Businesses Should Be Ready for the GDPR Coming this May


On May 25, 2018, the European Union will begin enforcement of the General Data Privacy Regulations (GDPR).  The GDPR represents an expansive approach to protecting the privacy rights of European citizens, and has the potential to impact businesses across the globe, not just in the European Union.  The business community needs to understand the GDPR, who it affects, and how to comply with the law, lest it face costly punishment by the EU.  

What is the GDPR?

The GDPR is an administrative regulation enacted by the European Parliament to protect the privacy of Europeans as it applies to data collection.  The GDPR came about, according to the Commission Implementing Decision (EU) 2016/1250 (comparable to the legislative history that accompanies the US Code), because of the European Union’s belief in “the fundamental right to respect for private life with regard to the processing of personal data, [and] also a high level of protection of those fundamental rights and freedoms.”  


Non-compliance with the GDPR's privacy rules can lead to penalties of up to 4% of a company’s global turnover or €20 million ($25 million at the time of writing), whichever is greater.

As noted by CIO, the GDPR requires that personally identifiable information be collected and processed in a manner that is lawful, fair, and transparent.  Relevant to the recent scandal involving Facebook and Cambridge Analytica, the EU permits the collection of EU citizen data only for explicit, legitimate purposes.  The GDPR requires that data collection be narrowly tailored to the collecting party’s specific needs.  It also codifies a requirement that businesses ensure that personally identifiable information be kept only as long as the businesses that collect it need it (the law carves out exceptions for data collection for non-commercial, law enforcement, and intelligence purposes).  Related to this point, the EU expands on the notion of the “right to be forgotten” by requiring data processors and collectors to take steps allowing for the deletion of an EU national’s data upon request.  The GDPR codifies a requirement that data be processed and stored in a fashion that is secure, and requires processors and collectors to notify EU nationals within 72 hours if there is a data breach.  The GDPR requires the appointment of Data Protection Officers responsible for the maintenance of records concerning how personally identifiable information related to EU nationals is collected, processed, secured and used, much like how Sarbanes-Oxley and other US regulations required public companies to develop ethics and compliance programs.


Why Does the GDPR matter to non-European Businesses?

While this seems innocuous, if not an admirable position for the EU to take, the underlying regulations have caused some consternation in the international community.  Partly, this is due to the expansive applicability of the GDPR.  With the GDPR, the EU has expanded previous regulations (namely EU Directive 95/46/EC) to apply to all companies worldwide that process or collect data relating to EU nationals.  Thus, if a resident of Kewanee, Illinois (or Lima, Peru) has a craft business that collects personally identifiable information related to the mailing addresses of EU residents in order to ship goods to them, it is just as subject to the GDPR as British Airways or Novo Nordisk.  

Being subject to the GDPR is no small matter.  The second reason the GDPR is causing unrest in the business community is the aggressive penalties included in the regulation by the EU.  Non-compliance with the GDPR can lead to penalties of up to 4% of a company’s global turnover or €20 million ($25 million at the time of writing), whichever is greater.  

The business community responded to the Commission enacting the GDPR with concerns that the GDPR reached beyond the scope of the US-EU Privacy Shield regulations and imposed the will of the EU on other sovereign nations.  If the US Government permits enforcement of the EU regulations on US companies (a jurisdictional issue more for legal scholars), compliance with the GDPR will be costly, most of all to small to mid-sized companies that do not already have the compliance programs commonly seen in Fortune 500 companies.  According to international law firm Paul Hastings LLP, compliance costs for a business are estimated to be $1 million for technology improvements alone.  Additional expenses would be incurred, such as those associated with retaining counsel to understand how to comply with the GDPR and hiring employees to maintain regulatory compliance.  Writing in the Harvard Business Review, Larry Downes noted that the GDPR appeared protectionist, as it was cheaper for businesses to comply if they used European data centers rather than ones outside the EU.  Similar concerns have been raised in the Asia-Pacific market.  

What should US businesses be doing in anticipation of the May enforcement deadline?

First, businesses should be aware that, regardless of the GDPR, there are already US regulations concerning the preservation of the privacy of customer personally identifiable information.  The Federal Trade Commission already enforces numerous laws and regulations pertaining to data privacy and online marketing, including (but not limited to):

If US businesses do not already have data privacy compliance plans in place, they need to develop them, not just to comply with the GDPR, but also to comply with the US privacy regulations.  

With respect to the GDPR, summarizing the hundreds of pages of regulation here would be overwhelming, both to the writer and to readers.  There are, however, some core changes businesses can make to ensure compliance when enforcement begins in May 2018.  

  • Businesses should conduct an audit under the direction of a CISSP-certified professional (or other properly trained and certified network security professional) to identify what personally identifiable information they are collecting; 
  • Businesses should consider how they process that personally identifiable information, for what purpose, and for how long they keep it; 
  • Businesses should consider whether the way they process and store data would be considered reasonably secure by a professional (or by a jury), and, if not, what steps they should take to make their data secure; 
  • Businesses should consider the processes they have in place to address requests under the GDPR’s “right to be forgotten” requirements; 
  • Businesses should consider the processes they have in place to address data breaches, including whether they can notify EU consumers of breaches within 72 hours; and,
  • Businesses should be considering whether their outsourced cloud storage providers (if they have any) are in compliance with the GDPR and FTC regulations.  

Conclusion

Beginning May 25, 2018, the EU’s implementation of the GDPR will have the potential to affect businesses worldwide.  Compliance with the GDPR represents a significant commitment of capital and labor for businesses, triggered if these businesses engage in practices that affect the data privacy of EU nationals.  Businesses should anticipate the implementation of the GDPR by conducting security audits and developing plans to ensure compliance and avoid liability.


How to comply with FTC regulations regarding influencer marketing

Recently, the Federal Trade Commission (FTC) brought its first enforcement action against businesses using influencer marketing in ways that violate its regulations against deceptive business practices. (The first crackdown occurred in April 2017, when the FTC sent “reminder letters” to influencers and businesses.) Companies are realizing that, while influencer marketing is an incredibly effective method of small business marketing, it must comply with FTC and global trade regulations.

Wading through the Code of Federal Regulations governing influencer marketing can be challenging at best, and coma-inducing at worst. While this article should not be substituted for the advice of a retained attorney (seriously; get an attorney if you have questions about the law), it does provide some easy-to-understand tips and checklists for complying with FTC regulations in the hopes of making small businesses and other marketers aware that the issue of influencer compliance is not going away.

Everything begins with disclosure

The FTC asserts that disclosure is required when there is a “material” relationship (photo by Timothy Barlin)

The FTC is primarily focused on instances where a product or service is recommended and the online personality has a business relationship to the product or service. In the current enforcement action, involving two YouTube video gaming personalities, that relationship was a direct ownership interest in the product business, but it is likely that the FTC would see a relationship if the internet personality has a relationship anywhere in the food chain related to a product (i.e., with distributors, marketing consultants, manufacturers, or retailers). (See 16 CFR 255.5.)

When there is some material relationship between the internet personality and a product in their content, there needs to be a disclosure of the relationship. For example, when I use an affiliate link to a product on Amazon, I need to disclose (as I do) on this site that I am a participant in the Amazon affiliate program and benefit from purchases associated with my site. Note, too, that the material relationship does not end with getting paid to display and endorse a product. If I recommend a product or take a picture of a product in exchange for a chance to win something for free, that is a material relationship that requires disclosure. No matter the benefit, it is safe to assume that if I benefit from putting a picture of a product on my blog, on Facebook, or on Instagram, I have a disclosure requirement.

How to make a proper disclosure

The FTC intended for the disclosure requirements to be straightforward (whether they succeeded at making the regulations easy to understand is another story entirely). The requirements are based on the following elements:
– disclosures of all material relationships;
– disclosures that are unambiguous in both form and content;
– disclosures that are side by side with the influencer content.

Disclosures of all material relationships

The FTC asserts that disclosure is required when there is a “material” relationship, and in this case, the use of the term “material” rather than “financial” is significant. Expanding the scope of relationships to any instance in which it is material means that the influencer content is subject to the regulation when there is a personal, familial, romantic, or other similarly meaningful relationship, regardless of whether the influencer gets paid in a traditional “quid pro quo” method.

Thus, if Jane Doe begins posting influencer content on Instagram about the hot new nightclub in her city, and that hot new nightclub happens to be owned by a partnership that includes John Doe, Jane’s brother, then there is a material relationship to which the regulations would apply.

Disclosures that are unambiguous in both form and content

The FTC, in its web pages regarding endorsement marketing/influencer marketing, repeatedly reminds influencers (and the marketers and businesses that work with influencers) that they should not rely on the native endorsement tools within an app to adequately indicate whether the content is paid advertising. Instead, it is the obligation of the influencers and the marketing firms directing the influencers to ensure that their disclosures are unambiguous and easy to see.

Disclosures that are side by side with the influencer content

The FTC addresses the question of whether endorser disclosures are adequate if buried in a linked page somewhere, stating:

Do you click every CLICK MORE link? We don’t either. When disclosing a brand relationship, the better approach is to hit ‘em right between the eyes. Furthermore, on image-only platforms, superimpose your disclosure over the picture in a clear font that contrasts sharply with the background.
FTC, Three FTC Actions of Interest to Influencers

Plainly put, the disclosure must be up front, superimposed on the image or video in a way that is legible and meaningful to the consumer.

Conclusion

Influencer marketing is a useful subset of digital marketing, a low-cost option for small businesses or businesses just getting started to get their products and services in front of potential customers. However, small businesses and the marketing firms that represent them need to make sure that, if they are using influencer marketing, their content complies with FTC regulations concerning endorsements.


Why I don’t recommend advertising on Yelp

When I work with small to mid-sized businesses, I typically begin with helping them claim their businesses on various platforms. (Which platforms? That would be industry-specific, particularly depending on whether these businesses are B2B or B2C enterprises. In general, though, I am talking about Facebook, Instagram, Twitter, Google and Google Local, LinkedIn, and Yelp, although niche platforms may apply.) For B2C (business-to-consumer) enterprises, this usually means they will claim their business on Yelp. A short time later, they often receive an email or call from a Yelp sales representative pitching advertising packages on Yelp. Often, my clients will then ask whether advertising on Yelp is worth it. This article addresses that commonly asked question about advertising on Yelp based on its relative cost and on what litigation concerning Yelp tells us about its service. The bottom line up front is that I do not recommend that small to mid-sized businesses advertise on Yelp, but I do recommend they claim their business on the service and have a policy in place for spotting and responding to negative reviews there.

The Problem of Transparency in Cost and Performance On Yelp

Yelp does not publish its rates on its website for advertising, and is not very informative about how it determines its rates. A December 19, 2017 call to Yelp’s advertising department revealed that most customers pay $300.00 to $400.00 per month for advertising based on a pay-per-click model that Yelp described as similar to the one used by Google Adwords. When asked if the cost-per-click rates were available for review, Yelp advised that this was internal information and could not be provided to potential customers. In contrast, Google Adwords provides transparency to customers regarding the cost-per-click rate (CPC) for any given keyword.

Transparency in advertising price on Google

In plain English, with Google Adwords, businesses know what they can expect to pay and what they could get in return (based on past performance) before they invest in Google search engine marketing. With Yelp, advertising is hidden in a black box of an internal pricing structure. This criticism of Yelp is nothing new. Others have reported Yelp being unwilling to fully inform current or potential customers as to how its pricing model works (see, e.g., The Yelp Advertising Exposé, Yelp’s Cost Per Click Program – My Experience, and Advertising On Yelp: What You Should Consider).

Transparency has become a key component in reforming corporate ethics after the scandals leading to Sarbanes-Oxley, and generally speaking, it is likely that transparency will become problematic for the search industry, which seems hell-bent on preserving the secrecy of the algorithms governing search ranking (as an aside, could one imagine libraries doing the same thing?). Yelp’s lack of transparency may make one believe that the business is engaged in nefarious conduct. In fact, this has led to repeated litigation involving Yelp’s business practices, as detailed below.

Litigation involving Yelp

In 2014, Yelp shareholders brought a class action securities lawsuit before the District Court for the Northern District of California against the company for its conduct surrounding known fake reviews on its site. In 2015, the Northern District dismissed the suit. See Curry v. Yelp, Inc., Case No. 14-cv-03547-JST (2015). However, as noted by Forbes, this dismissal may be due more to the legal strategy of using securities law to target Yelp’s practices than to the propriety of Yelp’s conduct.

Also in 2014, the Federal Trade Commission engaged in an enforcement action against Yelp for violating the Children’s Online Privacy Protection Act. Yelp settled with the Federal Government, paying $540,000 in civil penalties.

In 2016, Yelp appealed a California decision in which it was ordered to remove defamatory content from its website. Yelp asserted in its appeal to the Supreme Court of the State of California that forcing Yelp to remove defamatory content violated its First Amendment rights and that the lower courts’ decisions violated the Communications Decency Act. See Hassell v. Bird, 247 Cal.App.4th 1336 (2016); Communications Decency Act of 1996, 47 USC 230 (the California Supreme Court has not yet issued its ruling). While, as a writer, I am generally in favor of expansive First Amendment rights, my experience as a lawyer has been that defamation has never been protected speech.

Best Practices for Dealing with Yelp

Given the repeated allegations of misconduct against Yelp, some of which have been substantiated and some of which have been dismissed, along with Yelp’s lack of transparency regarding its paid advertising, I believe it unwise to pay for advertising on the site. As reported by Hubspot, only 26% of consumers use branded apps – such as Yelp – to search for local businesses. As mobile devices are becoming the dominant tools for local search, small to mid-sized businesses are better served by focusing on the 74% of consumers that use search engines and Facebook to search for local businesses. In short, they are better served by focusing on lower-cost Google Adwords and social media marketing.

Should small to mid-sized businesses ignore Yelp, then? In a word: no. The site still appears in Google searches, and it represents a valuable way to get logistical data – addresses, hours of operation, telephone numbers, and websites – in front of potential customers. Additionally, businesses simply cannot ignore the potential for unanswered negative reviews on platforms like Yelp. Instead, businesses should have policies to ensure (1) their information on Yelp and other platforms is correct, and (2) that they respond professionally to negative consumer feedback on those platforms.
