What Does GDPR Mean for U.S. Companies?

The General Data Privacy Regulation or GDPR is a hot topic in our private community. It goes into effect in the U.S. on May 25th. It’s a complicated privacy law to understand and is applicable to everyone worldwide.

In today’s episode, we talk about what the law covers. We cover if you should care, what your liability is, and what could happen if you don’t comply with this law.

You’ll learn:

  • Who this law affects the most (and the least)
  • A high-level look at how this could affect your business
  • The five approaches you can take for dealing with it


(With your host Andrew Youderian of eCommerceFuel.com and John DiGiacomo of RevisionLegal.com)

Andrew: Welcome to The eCommerceFuel Podcast, the show dedicated to helping high six and seven-figure entrepreneurs build amazing online companies and incredible lives. I’m your host and fellow eCommerce entrepreneur, Andrew Youderian.

Hey guys, it’s Andrew here, and welcome to The eCommerceFuel Podcast. Thanks for tuning in to the show with me today. And today on the program, I’m talking about something that you’ve almost certainly heard about, and you’re probably sick of hearing about, so I apologize for the topic.

But I’m guessing a lot of people aren’t quite sure how to deal with it, or they’re not quite sure what the liabilities are if they don’t do anything about it, and that’s the GDPR, the General Data Privacy Regulation from the E.U., going into effect here, May 25th. And a beast of a privacy law that is ostensibly, at least according to the Europeans who drafted it, applicable to everyone worldwide.

There’s a lot there, and in today’s episode, I wanna talk about quickly what the law covers. I wanna talk about if you’re a merchant, particularly outside of the E.U., if you should care, what your liability is, and, you know, potentially what could happen if you don’t comply with this law. And to that effect, I’m bringing on John Di Giacomo from Revision Legal to really talk about that from an enforcement standpoint and understand your risk.

I’m gonna talk about what I’m seeing other merchants do in reality of, you know, I’ve chatted with half a dozen or more merchants over the last couple of weeks to get a sense of how they’re reacting, you know, the extent to which they’re implementing this especially outside the E.U.

I know we’re also gonna cover a kind of a tiered approach to dealing with it depending on your risk appetite, and the different levels you could go to, to comply with this law, all the way from blowing it off to, you know, complying completely, and to the implications for that.

So, that’s what we’re covering in the episode. Again, not necessarily the most exciting episode, but pretty important, and I think this is gonna change, you know, it’s gonna change the way that we market around e-commerce businesses. So, if it’s not the most glamorous, sexiest topic in the world, hopefully, it’s the least useful for you going forward.

So, before we dive in, quickly, I wanna give a big “Thank you” and shout out to our two sponsors who probably, to make sure I don’t get in trouble with them, should say that the views in this podcast are not their views, so if I say anything that gets myself or you into trouble, 100% on me. This is not their views, they just happen to be crazy enough to sponsor the show.

The first one is Liquid Web, who offers world-class hosting for WooCommerce stores. So, if you’re on WooCommerce, or if you’re thinking about getting on WooCommerce, there’s no better place to host your cart. These guys have built an entire hosted environment for Woo from the ground up to make it run incredibly quickly, to keep your upgrades and your extension upgrades up-to-date seamlessly without you having to worry about it, and also engineered just to allow it to scale and run efficiently.

So if eCommerce is important to you, I’m guessing it is because you’re listening and you’re on WooCommerce, you owe it to yourself to check these guys out. You can learn more about their offering at ecommercefuel.com/liquidweb.

And then secondly, the team over at Klaviyo who makes email marketing incredibly easy, powerful, and automated. And, you know, I think about all the people I know that run seven and eight-figure businesses, and I would say the hands down choice for those merchants is Klaviyo. They do a better job of segmenting and allowing you to segment your customers, build out automated email campaigns that make you money on autopilot based on what your customers have purchased, what they do, than anyone else.

So, if you’re not using them, you’re leaving money on the table. You can get started with them with a free trial to check it out risk-free at ecommercefuel.com/klaviyo.

A Few Disclaimers

All right, so a couple of disclaimers here before we get into this. First, this is a beast of a bill. I’m not a lawyer, you know, I tried to do my best to dig into this and really understand it. But the things I’m gonna talk about here are thoughts on my side, and they’re not legal advice so please, before you make any filing decisions, chat with a lawyer on these issues.

Secondly, I feel like I need to disclose I am not an unbiased reporter on this. This is not a New York Times article coming from an objective standpoint. I do not like this bill. You know, I like the concept at a high level, of not spamming people, of giving people the right to a certain reasonable sense of privacy. And I’m also in favor of being a law abiding citizen. Some of my friends give me crap because I pay taxes on my cash back from my credit card.

So, like, I am not advocating being a law breaker, or trying to dodge this, just, you know, for the sake alone of trying to get out of being a good citizen or a law abiding citizen, but the two things that bother me about this bill are, one, it was passed in Europe by European legislators, and, you know, they are applying it to merchants, and blogs, and, you know, anyone online around the world.

And to me, I find that, you know, at minimum, annoying. I’m not saying the U.S., my home country, is guilt-free on this front, but still, it bothers me. So, that bugs me.

The other thing is that this is a really hard thing to implement completely if you’re gonna try to be 100% compliant as a small business. It’s difficult for large businesses, you know, eight-figure businesses with in-house legal teams and all sorts of data officers. This is really tough for somebody who’s even doing a couple of million dollars in sales.

And I think it’s a great example of where there was some well-meaning legislation, but it is incredibly difficult to apply in the way it was meant for businesses without being very, very burdensome. So, that’s my two disclaimers there.

So, that being said, let’s dive into this. So, why should you care about this law? Well, the first one is the fines. You can, potentially, be fined up to 4% of your global revenues or 20 million euros, whichever is higher. The fines and the enforcement are coming into effect beginning May 25th, so it’s coming quickly.

Who does the law apply to? It applies to anyone who is tracking data of people who are residing within an E.U. nation. So, if someone in Germany visits your blog and you’re a U.S. resident, it applies to you. Someone in, you know, if someone in France visits your store that you run from Argentina, it applies to you. You’re supposed to abide by all the rules.

So, what does it cover? There’s a lot of things that it covers, but the biggest one I would say, the one that probably has the largest impact, especially in the way that we market, is this idea of getting consent from a visitor, or from a customer, every time you wanna communicate with them, and getting opt-in consent for every different type of communication you wanna have, particularly via email, is where, you know, really probably the strongest implication is here.

And all of the correspondence has to be opt-in, manually opt-in. You can’t have people opt out like you used to in the past. You have to really get people to opt in to every type of communication. So, instead of saying, you know, what you have to do, I’m gonna give you some examples of things that will impact the way that we currently do things.

If you have a checkbox on your order, you know, “Finalize Your Order” page that is checked by default, so for my newsletter, you know, when you place this order, you can no longer do that under the law. You have to have it be an opt-in, so you have to have that check mark unchecked. The customer has to manually check it to, you know, to indicate their consent to get opted into the newsletter.

If you have a lead magnet for your ecommerce store, you can no longer add people to your general newsletter, or general email list without getting an additional consent from them in addition to asking for that lead magnet that they are opting in to your list. So, maybe it’s an extra check mark at the bottom of the opt-in that says, “Would you also like to sign up for my newsletter?” and it has to be unchecked.

You also can’t run incentives or contests to get people to give you their email, sort of an example like Wheelio where you run contests and offer discounts to get an email address, where if you just say, “Hey, get 20% off your first order. Sign up for my newsletter.” You can’t do that anymore.

And you also can’t hold back things because people don’t agree to join your newsletter. So going back to the lead magnet example, you can’t say, “Oh, hey the only way I’m gonna let you get the lead magnet is if you also agree to sign up for my newsletter.” That is not allowed either.

On top of all this, you have to be able to prove that you got consent from all of the people signing up for these things. You have to prove that people opted in to your newsletter in order to be able to comply, if somebody from the E.U. or the administrative side of their things, enforcement side, asks for it.

So, that’s probably the thing that I would say has probably the largest implications. There’s a lot of other rules, including the right to be forgotten. So people, you know, your customers, or visitors, can ask you to purge all of the information you have on them. The right to access all the data being held about a customer, people can ask for that.

Cookies, the right to, you know, customers…well, you as a store owner need to disclose the cookies that are being used, and have a customer opt in and say, “Hey, yes, I’m willing to have all of these cookies, including stuff like, you know, Google Analytics, Facebook tracking pixels, all these kinds of things.” Requirement to report a breach to authorities, a data breach, within 72.

Your responsibility to ensure that all of your SaaS companies, or contractors, or people that you are passing information to are GDPR compliant.

Data Portability, the responsibility on you, an obligation to be able to give all the data you have to a customer in a very, you know, kind of a nice, clean format to them so they can move it to another provider, and, you know, for larger companies, even implications for having a dedicated data protection officer.

So there’s a lot there, and I’m not gonna cover all of this in this podcast, because there’s just so much there.

But what I wanna talk about is a couple of things now. I’m gonna bring in John right now, and I wanna talk about the E.U.’s enforcement, and potentially what the liabilities are, or the, you know, how likely it could be that, you know, let’s say a merchant outside the E.U. could be targeted and fined for this. I’ll talk about, you know, as well, what I’m seeing from other merchants, how they’re preparing for this or not preparing for this, and then talk about, you know, kind of a sliding scale that you could use along with action steps, to get ready for this, depending on your risk tolerance, and how much time and energy you wanted to dedicate to being compliant.

So, with that, let’s go ahead and pull in John.

John, I’ve invited you on to do something I know all lawyers love doing, and that’s making public wide sweeping comments on new ambiguous law and legislation, so, thank you, for being on to do this.

Our Legal Eagle Returns

John: Yeah, thank you. I’m happy to be here, and I’m happy to address this entirely overburdensome and complex subject with you. So, thanks.

Andrew: Yeah, of course. And, you know, we’re coming off just a little intro that I did about, just an introduction for the bill, what it covers, some of the things that particularly with consent it covers, maybe some of the more nuanced things. Anything in there that you think at a high level that I missed or should be mentioned before we dive into enforcement?

John: No, I don’t think there’s anything that you missed, but one of the things that I think is very important and a lot of people are not considering, is the record keeping component of the GDPR requirement. A lot of people are focusing on the consent component, but really, the thing that scares me the most for clients and for e-commerce merchants, is the record keeping. So, I would just stress that if you were gonna focus on something, that would be the area that I would focus on.

The Record Keeping Component

Andrew: An intro to record keeping, you mean record keeping in terms of…it’s probably, we probably could maybe even do a whole episode of that, but in terms of proving that you have consent from people, in terms of proving you’ve removed their data if they’ve requested it be totally flushed from your system, things like that?

John: Yeah, there’s really kind of a couple of categories that I see. One is, you have to keep a record of the purpose of data processing, why you’ve collected and are processing that data. You have to understand and keep record of the categories of the data and the data subjects that you’re collecting personal information from.

There are record keeping requirements for categories of recipients, so if you’re transferring that data to one of your vendors, you should keep a record of that.

Time limits, so the date that the information was first collected, and then if it will be destroyed, when it will be destroyed and when it was destroyed. And then kind of documentation about how you are safeguarding that data.

So, I see those as the key components of GDPR, and really, those are the things that I would focus on for best practices, if for example, your listeners are saying, “What do I do? I’m not gonna comply, where do I start?” That’s the area that I would focus in on, because I believe that’s the area of most risk. So, that’s the only thing that I would add to the intro, that I would have talked about in the intro.

How This Is Being Enforced

Andrew: Okay, great. We’re gonna get into kind of a tiered approach maybe to, you know, depending on risk tolerance, complying to it, and also talk about what you and I have seen with other merchants, how they’re responding. But before we get into that, how does enforcement work?

I mean, of course, and again, this is for kind of non-E.U. merchants or website owners, but what kind of…I mean, let’s use it from the U.S. perspective, because it’s gonna be different in every country, but what kind of enforcement mechanism does the E.U. have to be able to go after someone let’s say in, you know, in Michigan who’s not complying with this?

John: Sure. So, there’s a couple of ways that the E.U. can enforce the GDPR requirements. And there are some kind of really interesting contradictory things that may, if you intend to comply, subject you to even more enforcement, so it’s a really interesting problem. So, I will start with high level.

The GDPR provides a right to lodge a complaint with the Data Protection Authority. So, if you’re an individual and you believe that your personal information has been used inappropriately, or there’s been some other violation of GDPR, you can lodge a complaint.

There is also a right to a judicial remedy. So, you can file suit within the European Union to enforce your rights under the GDPR. That right is against both the data controller and the processor. All of those remedies are joint and several liability, and what that means is that the right to obtain monetary damages can be enforced against both parties equally. So, for example, if it’s Google’s fault but you are using Google for the purposes of providing your services, both you and Google are held jointly responsible, and severally are responsible for whatever the action is.

So, the big question is, how do these guys get to me? I think there are a few ways. The first way is if you have an office in the European Union, obviously, you’re at risk, because somebody could file suit, or a Data Protection Authority could issue fines against you within Europe.

The second is if you have any assets within the European Union. Assets could be things like payment accounts, so for example, if you are using PayPal and you’re using the Luxembourg version of PayPal, which is where PayPal is located, or Amazon is also located in Luxembourg, and you have money stored there, that might be at risk as a result of a GDPR violation. So, if there are assets that could be levied upon within the European Union, that could be a problem.

Outside of that, it’s kind of difficult to see how the GDPR will be enforced against U.S. companies. One of the key ways that it could be done is in order to comply with the GDPR, the United States has entered into what’s called “The Privacy Shield.” The privacy shield is this agreement, because a few years ago the U.S. was not considered to be safeguarding Europeans’ privacy enough, whereby a company can self-certify with the Department of Commerce that it meets the E.U.’s requirements.

As a component of participating in the privacy shield, you agree to arbitration. Arbitration, individual arbitration, is an adequate remedy, they believe, for enforcing the violation of privacy rights within the European Union. So, what happens is if you choose to opt into the privacy shield, you enter into this arbitration agreement. That arbitration agreement is enforceable across borders under a treaty which is called The New York Convention.

Ultimately, if you choose to comply with the GDPR, you may actually be setting yourself up to subject yourself to enforcement. So, there is a weird thing that I don’t think anyone is really paying much attention to. So, you almost get into this Hobson’s choice where you say, “Why should I comply? That’s a terrible idea, now it just gets enforced against me.”

So, it remains to be seen how in practicality this will play out, but that’s kind of the thing that I’m looking at right now, just from an analytical perspective: those are the areas that I believe will be areas of enforcement.

Andrew: It’s like if you’re in jail, giving bullets to the guy who’s guarding you when he doesn’t have any.

John: Yeah, right.

Can The E.U. Come After You?

Andrew: Interesting. So, it sounds like on the enforcement side, you know, assets in Europe are an issue if you are a bigger company and you, I’m guessing, you know, most seven maybe even, you know, I’m guessing even most eight-figure store owners listening to this as our core audience, are probably not gonna sign the privacy shield or have not, you know, and enter into that, enter into an arbitration agreement which makes them subject to actions by the E.U.

Outside of those things, let’s say someone, you know, they don’t have a lot of assets in the E.U. and they haven’t done that, and they’re stateside, is there any real risk that the E.U. could come after them and fine them, you know, levy a fine that could be enforceably collected?

John: The answer is, as a lawyer, I really don’t know. There are 100 ways where a European resident, or a European government, could potentially assert a claim within a U.S. court on the basis of a violation of European law. But this area of law is very complex. Typically, what it comes down to is an analysis of whether or not due process was allowed within, you know, equivalent standards of due process were allowed within the European Union, whether similar courts within the European Union would enforce the law in the same way that a U.S. court would.

So, there are a lot of hurdles to get from here to there. The likelihood of a small e-commerce store seeing, a small e-commerce store with no European presence, not a signatory to the privacy shield agreement, seeing enforcement within the United States is probably pretty low. What I think would happen is you would see that against Facebook, Google, maybe even Amazon, someone larger, before it would ever get down to the individual store owner.

Privacy Laws and Monitoring

Andrew: You talked about kind of some of the privacy laws already in place in Europe, which are a little bit stricter than the U.S. When they’ve rolled those out in the past, and when they’ve ruled out past privacy information laws like this, do you have a sense of how aggressively they’ve been monitored and enforced, either in the U.S. or the E.U.?

John: So, this is the key reason why the GDPR exists. In 1995, the European Union introduced the Data Protection Directive, which was far ahead of its time. It was really the first wide-reaching body of law that protected the rights of individuals when it comes to privacy and data protection rights. No one paid attention to it. No one cared. It was a directive, not a regulation, which means that, basically, the E.U. could issue a directive and then the member states have to implement it.

So, what that meant is that unlike a regulation which provides strict rules, the member states could choose to view the concepts of the directive, and then build their own statutes in the way that they believed met those goals. And they did that. Some had really kind of strict data protection law, like Germany, others had less strict.

So, what happened was that there was a kind of a patchwork of law within the European Union that made economic life difficult for a lot of people, and also no one really cared about it, especially the United States, we just kind of thumbed our noses at it and the European Union didn’t like that.

So, arising out of that, we got the GDPR. That’s why the penalties associated with the GDPR are as harsh as they are, because I believe that the European Union intends to use this as a way to rein in these American companies operating out of Silicon Valley that kind of thumb their nose at the E.U. Data Protection Directive.

And I think that the E.U. is now going to begin a more vigorous enforcement process, and I think we’ll probably start seeing that with companies like Facebook and Amazon.

Even Trolls Need To Watch Out

Andrew: Interesting. You had mentioned in, I mean, it was in one of the forum posts, that potentially, or maybe this was somebody else, that potentially, you could have trolls in the E.U. who could…not people who legitimately felt like they had their rights violated under the law, but people who are trying to either troll competitors or troll other people, could come after you in an aggressive manner. Can you talk a little bit more about, you know, how that could look, or potentially, how that would work?

John: Yeah. So, there’s really two ways, again, remedy-wise, it could be, if you’re a participant in the privacy shield, there’s a direct method of arbitration. So, that could be very painful for a company that has millions of users, or let’s just say, thousands of users.

If they’re not adequately keeping records, there are entrepreneurial attorneys who could see potential fees shifting within that arbitration as a way to make money, and so they could certainly identify companies that might be targets, and then file multiple arbitration proceedings against them based on the violation of rights of European citizens.

Now, outside of the arbitration proceeding, there are other ways as well you could certainly find attorneys filing suit. Europe’s a little bit different, though, so I think outside of the arbitration proceeding, we will not see as many trolls as we typically do in areas like copyright law, or trademark law, or even patent law, simply because European fee shifting laws are far different than the United States.

In the United States, everybody pays their own attorney’s fees, and unless there is a statute that shifts those fees in favor of a prevailing party, you’re gonna pay your attorney. In Europe, it’s actually a little bit different. In a lot of jurisdictions, fees shift where you have to pay the other party’s fees, you know, there’s a lot more risk for kind of specious litigation.

So, I think the way that people will troll is they will probably take advantage of the arbitration proceedings. I think that you may see some trolling with respect to record keeping requirements, so for example, not keeping record of consent, not keeping record of data processing. You may see some people who are using, for example, opt-out requirements to troll because people don’t opt out quickly enough, or they don’t fully opt out, or the data is not fully deleted.

But I think it will be far less than we’re typically used to, simply because of the way that the European legal structure is.

Andrew: Well, that’s nice. That’s the one encouraging piece of news in this whole discussion.

John: Right.

What Store Owners Should Realistically Do

Andrew: In terms of a, you know, kind of a reality check where we’re talking a lot of theoretical stuff, you know, and at the very top, talked about all the things that people are supposed to abide by in the law. A couple of weeks out, or even, you know, getting close to a week here on when it’s actually gonna be, enforcement’s gonna be potentially realistic, what are you seeing store owners and just clients do in general?

And I’ll kind of lead with this. I mean, I have chatted with half a dozen, you know, seven-figure store owners or larger, over the last, you know, the last week or two, and, I mean, to be frank, almost everyone, at least in the U.S., that I’ve chatted with, has taken a very laissez-faire attitude on this, maybe doing a thing here and there, but I’d say for the most part, just ignoring it. A couple of people didn’t even know what I was talking about.

So, it seems like on that front, you know, pragmatically, people just aren’t taking, you know, aren’t taking it seriously. There is even one company I chatted with who owned a business, business owner, who, you know, who had assets in the E.U., you know, a good-sized team. And even, you know, they were doing a few things, but definitely were not taking a, you know, not doing a full court press to try to get compliant on it. So, that’s kind of what I’ve seen. I’d be curious to know what you’ve seen as well.

John: I’ve seen the same thing. So, we have a wide client base. For example, we have a large private company where we are not handling the GDPR component of it, we only handle kind of a minimal role in their legal world. But I’ve talked to their general counsel on many occasions about it, and I asked, you know, “What are you guys doing?” and he said, “I don’t know. I think we’re getting there.” And that’s kind of the attitude for the companies that I have seen headquartered in the United States, but with offices in the European Union and elsewhere.

You know, larger companies with larger European presences are going to do more to comply. For example, we have a software company friend and client that has a primary office in Germany and then an office outside of the E.U. in Eastern Europe, and then one in the United States. They’re taking it very seriously.

So they’ve undertaken a big project to make sure that their U.S. operations are segmented from their European operations. If there are cross border data transfers, that they have contracts in place that are GDPR compliant. But the sense that I’m getting from them is that they’re not gonna be compliant by the drop-dead date either.

And then there are some of our clients who are just saying, “Well, who cares? I have no interest in this whatsoever.” I can tell you our law firm, we’re trying to be compliant, and frankly, I don’t think we’re gonna be compliant by the drop-dead date. I’m doing everything that I can to make sure that we are, because I feel like we need to practice what we preach, and also because I’m just kind of interested in seeing how difficult it is for us to do it ourselves.

And it’s pretty difficult, because we have tons of vendors. We’ve got a CRM vendor that isn’t interested, not even interested in the issue. So it’s not like I’m gonna have a contract with that CRM vendor and all of a sudden it’s gonna be GDPR compliant and I’m gonna be able to force them. You know, they tell me, “Whatever, we’re not thinking about it.”

And then, you know, obviously, we use other servers that we don’t have vendor agreements with that are compliant. And then the only area where we can really keep, or have some control over our compliance is in our own WordPress site. So, now I’m just working on the one thing in an attempt to comply, and I’m just hoping that that’s enough, but it’s a very difficult problem to solve.

Make An Effort To Comply

Andrew: Yeah, and I wonder too how far that would go. I mean, if worse, you know, push came to shove and unfortunately, somehow there was, they actually start going after people in the U.S. on this, or anyone in general. I mentioned early on, and again, this is all speculation so don’t, you know, don’t bet the farm on this by any means.

But I would imagine having an effort, if you could show in good faith that you made an effort to do your best on different aspects that were within your control or didn’t, you know, cost you more than what you had in the bank account of your company, I imagine that would, at a minimum, get you a little bit of good faith, or at least, a little bit of time to get into…I imagine that would be helpful in dealing with people who are coming after you.

John: Yeah, I think a lot of people hear about the penalties, which are really crazy, I think for a smaller entity it’s 10 million euro up to 2% of worldwide turnover, and then larger, it’s 20 million euro, up to 4%. Those are big penalties. But the thing that people often forget to mention, and lawyers love to scare people into hiring them to do things, is that those penalties are worst-case scenarios.

The GDPR has a kind of proportionate language built into it, where they will analyze those types of things. They will say, “How willful, how negligent were you in failing to comply?” If you were trying to comply, if you were doing the best that you could, I think that you would get some leeway there.

And really, what we’re kind of telling clients is now is a good time to rethink the way that you are handling personal data, and maybe it’s time to start implementing privacy by design practices within your business. I think if you made the choice now to do that and you moved forward with that perspective in mind, you would be in a much better position than 90% of the world.

Unintended Consequences for European Businesses

Andrew: What are your thoughts on unintended consequences here, maybe particularly for business in Europe? You know, one thing that we’ve talked about in the forum is people just saying like, “Hey, you know, I’m not gonna be compliant, little scared about this. I’m just gonna throw up a script that blocks all E.U. members from, you know, coming to my site and doing business with me, because they make up a very small percentage of my business.”

It will be interesting to see, and I’m sure it depends, too, on the level of enforcement coming out of the gates here, but it will be interesting to see if there’s an unintended backlash of services not going to Europe, pulling out from Europe, or, you know, companies not just setting up offices over there.

John: Yeah, I am very interested to see what will happen. Maybe they’ll just create another tech shelter and everybody will move back, I don’t know. It’s a weird situation, because, you know, Europe is really…So, I’m a Luxembourg citizen, so I’ve spent some time in Luxembourg, and I’ve also, I teach in the summer in Croatia, so I spend a lot of time talking to European residents about these issues. I actually teach about these issues in Europe.

There’s a sense of, well, why are we not capitalists anymore? And I certainly understand that perspective. I think what we’ll find is that there will be some sense of stability that will arise after some initial onslaught of the litigation, and eventually, we’ll get to a point where it’s very clear what the European Union member states require. As of right now, this looks like a pretty onerous law, so I can’t imagine it not having a massive economic effect.

John’s Enthusiasm for Complying

Andrew: And I have to ask, feel free to say, “No comment” on this, but the fact that you’re a Luxembourg citizen, does that tie in at all to your level of enthusiasm for being compliant?

John: No, actually I’m a Luxembourg citizen only because I had an opportunity to do it. So, when I saw like we had a lineage and then there was this window open because people fled the country, that’s why I said I’m gonna choose to do this.

My enthusiasm for complying with it is simply just like academic enthusiasm, that’s it. You know, it makes marketing hard. In our law practice, if I had to get people to opt into a legal newsletter, I don’t know how I would do that. It’s just like, who wants to read a legal newsletter? But we’re pushing information to people that is relevant and needed. A lot of times, they don’t really know that they need it until they have it, so I’m a little concerned that if we were fully compliant, that it would completely eliminate some markets for us.

So, yeah, I’m interested in compliance, but I, like I said, I think it’s from an academic perspective. I’m very concerned about it from a real business perspective.

The Intent of the Law

Andrew: Yeah, and I kind of mentioned this at the top a little bit. If you boil it down to the intent behind the law, the intent is, if you really wanna sum it up in layman’s terms, it’s stop spamming people and, you know, abusing their information and contact details, right? Which I think both of us can get on board with. You know, I don’t spam people on my list, you don’t spam people on your list.

So at the root of it, it’s a great…you know, I like the idea and the philosophy behind it, but the level to which I think this bill is taking it, is just, it’s just bonkers, at least, especially for someone who’s trying to implement it with a small team.

John: Yeah. So, this is the example that I used. There was a recent change in Section 230 of the Communications Decency Act, which, I don’t know if you know anything about this, but Section 230 says that a service provider cannot be held liable for the content of its users. And the reason why the change occurred was because of sex trafficking, so there is a statute in place that was intended to stop that behavior.

Well, a result of that statute was that Craigslist shut down certain sections of its website, and a lot of the sections might have been really used by a lot of people, and that’s kind of what I’m wondering will happen with the GDPR, is like maybe you went a little too far and you’re gonna lose some functionality, and maybe there’ll be some pushback. A lot of times, industries self-regulate. For example, if you were doing spammy practices, Google’s gonna ding you.

They’re gonna…We have an incentive to make sure that Google doesn’t ding us because they rule the world.

So, I don’t know. It’ll be interesting to see whether there’s some pushback and whether there’s some movement towards private market regulation, or some sense of private market regulation. I kind of hope that the trade groups get together and they kind of figure out how they’re gonna respond to this thing.

A Plan of Action To Consider Taking

Andrew: You know, John, I’d love to walk through kind of a five-tiered approach to, if you’re in the U.S., outside the U.S., or maybe even in Europe, kind of a plan of action for compliance based on your risk tolerance, going from, you know, all the way to doing nothing, all the way to completely compliant.

So, using kind of high level broad strokes, again, we don’t have time to dig into all this, but might give people a sense of, you know, kind of just the rough actions that they could potentially take depending on where they wanna be. So, if it’s okay with you, I’m just gonna run through these, and then maybe get your thoughts on each one before we keep going. So, the first one is the riskiest, and it’s the one that we’re calling “GDPR What?” and it’s just to simply ignore the bill, which is what’s happening a lot.

Of course, you know, it’s the riskiest. You’re technically breaking the law, especially if you’re in the E.U., and you have a chance of being fined. That’s kind of the riskiest one, but again, one that is not uncommon out there. So, any thoughts on that approach before we go to number two here?

Cases For Non-Compliance?

John: If you’re going to accept the approach, what I would do is, I hope you’re under seven figures. That would be my answer. And also within the United States, and have no European Union office. But I think, obviously, it’s a very risky approach.

The Brexit Approach

Andrew: The second approach is called “The Brexit” approach, so, simply stop emailing and serving all of your E.U. members. I kind of alluded to that earlier in the conversation, John, but there are tools out there where you can just block E.U. members from accessing your site. You know, you can do that. And the second part of that too, would be to get into your email list, this is pretty important, and get a sub-segment of all of your E.U. members, the members of the E.U. who you have contact details for.

And you need to either, at least the way I understand it, by the deadline, you need to get consent, re-consent for you to continue to email them, or you have to delete their information.

So, set up an engagement campaign, you know, let them know like, “Hey, are you still interested in hearing from me?” Get that consent, be able to record proof of that consent, and for the people you do, great, if not, then delete them from your database and kind of just take a no E.U. approach going forward.

John: Yeah, so this is a very safe approach. The other thing that I would recommend if this is the approach that somebody is going to take, is to change your Terms of Use agreement to allow access to your website only to members outside, excuse me, users outside of the European Union.

So, I think this is a relatively safe approach, but again, it’s a business risk, obviously, because you want European money. But yeah, as far as safety is concerned, I think it’s a good idea.

The Broad Strokes Approach

Andrew: The third one is called “The Broad Strokes,” and the idea here is to focus on email consent, and, you know, some of the biggest parts of the law. We’ll link up to the E.U., the official website, and they have a ‘Key Changes’ page where, of course, the official law is monstrous like any law, but this page kind of boils it down to the key things. If it’s on the key changes page of the official website, these are probably the things that would be great to focus on.

I think one of the big ones would be email consent at number one, so scrub your list for contacts like we talked about, or get them to re-opt in. Stop adding your E.U. visitors to your general marketing list when they purchase from you or when they opt in to a lead magnet. So, make sure you’ve got a real clear consent there.

And in terms of emails to think about, communication to think about, you need to be thinking about lead magnets, if you’ve got a discount that pops up for, you know, incentivizing people to join a newsletter, thinking about cart abandonment emails, you know, if somebody goes and starts to check out but they don’t finish but you have their email.

I don’t think you can contact them under GDPR unless people opt in somehow, opt in to purchase on newsletters when people are buying, those kind of things.

So, thinking about those things, making it very easy for people to revoke consent and unsubscribe from all your emails, update your policy privacies, excuse me, your privacy policies, to be GDPR compliant. And there’s a pretty cool…Shopify has a good policy generator that is, I believe, thinks, you know, thinks through all of the terms of the new law as well. I’ll link up to that in the show notes.

And then one I didn’t include on here is, you mentioned record keeping kind of earlier, would you include that on this one, John?

John: Yeah, I would. There are a lot of really interesting plugins. I don’t know if there’s a Shopify plug-in yet, but there is a really good WordPress plugin. So, if you’re running off of WordPress like I have, there is a consent/recordkeeping plugin that will actually time and date stamp the consent, and allow you to look back. So yeah, I think that could be added easily in the broad strokes category.

Andrew: Do you know what that one is called?

John: I don’t, but I can send it to you for the show notes.

Andrew: Okay, we’ll try to get that linked up, so, very cool. Anything else on that before we go to the fourth approach there, John?

John: No, I think that’s a…If you are going to try to comply but not kill yourself, that would be the approach that I would take.

The Better Than 99% Approach

Andrew: Nice. Number four, I’m calling “The better than 99% of people” approach. And this would be everything that we talked about before with kind of basic record keeping and also with kind of your consent emails, thinking about how you’re emailing people, plus a few other aspects in terms of your internal policies. So, this would be set up internal policies.

This could just be an internal SOP, or a process, or a checklist for how you would, a) Transfer someone’s data to a different provider, b) A process for how you’d scrap all of their data from your system, so think through, “Hey, where do we store all the data?” We store in our, you know, in Shopify, we store it in, you know, in Klaviyo, we have it in our ERP. Here’s all the systems we need to go through in a process for deleting them out.

A checklist or some kind of documentation on the fact that you did the legwork to make sure that all of your contractors and SaaS providers were GDPR compliant, or at least as many as possible as you could have, and then use something like Cookiebot to be able to, when people come to your site, I believe, correct me if I’m wrong, John, but under the new law, they have to opt in to all of your cookies.

So, everything from like a Facebook cookie, a Google Analytics cookie, all this kind of stuff, and you have to be able to tell them what the cookies are for. Have something like Cookiebot manage that for you, so it pops up and you’re compliant there.

John: Yeah, that’s right. And also, privacy policy needs to properly disclose whether you’re using session or persistent cookies as well, which I think a lot of people kind of ignore, they just randomly say cookies. But the E.U. is really concerned about persistent cookies more so than session cookies, so I would look at that too.

There are also, I don’t know if your listeners know this, but there are services out there that will sell you these compliance contracts. It’s worth looking at. I’ve looked at some of them, and I purchased some of them just to see what other people are doing. For a very reasonable price, you can get some of these internal policy documents and you can comply a lot more than you would otherwise.

Andrew: Oh, so you mean like a policy for how you would scrap someone’s data from your system, is that what you mean?

John: Yeah, and also policies for transfer of personal data as well.

Andrew: I see, got it. So, on the cookie front, is it…in the E.U., do you have to opt in to all the cookies? Because I was a little confused on…I thought that was the case, but then you know you have to disclose them and sometimes there’s a whole, the cookies will pop up, but you can approve consent by actually just closing the window as opposed to, you know, or by continuing to use the website. Do you know if officially to comply, you actually have to click “I accept all of these cookies”? Which just sounds like something no one is gonna do.

John: Well, it’s a really good question. The standard for consent is that it must be given freely, specifically. It has to be informed, it has to be unambiguous. So, whatever that means, is the answer. I think the E.U. would say to click the “I agree” box, but I don’t know that that’s a reasonable interpretation of informed and unambiguous, so I think it’s a spectrum of risk.

If I was complying, I would kind of do what I can to make sure it’s informed and kind of specifically identified, but I wouldn’t go out of my way to add an “I agree” box for a cookie. We know how cookies work, though maybe the regulators don’t, I don’t know.

The Sell Your Kidney Approach

Andrew: And then the fifth approach, this is the one I’m calling “Sell your kidney” approach. This would be, you know, if you wanna hire a consultant or a lawyer to make sure you’re 100% compliant. Of course, you know, you’re gonna need some funds for this one. So, do you have an idea, just roughly, John, I don’t know if it’s kind of a huge guessing game, but let’s just say you’ve got a retailer in the U.S. doing five million sales, they got a team of 10 people.

Do you have any idea in terms of just raw cost and also hours, like ballpark, where you would put full compliance on this?

John: I don’t. I can tell you what we’re doing, and let me preface it by saying what we’re doing is highly disclaimed, because we don’t truly know what compliance looks like without actually seeing what enforcement looks like. So, what we’re telling clients is we can try to help you comply with the regulation as we know it today but that may change, so if you wanna give us money, that’s fine, but just know that we may be coming back to you saying that the advice that we previously gave you is no longer correct.

So, what we’re doing is we’re charging clients a flat fee of $800 for assessments. So, we go in and we collect information, we have them kind of provide us their vendor list, etc., and then we perform an assessment and then we provide costs and other points of data that could be used for compliance, and then we give them a quote. But the problem is like it depends on the number of vendors, it depends on the complexity of the transfers, it depends on whether, you know, there are multiple offices.

So, if you’re a seven-figure store, I would probably expect to spend $2,500, somewhere in there. But that’s what I’m doing. I don’t know what other people are doing. I think if you went to a larger firm, you could spend $10,000, $20,000.

Andrew: Do you think you could get full compliance with the law for 2,500 bucks?

John: I think you can get full compliance from the legal perspective, but we can’t change your software for you. So, if there are fundamental problems with the way that you’re collecting and storing data, I can’t do anything about that. You would have to change your business model.

Andrew: So that would strictly be on kind of the legal side in terms of privacy policy, maybe an audit. But if you had to make changes to the way you collected leads, scrapping your database, thinking through all the systems, record keeping, none of that would be included?

John: Yeah, that’s a business problem. We understand how to do that, and we can provide recommendations on ways to do the things that you want to do in a manner that would be compliant, but at the end of the day, that’s really more of a business choice than it is a legal issue.

Andrew: Got it, okay. Great. Well, John, this has been awesome, having someone who knows way more about this than I do to be able to talk through some of these.

John: I don’t know, you know a lot. The intro was pretty good.

Andrew: No, thank you. I think you dove into this a lot deeper than I have, and, you know, it will be… I think just in terms of some closing thoughts, I think it will be interesting to see how this happens. I mean, we’re coming up on this deadline, and whether the E.U. comes out swinging really hard out the gates, obviously probably the biggest targets are gonna be the bigger firms, but whether or not that trickles down to smaller firms over time, especially in the E.U., some of the implications for expanding into the E.U.

Yeah, it will be interesting to watch over the next year.

More Resources on GDPR

A couple of resources, additional ones, I’ll link up to if you wanna do more of a deep dive on this. Of course, all of the ones we’ve mentioned so far, but there’s a great Amy Porterfield episode on this topic that I’ll link up to as a podcast. There was another lawyer on that podcast that had a training, and it sounded like he was pretty comprehensive on GDPR, I’ll link up to that.

We had an interesting, really interesting discussion in the private community about this topic. Thank you, to everyone who contributed there. A lot of what I learned and kind of used to really kick-start this episode came from there, so to everyone who posted things there, I appreciate that.

The New York University School of Law actually had a really interesting white paper, it’s called “A Primer for U.S. Based Organizations That Handle E.U. Personal Data.” It was the most legitimate thing I could find that I could feel like I could recommend that wasn’t just a, you know, a 1,000-word blog post on it, for U.S.-based companies trying to gauge their liability. So, I’ll link up to that. We’ll link up to the full text of the GDPR, and then, of course, John over at Revision Legal.

John, you had some stuff, it wasn’t maybe specifically about U.S.-based companies like the article I mentioned, but you had a blog post or two that was really well done about this topic as well. We’ll link up to them.

And then, of course, if you wanna talk to someone from the legal side, John obviously knows his stuff. John, you kind of mentioned you’re not doing full court press stuff because it could change, but you’re definitely helping advise people on it at the moment, right?

John: We are, yes.

Andrew: Yeah, and that’s revisionlegal.com. So, John, any final thoughts on a pretty…I wonder what percentage of people stuck with us on this podcast, given how in the weeds we got on a pretty, you know, pretty deep law here.

John: I know. I’m always in the weeds, so I kind of appreciate that. So, I apologize to the listeners. But no, I don’t have any final thoughts. I think, do what you can, and we’ll see what happens. It’s gonna shake out pretty soon, so I doubt that any of your listeners will be in the first round of people who see enforcement, but I certainly will keep you informed about who is seeing that enforcement.

Andrew: Yeah, that sounds good. And hopefully, they’re not in the second or the third round either, but I guess time will tell. So, John, thanks so much for coming on.

John: Thank you.

Andrew: That’s gonna do it for this week’s episode, but if you enjoyed what you heard and are interested in getting plugged into a dynamic community of experienced store owners, check us out at ecommercefuel.com. eCommerceFuel is the private vetted community for ecommerce entrepreneurs, and what makes us different is that we really heavily vet everyone that is a member to make sure that they are a great fit, that they can add value to a broader community.

Everyone that joins has to be doing at least a quarter of a million dollars in sales via their store, and our average member does over seven figures in sales annually.

So, if you’d like to learn more, if that sounds interesting, you can learn more and apply for membership at ecommercefuel.com.

And also, I have to thank our two sponsors that make this show possible. Liquid Web, if you’re on WooCommerce, or you’re thinking about getting on to WooCommerce, Liquid Web is who you should have host your store, particularly with their managed WooCommerce hosting. It’s highly elastic and scalable. It’s got built-in tools to performance test your store, so you can be confident it’s gonna work well. And it’s built from the ground up for WooCommerce. You can learn more about their offering at ecommercefuel.com/liquidweb.

And finally, Klaviyo. For email marketing, they make email segmentation easy and powerful. They integrate with just about every cart out there, and help you build incredibly automated powerful segments that make you money on autopilot. You can check them out and get started for free at klaviyo.com.

Thanks so much for listening, and looking forward to seeing you again next Friday.


Post by Andrew Youderian