GDPR Article 6: What You Need to Know
If you do any kind of online marketing in the United States, chances are you comply with CAN-SPAM. Under CAN-SPAM, an email sender is not required to have opted-in (though we still highly encourage it for a variety of reasons). Instead, either affirmative consent is required or an easy to use unsubscribe mechanism must be provided. The European Union has a new privacy law that also addresses this issue. The new law is known as the General Data Protection Regulation and it will become effective on May 25, 2018.
Don’t brush this off if you’re not based in the EU. This will affect anyone targeting customers in the EU. For example, if you have an online store, maybe you’ve translated your website into a European language like French, to capture some market share in France. Thus, you’re likely regulated by the GDPR.There are many important provisions of the law to be aware of, but we’re going to focus on Article 6. The GDPR does not necessarily require an opt-in to send an email, rather it relies on the concept of the lawfulness of processing—Article 6—for guidance. For our American readers, GDPR is a comprehensive privacy law that encompasses the concepts found in the American CAN-SPAM law.
Article 6 of GDPR will affect your business in a big way. This article covers the concept of the lawfulness of processing. What does that mean? Processing the personal data of your customers/prospects (e.g., email address) is only lawful under certain circumstances that are laid out in Article 6, as follows:
a. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c. Processing is necessary for compliance with a legal obligation to which the controller is subject;
d. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What do I need to know?
There are three sub-sections of Article 6 that will be most relevant to Infusionsoft users: a, b, and f.
Sub-section (a)—processing on the basis of the consent of the individual—is very specific and inflexible. Did you get your prospects email because they signed up for your newsletter? If so, the data subject (prospect) has given consent to process data (email address) in order to receive your newsletter. But was the consent documented in a way that you can demonstrate to regulators that it meets all the requirements for consent that are laid out in Article 7? Was the consent “freely given, specific, informed and unambiguous” as is described in Article 4? There’s plenty of pitfalls here, and these requirements are somewhat subjective. Other aspects of Article 6 may provide more legal certainty with respect to the legal grounds for processing personal data.
Sub-section (b) will be very important for Infusionsoft users (more on that later). Did you get the email address because someone bought something from your site? If so, you, as the site owner, needs to process the email address and home address in order to complete the contract—i.e., delivering the product.
Sub-section (f)—processing on the basis of the pursuit of a legitimate interest—offers a more fluid set of possibilities, though it also requires further explanation. First, you have to understand the definition of legitimate interests. An EU court case defined it with a three-part test:
- Identify the legitimate interest (this is broad): For example, your interest in selling your good or services (although this is a rather permissive interpretation of what a “legitimate interest” can represent)
- The need to process personal data for the purpose of pursuing the legitimate interest: An email needs to be sent to announce a sale. We can’t pursue our legitimate interest without processing the personal data.
- Privacy rights of the individual can’t outweigh the legitimate interest being pursued (this is critical): The individual’s right to privacy must not be outweighed by the legitimate interest pursued
This where you, the Infusionsoft user, should focus your attention. If you are offering anything on your site, whether a physical product you mail to the buyer, a consultation, or a membership, you need to read on.
Making any kind of purchase from you constitutes a contract. That doesn’t mean you can send them anything you want, but you do have the ability to process their data as necessary in order to fulfill the promise you made to your customer in the “contract.” You’ll need to, of course, communicate with them and to deliver what they requested from you.
Learn more about GDPR and how it may affect you as an Infusionsoft user. All posts on GDPR are meant to be informational only and should not be used as legal advice.
Subscribe to our newsletter
Fresh small business insights and ideas delivered weekly to your inbox, gratis.