enterprises. In general, though, I am talking about Facebook, Instagram, Twitter, Google and Google Local, LinkedIn, and Yelp, although niche platforms may apply.) For B2C (business-to-consumer) enterprises, this usually means they will claim their business on Yelp. A short time later, they often receive an email or call from a Yelp sales representative pitching advertising packages on Yelp. Often, my clients will then ask whether advertising on Yelp is worth it. This article addresses that commonly asked question about advertising on Yelp based on its relative cost and on what litigation concerning advertising on Yelp tells us about its service. The bottom line up front is that I do not recommend that small to mid-sized businesses advertise on Yelp, but I do recommend they claim their business on the service, and have a policy in place for spotting and responding to negative reviews there.
The Problem of Transparency in Cost and Performance On Yelp
Yelp does not publish its rates on its website for advertising, and is not very informative about how it determines its rates. A December 19, 2017 call to Yelp’s advertising department revealed that most customers pay $300.00 to $400.00 per month for advertising based on a pay-per-click model that Yelp described as similar to the one used by Google Adwords. When asked if the cost-per-click rates were available for review, Yelp advised that this was internal information and could not be provided to potential customers. In contrast, Google Adwords provides transparency to customers regarding the cost-per-click rate (CPC) for any given keyword.
In plain English, with Google Adwords, businesses know what they can expect to pay and what they could get in return (based on past performance) before they invest in Google search engine marketing. With Yelp, advertising is hidden in the black box of an internal pricing structure. This criticism of Yelp is nothing new. Others have reported Yelp being unwilling to fully inform current or potential customers as to how its pricing model works (see, e.g., The Yelp Advertising Exposé, Yelp’s Cost Per Click Program – My Experience, and Advertising On Yelp: What You Should Consider).
Transparency has become a key component in reforming corporate ethics after the scandals leading to Sarbanes-Oxley, and generally speaking, it is likely that transparency will become problematic for the search industry, which seems hell-bent on preserving the secrecy of the algorithms governing search ranking (as an aside, could one imagine libraries doing the same thing?). Yelp’s lack of transparency may make one believe that the business is engaged in nefarious conduct. In fact, this has led to repeated litigation involving Yelp’s business practices, as detailed below.
Litigation involving Yelp
In 2014, Yelp shareholders engaged in a class action securities lawsuit before the District Court for the Northern District of California against the company for its conduct surrounding known fake reviews on its site. In 2015, the Northern District dismissed the suit. See Curry v. Yelp, Inc., Case No. 14-cv-03547-JST (2015). However, as noted by Forbes, this dismissal may be due more to the legal strategy of using securities law to target Yelp’s practices than to the legitimacy of Yelp’s conduct.
Also in 2014, the Federal Trade Commission engaged in an enforcement action against Yelp for violating the Children’s Online Privacy Protection Act. Yelp settled with the Federal Government, paying $540,000 in civil penalties.
In 2016, Yelp appealed a California decision in which it was ordered to remove defamatory content from its website. Yelp asserted in its appeal to the Supreme Court of the State of California that forcing Yelp to remove defamatory content violated its First Amendment rights and that the lower courts’ decisions violated the Communications Decency Act. See Hassell v. Bird, 247 Cal.App.4th 1336 (2016); Communications Decency Act of 1996, 47 USC 230 (the California Supreme Court has not yet issued its ruling). While, as a writer, I am generally in favor of expansive First Amendment rights, my experience as a lawyer has been that defamation has never been protected speech.
Best Practices for Dealing with Yelp
Given the repeated allegations of misconduct against Yelp, some of which have been substantiated and some of which have been dismissed, along with Yelp’s lack of transparency regarding its paid advertising, I believe it unwise to pay for advertising on the site. As reported by Hubspot, only 26% of consumers use branded apps – such as Yelp – to search for local businesses. As mobile devices are becoming the dominant tools for local search, small to mid-sized businesses are better served by focusing on the 74% of consumers that use search engines and Facebook to search for local businesses. In short, they are better served by focusing on the lower-cost Google Adwords and social media marketing.
Should small to mid-sized businesses ignore Yelp, then? In a word: no. The site still appears in Google searches, and it represents a valuable way to get logistical data – addresses, hours of operation, telephone numbers, and websites – in front of potential customers. Additionally, businesses simply cannot ignore the potential for unanswered negative reviews on platforms like Yelp. Instead, businesses should have policies to ensure (1) their information on Yelp and other platforms is correct, and (2) that they respond professionally to negative consumer feedback on those platforms.