with Pamela Muldoon
In Part 2 of our riveting Email Compliance series (it’s true, we promise), Anne and Pamela talk about the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). Learn how to store, collect, and handle data securely, while following these important laws and avoiding liability #LIKEABOSS
Quick Concepts from Today’s Episode:
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
The GDPR sets out seven key principles:
Data must be: “
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers, including:
The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.
CCPA applies to you if your business:
Has a gross annual revenue of over $25 million;
Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
Derives 50% or more of their annual revenue from selling California residents’ personal information.
Referenced in this Episode
Direct links to things we brought up
Pamela Muldoon’s Website
BadAss Editing by Carl Bahner
Recorded on ipDTL
>> It’s time to take your business to the next level, the BOSS level! These are the premier business owner strategies and successes being utilized by the industry’s top talent today. Rock your business like a BOSS, a VO BOSS. Now let’s welcome your host Anne Ganguzza.
Anne: Hey everyone. Welcome to the VO BOSS podcast. I’m your host, Anne Ganguzza, along with my CAN-SPAM Pam [laughs] special guest host Pamela Muldoon. Hey Pamela, how are you?
Pamela: Oh my goodness, Anne.
Anne: CAN-SPAM Pam.
Anne: I say this, BOSSes, because if you did not listen to our previous episode, we talked all about compliance and the CAN-SPAM – I can say that three times fast – the CAN-SPAM Act, which was set forth to ensure that all emails are sent within a certain set of guidelines and rules to avoid spamming and all sorts of stuff like that.
Pamela: And I’m a rule follower, Anne, so I’ll take that as a title compliment today.
Anne: CAN-SPAM Pam.
Pamela: That doesn’t mean you can spam me. Just so you know. [laughs]
Anne: That’s right, that’s right, you cannot spam Pam, but it’s CAN-SPAM Act Pam [laughs] Muldoon.
Pamela: Thank goodness we’re going to use different letters and different [laughs] acronyms.
Anne: I’m glad that you actually brought that up. So compliance is a huge issue. I remember a couple of years ago a whole bunch of stuff coming out about GDPR. So I think that we should probably discuss GDPR as well, Pam, and maybe a compliance part two to the series, because I think it’s something as BOSSes and entrepreneurs, we need to be aware of these things. So GDPR came out I believe in 2018, right, Pam?
Pamela: 2018, yeah, it did. Yep. And I think what we’re going to talk about today has more to do with data privacy. What was great about the CAN-SPAM Act is it gave you a specific set of guidelines that are very actionable and very doable. When we start talking about these other compliance laws that have gone into effect around the world, it really is a response to data breaches and the privacy concerns that have become even part of our culture and just hot topics over the past years as well.
Anne: I think in 2018, when GDPR, which by the way stands for General Data Protection Regulation, came out for the EU, other places started looking at those and adopting those policies as well.
Pamela: Yeah, they definitely took the lead, and it’s all designed for protection of information, and so we’ll touch on some probably key highlights and key points of GDPR. We’re not here again to [laughs] put the fear in anyone. It’s just, there’s a very specific subset or group of folks that are listening to VO BOSS that this will affect more than others.
Anne: I think here, number one, the most important thing that as BOSSes you have to understand, when being concerned about data and data privacy, is to understand that when you have someone’s email address, that’s a piece of data. When you’ve built your buyer persona, and you understand, you have a first name, a last name, an email address, a location, could be all sorts of other things you have, you know, a record of what they’ve purchased, or if they’ve contacted you. All of that is personal data. So you have to ask a few questions I think in terms of understanding your data practices and where you may need to step it up in terms of compliance. So what personal data do you hold? This could be the data you have in your ESP. It could be the data you have in your CRM. It could be data you have in an Excel spreadsheet, right? And if you have that data, is it secure? Do you have that data on a Web server? Do you have it hosted somewhere, and wherever you have it, it has to be secure, probably encrypted would make me feel better about it, so that people can’t steal it. Like who has access to it besides yourself? And that includes people who might be hosting on the server, if they have admin privileges or data privileges to access the database there. And then who or where is it transferred, if you’re going to be downloading it, uploading it, if it’s going to be moved from server to server, and how long do you keep that data? All very, very important questions.
Pamela: And these are especially, I mean when we talk about GDPR, we’re talking about the members of the European Union, right? You could be listening from the EU, right, and you’re marketing to each other [laughs] within it, or you could be listening here in the United States, and you market to somebody in the EU, right? This is why this is so critical.
Anne: I’m glad – you reeled me in on that one. I do want to say it’s important you understand what it is that you have. If it’s not applying to you right now and maybe it’s just applying to – not in the United States yet, I guarantee you that if there were a data breach, possibly on a server, or people got information – I have websites where people have passwords, and they log in. If there’s a data breach, there’s a certain amount of responsibility that you have. Especially if you’re selling services on your website, you might potentially have people’s data. I know that I always make sure the data that I have is either hosted on another server that takes that responsibility, or if people are paying me and using a credit card, that sort of thing, it’s hosted by another server like PayPal or Stripe, or that sort of thing. But understand that if you have a Web server that maintains, even a WordPress server that maintains email information and/or credit card information, that’s important for you to know. If you don’t know, find out. [laughs]
Anne: Make sure that you’re not going to be responsible for it if there’s a breach on that server.
Pamela: Just like you know last time, when we talked about CAN-SPAM, we talked about that opt-in. This has been a theme for us, I think, is the importance of the opt-in. But with something like GDPR, it becomes even more important that you can provide the consent record. So again, because it’s data, to your point, Anne, right, your email address for example is data. You know, people forget, [laughs] “did I, did I opt into this,” for whatever reason. Again you know, and you have touched on this, I think, how can an average VO BOSS, owner, entrepreneur stay on top of this? Be aware of what’s in your data. Just be aware of what’s in your database, who’s in it. I would encourage them to consider re-looking at their database a couple of times a year, just making sure they’re very aware of who is in it and how they opted in, and really understand, and of course the larger your database gets, the more complicated this can get, but if you are using a large database and really doing a lot around email marketing, more than likely you’re also working with a virtual assistant or somebody else who can help you kind of stay on top of these things as well.
Anne: Absolutely. And if you do have that data on, let’s say, a server, let’s say you’re using a CRM to keep a database of your potential clients and contacts, they should have a policy. You should make sure that you read that policy, understand where that data is being stored, and actually I would even question, if it’s not written somewhere in the fine print on the server, ask where’s that information being stored, is it on that server, and how is it being protected security wise? Is it encrypted? Are those servers safe from being, I don’t know, hacked? This is something that we have all been through like, Target’s servers were hacked what, not so long ago, and people’s data was compromised. I just had something the other day, a thing that you don’t want to see, that trusted source that all of a sudden had a data breach. You don’t want that to be you. And so I know what it feels like when, gosh, my Target account just got compromised or whatever it is, or your credit card account got compromised.
Pamela: When they mention a brand, you’re like oh that could oo – now I have to pay attention. [laughs]
Anne: Exactly. So pay attention to where your data – and don’t just blindly say, well, I purchased this package, and this is what I’m doing. Make sure you know how they’re handling the security of the data, and if they’re keeping it, how they’re keeping it, if it was encrypted. Back when I worked for the school, it was a policy I had to adhere to. I had to actually create a report every year about where was the data being held, and was it being encrypted, and where were they being stored, because we didn’t want to have people, you know, hacking into the server and getting passwords. Not that you’re likely to have password information so much, unless you have a service that you’re offering for your, you know, clients to log in, but if you do, make sure that that’s encrypted, and if that’s hosted on a Web server, make sure that that Web server is either, they don’t store those passwords on that same server, or that server is behind a firewall, or something like that. It’s just good to know.
Pamela: Well, and we have been talking mainly about, you know, your data being housed on say an ESP or something that holds your email address, but I think it’s a good opportunity to also remind folks of the importance of CRM in terms of this as well, which is that, you know, the relationship management software, right, your customer relationship management software. And so there’s a number of discussions on any [laughs] in any given moment out there on the inter-webs on these things. But again, doing this versus an Excel sheet, I want you as a VO BOSS to think about this, what’s more hackable, right? [laughs] Using something like a Nimble or a Voiceoverview, or these actual software services, that you can use, and those are for multiple reasons, but this alone could be one of those reasons you need to consider that. Right? Because again it’s not a third-party vendor that’s going through that, you know, compliance process as a company to ensure that the data is secure.
Anne: Yeah. It just makes me think, honestly, I just like brought up Tiktok, you know.
Anne: Is that data being sold? Is the data being compromised? It’s really something that if you’ve not thought about it, I need you guys to think about it. We need to be BOSSes and understand where your data is, and make sure it’s protected.
Pamela: And yeah, if you’re taking data from other people, you now are part of that chain [laughs] of command, right?
Anne: Absolutely. You could be liable. I also think it’s important, Pamela, to have a terms of service, or policies that are on your website, because we’re BOSSes, and we sell our services. And so I think it’s important for anybody that has a website, if they do not have a terms of service, that you consider putting a terms of service on your website, in regards to what you’re doing with data that people supply to you and/or email addresses. I know that on my pop-up on VO BOSS, I actually have a statement, a policy statement and a link to the entire written policy that I have on what’s done with the data. And so as long as you’ve made that clear – and it wasn’t that we needed to do that. There was no law mandating it, however since the GDPR came out, it was just something I did as a measure of knowing it was going to come [laughs] at some point.
Pamela: Right. And keep in mind, your website is out there for anyone in the EU to access. It just, it’s a great precautionary type move. If you’re working with a reputable web designer, this is a very common ask. Many of your web designers can help you at least today if they’re staying on top of this, they can definitely help you get it all set up appropriately as well.
Anne: The question is, well, what really is considered personal data? Under GDPR, pretty much everything. [laughs]
Anne: We’re talking first name, last name, your age, any Social Security number of course, email addresses, online identifiers, and location data. I’m sure – by the way, guys, if you’re not putting your location on your website, there are certain ways for location services to determine where you’re based in the world, which is how they trace a lot of addresses back to, you know, computers, because we all have IP addresses. And those IP addresses are trackable and traceable to two locations for the most part. Cookies, mobile device IDs, all of that’s considered to be personal data for GDPR consideration.
Pamela: And that’s why too, I mean think about this as a user, I don’t think you can go to too many websites today, and it tells you to accept the cookies, right, or it gives you those options. All of that’s because of these new laws that have gone into play. It’s just funny, I go to a lot of websites, any given week, and sometimes I’m like, I have to click on that darn thing again. Right? [laughs] But they’re doing it to make sure you know and understand that when you come to this site, they’ll either say yes, we do this, and you can just leave the site, or they’ll give you that option, I accept, and you click I accept, or you click out of it, and it won’t cookie you. You’re probably seeing that. You’re just not even aware that’s part of a result of GDPR and also the California act that’s recently been put into place as well.
Anne: Oh yes, we should definitely talk about the California act as well. Let’s do so. [laughs] What’s the California act, Pam? [laughs]
Pamela: The California act. So it was about a year after GDPR, I want to say 2019 somewhere. Probably it’s been around for about a year now. And this is the California Consumer Privacy Act, CCPA. This one has got some similarities to GDPR. I think at the end of the day, it’s all about the intent, right? The intent of both of these is to ensure data is protected, that you have more say in how your data is being used or at least being notified in how it’s being used, right? [laughs] So I don’t want to again scare too many people, but the intentions here are very positive and moving in a direction that I don’t think we’re surprised to see. This one is specifically for California, not for any other state currently.
Anne: I think we have to think of these rules and regulations and compliance acts as something that’s there to protect us, not necessarily to delve into our private, personal data. It’s to protect our private and personal data.
Pamela: It is. And of course, think about this from California’s perspective. Where are most of the very large tech companies? [laughs]
Anne: Yeah, absolutely.
Pamela: Facebook, Google, you know all the – and they’re in the news for this stuff all the time, so this was a real driver for California to take the lead, and you know, kind of be a forward I guess innovator of compliance, if there’s such a thing. But I think the parameters around what the CCPA is important to point out, because they’re pretty big parameters. I mean, we as VO BOSSes for the most part may not even have an issue here. It’s just again if you’re marketing to folks that are in California, which we know there are quite a few folks here that are. You just want to be aware of this. I don’t know, Anne, if you want to just talk about the three, I guess, parameters or thresholds for who applies for CCPA. One threshold is your annual gross revenue is in excess of $25 million. So if that’s you, call me. [laughs]
Pamela: So. [laughs]
Anne: Or if you annually buy, receive, sell, or share for commercial purposes, personal information of 50,000 or more California residents, households, or devices.
Pamela: Yes, so that would apply to like a Google or Facebook for sure, right?
Anne: Now here’s one where I think it’s very possible: or if you derive 50% or more of your annual revenues from selling California residents’ personal information. We should talk about personal information, because the personal information under CCPA is a little bit more extensive than GDPR. Right now of course it could be identifiable information like phone number, email address, Social Security number, all that. But it also goes beyond, to include such information as biometric, geolocation, and that’s, you know, IP addresses. That’s something that we don’t think about, but as I just mentioned, every computer, your computer on the Internet, has its own IP address. And Google has long done geolocation for your IP address, which is, you can kind of figure out that’s how they do Google maps. They figure out where your location is, and also professional and employment data. You’re talking about a lot of information. [laughs]
Pamela: For sure, yeah. And again, there’s some similarities to GDPR in terms of intent. As you get into the real deep details, it might just differ a little bit. Bottom line is if you’re covered for GDPR, more than likely, you’re covered for CCPA. [laughs]
Anne: And like I said, it is, you know, putting a policy, you know a terms of service and a policy on your website, if you’re collecting email addresses or collecting information like that, it’s not a big deal. There’s lots of templates out there. I took mine from a template that’s out there. You can just Google search it for, you know, terms of service template, compliance template, you know, whatever it is, you search for, there’s lots of templates you can use and just modify to work for your website and your business. And I think putting on your website, and possibly if you have a terms of service for your email compliance, or your ESP, usually the ESPs can have you – they have templates already there that you can use for GDPR compliance. I’ve seen that through my own ActiveCampaign account. When it first came out, it was like super simple, where it was like you can add in your compliance here. And it just will automatically generate it for you.
Pamela: And I think something to remember as well, you know, Anne, you mentioned, this is to protect us, and I think this is just going to become a norm, not just, you know, California. It’s going to be something we’re going to see more than likely as additional states recognize the need for this, because it’s a big question, right? Especially these big social media sites and the sites that really house a lot of our data: what are they doing with it? How do we make sure we’re safe, how do we ensure that there isn’t a breach? You know, all of those questions. So we’re just a small part of that, but whatever we can do to stay compliant and just be on top of it, it’s very important.
Anne: Good stuff. I just, I remember, Pamela, when I started doing advertising on social media, the amount of targeting that you can do on Facebook alone, if you ever wonder, how much data is collected in some of these social media platforms –
Anne: – and then of course, you know, we don’t even need to go into what happened to that data on Facebook, because I think we know, or maybe we don’t know the extent of it, but we know that that was something that was a big, huge deal not so long ago. What was Facebook doing with our data? But when you created an ad on any of these platforms, because they all model themselves after Facebook, the amount of information was incredible. I mean, age, demographics, salary, job, previous job location. I mean, it was insane, how much you could really target –
Pamela: You could hone in on location in a way that you never could before.
Pamela: You know, I’ve been saying this for a number of years, as a marketer, it’s truly phenomenal. As a human, it’s very scary. [laughs]
Pamela: I have this constant angel, devil on my shoulder as a marketing professional. [laughs]
Anne: Absolutely. Because you know – and I know that we complain about ads on social media. And the funny thing is, it’s like that devil’s advocate. Well, you can complain about ads on Facebook, but yet you might be the person that needs to do them, to use them in order to sell your services. So as people and as businesses, it’s kind of the double-edged sword. It’s nice to be able to have that information, to be able to target and actually talk about developing your persona, your buyer persona. It helps in doing that.
Anne: That’s where you can get some of your information.
Pamela: Very much so. Even as a consumer, there have been quite a few things I’ve purchased via a Facebook ad for example, because my interest was in that.
Anne: Oh yeah.
Pamela: It was. So even from a recipient standpoint, I like to also think of it as, sometimes I don’t have to go scouring the web for information. It literally is coming into my feed.
Anne: It knows.
Pamela: Right? [laughs]
Anne: The best is where, I was just talking to you about it, and all of a sudden, an ad showed up. Well how did that happen?
Pamela: Right. Those microphones, they’re alive and kicking.
Anne: They sure are. So yeah, guys. Understand your personal data, you know, what it is, what personal data you might be collecting for your potential clients, what you’re doing with it, and be compliant. Know your compliance laws.
Pamela: Yes. Just be a good student, and you’ll end up being a great business owner, for sure.
Anne: Good topic. We could go on forever.
Pamela: It is. It’s a big one.
Anne: A big topic.
Pamela: It’s a big one.
Anne: But yes. All right, well, BOSSes, be compliant. [laughs] Be BOSSes, be compliant. Know your compliance rules. Big shout-out to our sponsor, ipDTL. We love ipDTL. It lets me and Pamela connect every week to tell you all sorts of good stuff about being compliant.
Anne: And all sorts of other stuff to come. So you guys have a great week, and we’ll see you next week.
Pamela: Bye now.
>> Join us next week for another edition of VO BOSS with your host, Anne Ganguzza, and take your business to the next level. Sign up for our mailing list at voboss.com and receive exclusive content, industry revolutionizing tips and strategies, and new ways to rock your business like a BOSS. Redistribution with permission. Coast-to-coast connectivity via ipDTL.
Anne: What am I going to call you this time?
Pamela: I don’t know, what other word is there?
Anne: My Spammy Pammy.
Anne: My Spammy –
Pamela: Oh my God, if you do that, I won’t recover. I promise –
Anne: My Pam Spam, my Pam Spam Muldoon.
Anne: With my host, with my cohost –
Pamela: My CAN-SPAM –
Anne: My Can Pam Spam.
Pamela: Oh my God.
Anne: Okay. [laughs]
Pamela: Gerry is probably really lucky he’s not there.
Anne: Okay, here we go. Okay. I might do that. Okay.
Pamela: Okay, I’m ready.