With GDPR set to go into force next month, promising sweeping changes to Europe’s privacy laws, organizations are shifting their compliance efforts into top gear.
According to a recent PwC survey, more than half of US multinationals identify GDPR as a top priority — with 77% planning to spend $1 million or more on compliance.
Many businesses, compliant with North American laws, including CASL in Canada and CAN-SPAM in the US, may feel they’re prepared. But as Microsoft President Brad Smith recently told the Financial Post, if you have customers or employees in the EU — even if you know nothing about the EU — GDPR matters to you.
There are critical differences companies need to understand — or they could put themselves at risk. Here’s a comparison between CAN-SPAM, CASL and GDPR, and what the new rules could mean for your business.
Where privacy laws overlap
GDPR, CASL and CAN-SPAM share core provisions to deal with spam and malicious messages. That includes measures to…
- Define impermissible electronic communications like spam
- Set standards on permissible communications, including:
  - Limits on who you can send messages to
  - Requirements for senders to clearly identify themselves
  - Requirements for clear unsubscribe, opt-out and/or opt-in mechanisms
- Set rules for acquiring and documenting recipient consent (opt-in vs. opt-out)
- Specify penalties for infraction, including fines and a private right of action (PRA)
The key differences: data processing and consent
Each privacy law differs, however, on scope and rigor.
CAN-SPAM, for example, was groundbreaking when first passed in 2003. But its rules, focused on “King” email spammers, have since become antiquated. Mockingly called “You-Can-Spam”, the law has also been criticized as too lenient by many commentators.
In contrast, CASL, in force since 2014, is one of the toughest anti-spam laws in the world, according to Deloitte. Unlike CAN-SPAM, it uses tough “opt-in” consent rules giving consumers far greater say over what messages they receive. It also addresses new electronic threats, such as malware and spyware, not accounted for in CAN-SPAM.
Set to go into effect on May 25, 2018, GDPR represents the next step up. The regulation is intended to extend a “single set of rules” across the EU and tackle privacy challenges highlighted by the Equifax hack and Cambridge Analytica scandal.
GDPR shares CASL’s tough opt-in consent rules, with key differences that include heftier penalties (up to 20 million Euros or 4% of a company’s annual global revenue) and stronger consent requirements.
Under GDPR, consent for sending messages must be “freely given, specific, informed and unambiguous.” And similar consent rules apply to how you “process” personal data. (In Canada, data privacy is governed by a separate piece of legislation, PIPEDA.)
GDPR will apply to all companies handling the personal data of people in the EU, regardless of the company’s location.
Each time you gather consent from someone, you will therefore need to do the following:
- Obtain consent just before you send an email
- Obtain it again each time you want to contact a person for a different product or campaign
- Include the identity of your company
- Include a clear, plain-language explanation of how you will use (i.e., “process”) their data
- Include any further explanation of whom you will share their data with
In addition, under GDPR, persons gain several rights with regard to their data, including the right to be made aware of those rights when their consent is gathered. These rights include:
- The right to withdraw consent
- The right to be forgotten
- The right to see and correct their personal data
- The right to object to processing
In summary, when doing business in the EU or with EU companies, it’s critical to keep the following in mind:
- First, you must have explicit prior consent before sending any unsolicited direct marketing by email. Every email you send, from simple newsletters to drip campaigns, must comply with the law.
- Second, your outreach campaigns will need tick boxes, signatures or “click here” buttons (all acceptable mechanisms) with clear and specific supporting text. (Pre-ticked consent boxes are out.)
- Third, you’ll need to make sure persons can easily withdraw consent and have their data erased (i.e., exercise their “right to be forgotten”).
- Finally, you’ll also need rock-solid processes for documenting and verifying consent, including archived evidence of consent such as emails, screen prints, call recordings and signed documents.
Exceptions to explicit consent
Given GDPR’s complexity, it can be risky and time-consuming to rely on overt consent for data processing. Gathering explicit consent may seem a safe default option, but it may place you in a legal “catch-22”.
Thankfully, like CASL, GDPR provides a few reasonable exceptions that can serve as your first choice. For example, you can process a person’s data without explicit consent when it is…
- in compliance with a legal obligation
- in the person’s vital interest
- a legitimate interest of your own
- what’s known as a “public task”
The bottom line
With GDPR going into effect next month, businesses in North America need to get informed — whether they’ve got employees in the EU, plan to market to EU consumers or handle personal information collected in the EU.