Invasion of [Internet] Privacy: Your Website, GDPR, and Privacy Policies

What is GDPR, why is everyone updating their privacy policy, and what does it mean for your business? Here's an easy overview.

Privacy is the hot topic. It's in the news and in your inbox. Everyone is sending their updated privacy policy (and it's kind of getting annoying). GDPR is about to take effect and people aren't sure whether they should panic. Mark Zuckerberg testified in front of the Senate because Facebook makes money on our data via targeted ads. There's a divisive album out called Invasion of Privacy. Are all these things related?

Let’s stick to the issues that matter for us and our clients:


What is GDPR?

Why is everyone updating their privacy policy?

What does it mean for your business?

Disclaimer: This post is not intended as legal advice, but as a top-level summary of website user privacy and GDPR from a marketing perspective. For complete information about GDPR, see

Be Careful [With My Data]

Here’s what happened:

The EU set out to formally protect citizens' personal data, and as it turns out, it's not a bad idea. The GDPR (General Data Protection Regulation) sets rules for how companies collect, store, use and share personal data, and what rights the people that data describes have over it.

That's a noble pursuit, to be sure. However, it means that companies have to rethink how they collect and share data, and how they approach advertising. It means companies need to be transparent about what they collect and how they use it, and in many cases (cookies used for tracking, marketing email) it means users have to give explicit permission before a company can use their data.

The GDPR applies to any company that offers products or services to people in the EU, or monitors their behaviour, regardless of where the company itself is located. Since websites collect and store visitors' data (analytics, cookies, form submissions), a site with visitors in the EU can fall within its scope even if the business has no European office.

With great power comes great responsibility.

...So, what exactly is our responsibility?

GDPR in a Nutshell

EU users are afforded extra rights over their personal data through the GDPR.

  • A business must have a lawful basis to process their data. Lawful bases include:
      • The user opted in (consented) to their data being used for a purpose they clearly understand.
      • The business has a legitimate interest in the processing (for example an existing customer relationship) that is not overridden by the user's own rights and interests.
      • The processing is necessary to fulfil a contract with the user or to meet a legal obligation.
  • Where consent is the basis, it must be freely given, specific, informed and unambiguous (no pre-ticked boxes), and the user can withdraw it at any time.
  • A business may keep personal data only as long as it is needed for the stated purpose. It must define retention periods after which records are deleted or anonymised, unless it has a fresh lawful basis for keeping them.
  • If you are collecting and using data from people in the EU, your business and privacy policies must be compliant by May 25th, 2018.

[The Compliant Life is the] Best Life

HubSpot is building tools to address these concerns for the websites they host. The goal is to make it easier for businesses to be GDPR compliant.

IMO, having a marketing automation tool like HubSpot is already useful in proving lawful basis of data processing because it tracks website users’ points of contact and history with your website, showing either legitimate interest, or not.

Their updated tools include:

  • Expanded manual and automated contact properties to record the lawful basis for processing each contact, with the property history serving as the audit trail.
  • Consent tracking tools to ensure consent is collected with proper notice, including updated subscription preferences and cookie-consent messages.
  • A GDPR-compliant permanent delete function that allows HubSpot admins to erase a contact's personal data.
  • Access and portability tools, so you can show what data you hold on a user and why, and export or correct it when the user requests it.
  • Enhanced security measures to protect your users' data.

Businesses with customers or website visitors in Europe should update their privacy policy. The email notices you are receiving are from companies and organizations that do business with EU residents. While we plan on updating our policy by May 25th to include a clause for EU residents, the main points in our privacy policy won't change: we don't sell, trade, or otherwise transfer your data to any outside parties; we do use cookies to offer a better site experience; and we only send communications to users who have subscribed or requested them.

We have also made sure that our policy is clear and transparent. Any company should try to do the same. In the wake of Facebook's Cambridge Analytica data-misuse scandal, regaining customers' trust is essential, and that trust should be warranted. A number of privacy and consumer rights agencies have urged Facebook and other big tech companies sitting on massive amounts of our data to apply GDPR standards globally. Until the GDPR regulations apply to everyone, it isn't such a bad idea to adopt them as a standard to aim for. If not to preserve business integrity, at least to avoid the penalty: fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher.

Companies like Google and YouTube are making sweeping policy changes, such as restricting how third-party advertisers can use their data and content, and, of course, updating their privacy policies as well.

Are you prepared? Make sure your privacy policy is adjusted, and that your website asks for the appropriate level of consent.
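"Asks for the appropriate level of consent" is mostly a front-end problem: the site must not set tracking cookies or load analytics and ad scripts until the visitor has opted in, must record what was agreed to and when, and must honour withdrawal. The following is an added example written for this post, not HubSpot's code and not something from the original page. The policy version string, the two purposes, the storage key and the script URLs are all assumptions for illustration; storage and script loading are injected so the same logic runs in Node and, in a browser, with `window.localStorage` and a real `<script>` injector.

```javascript
// Added example (not HubSpot's or the author's code): gate third-party
// tracking scripts behind recorded, per-purpose consent.

const POLICY_VERSION = "2018-05-25"; // assumed: bump whenever the policy text changes
const PURPOSES = ["analytics", "marketing"]; // assumed purposes for this site
const STORAGE_KEY = "privacy-consent"; // assumed storage key

function createConsentManager(storage, loadScript, now = () => Date.now()) {
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null || raw === undefined) return null;
    try {
      return JSON.parse(raw);
    } catch (e) {
      return null; // a corrupt record is treated as "no consent"
    }
  }

  // Consent counts only if it was given for the current policy version and
  // the specific purpose was explicitly set to true (silence is not consent).
  function hasConsent(purpose) {
    const rec = read();
    return rec !== null && rec.version === POLICY_VERSION &&
      rec.purposes !== undefined && rec.purposes[purpose] === true;
  }

  // Record the user's choice with timestamp and policy version: this is the
  // audit trail you need to show when and to what the user agreed.
  function record(choices) {
    const purposes = {};
    for (const p of PURPOSES) purposes[p] = choices[p] === true;
    const rec = { version: POLICY_VERSION, timestamp: now(), purposes };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Withdrawal must be as easy as giving consent.
  function withdraw() {
    storage.removeItem(STORAGE_KEY);
  }

  // Load a tracker only when its purpose has consent; returns whether it loaded.
  function loadIfConsented(purpose, url) {
    if (!hasConsent(purpose)) return false;
    loadScript(url);
    return true;
  }

  return { read, hasConsent, record, withdraw, loadIfConsented };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk through the lifecycle with constructed inputs and return the outcomes.
function demo() {
  const loaded = [];
  const cm = createConsentManager(memoryStorage(), (url) => loaded.push(url),
    () => 1527206400000); // fixed clock: 2018-05-25T00:00:00Z
  const beforeChoice = cm.loadIfConsented("analytics", "https://analytics.example/a.js");
  cm.record({ analytics: true }); // user ticked analytics only
  const analytics = cm.loadIfConsented("analytics", "https://analytics.example/a.js");
  const marketing = cm.loadIfConsented("marketing", "https://ads.example/m.js");
  cm.withdraw(); // user changes their mind
  const afterWithdraw = cm.hasConsent("analytics");
  return { beforeChoice, analytics, marketing, afterWithdraw, loaded };
}

console.log(demo());
```

Two design points matter more than the code: consent is tied to a policy version, so re-publishing your privacy policy automatically invalidates old consent and the banner comes back; and unlisted purposes default to false, so a bug or a pre-ticked box cannot turn into implied consent.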

Wondering what should go in your privacy policy, how to protect your users’ data, and how to be GDPR compliant?

Watch our free webinar, a step-by-step guide to privacy regulations for companies with EU customers, and how to ensure compliance with the new regulations through your business and marketing efforts. Ongoing optimization is how we handle an industry that’s constantly changing (and we love it). Security and privacy go hand-in-hand with an ethical marketing strategy, building a secure website, and implementing SEO that responsibly monitors traffic and other audience engagement.

We can help you implement online marketing best practices, regardless of where your customers reside.

Let’s get started with a strategy!