The General Data Protection Regulation ( GDPR ) is a new set of data protection laws put into place by the European Commission, governing the way that private personal data is secured & handled by businesses everywhere.
That’s right… Everywhere. You don’t have to be based in Europe to be subject to these new laws. So if you’re based in the EU or have customers based in the EU, we’re here to help you prepare!
What Does This Mean for My Business?
Since it is currently unclear as to how strictly these laws will be enforced, it’s a good idea to be on the right side of the law when they go into effect. No one wants to be made an example of!
Which means there’s two main things you’ll want to be ready for on May 25th, 2018:
1. You’re going to need to gain explicit consent from any EU customer in order to capture their email address or other contact data. “Explicit Consent” means adding an opt-in checkbox anywhere on your site where customers enter their email address, and being clear & forthcoming about how you plan on using the data.
2. You need to be able to prove clearly & affirmatively that consent was given by retaining information on:
- Who consented
- When they consented
- What they were told at the time of consent
- How they consented (check box, social media ads, etc)
- Whether consent has been withdrawn.
And while we don’t think this is going to be quite as scary as it sounds right now, there are some things you should be aware of as a business owner before writing these new laws off.
- As mentioned above, the long arm of the EU law can reach you anywhere, if you have customers in Europe & you don’t adhere to these laws.
- Both your business & your email provider can be held liable for mistakes. So we’re taking steps to help our customers implement new practices both for their sakes… and ours!
- The fines for breaking these laws can go up to $2M or 4% of annual global turnover.
What Does This Mean for CartStack Users?
Don’t worry, CartStack will be fully compliant with GDPR by the regulation start date. Here’s how it will look after May 25th…
If you are located in the EU:
Moving forward, you will need to gain explicit consent in order to capture user’s personal information (eg: email address). So you will need to add an opt-in checkbox for all forms on your site (which will need to include language about what type of emails the user may receive). Then our system will be able to capture the user’s opt-in before tracking and sending cart/browse abandonment reminders.
Since website visitors have to give explicit consent our system will probably capture a few less emails. However, since our pricing is based on results & email volume, you’ll pay less to use CartStack.
We’ll also be launching “web push notifications” soon, which will be a great way to offset decreases in email opt-ins.
If you are located in the US (or any other country outside of the EU):
Since GDPR relates to personal data of its citizens the new regulations will still affect you if you have website visitors/customers located in the EU.
So, with this in mind, CartStack users not in the EU have two choices:
- Follow the above EU updates, or
- You will be able to flip a switch to stop all tracking of EU visitors (based on geo-targeting).
What Should I Do Next?
At some point before May 25th, you’ll probably want to run a re-permission campaign through your email provider (Mailchimp, Drip, Infusionsoft, etc … not CartStack) with your current EU subscribers to ensure they still want to hear from you. Luckily, this won’t be an issue for CartStack users since, moving forward, shoppers will only receive emails from our system once they consent.
We will release more information in the coming months on how to stay compliant with your CartStack campaigns & we’re working hard to make sure CartStack is even more effective with these new regulations. We see this as a great opportunity to take things to the next level of visitor abandonment recovery!
For questions, please feel free to email us at firstname.lastname@example.org.
Please note, CartStack is providing this information for informational purposes only and should not be relied upon as legal advice. We encourage you to consult legal and other professional counsel to fully understand how GDPR applies to your organization and business activities.