A NAB Show webinar series
Cindy Zuelsdorf: Hi everybody, welcome. I’m Cindy Zuelsdorf with NAB Show Exhibitors Webinar and Kokoro Marketing. Today, we’re here with David Fowler from Act-On Software. Hey, David!
David Fowler: Morning, how are you?
Cindy Zuelsdorf: I’m good, thanks for being with us today.
David Fowler: Sure.
Cindy Zuelsdorf: We are looking at GDPR, and let’s get right into it. Tell us what GDPR stands for and the key points we should know about?
David Fowler: Sure. It’s great to be here today, thank you for your time. The GDPR is the General Data Protection Regulations. Really, in a nutshell, it’s a complete rewrite of the digital legislation landscape within the European Union.
The last time that was done was 20 years ago, so it’s a massive overhaul of the current digital regulations that nurture the entire digital channel within the European Union.
Cindy Zuelsdorf: Wow. We have a mix of companies here on the call. Some are based in North America, some in Europe, South America, Asia, really all over the place. Does it matter where you’re located concerning GDPR?
David Fowler: No, it does not. If you have any European data in your database, then you will be required to adhere to the GDPR regulation. For example, Act-On Software, the company I work for, we have 500 clients over there, and we have customers that have European data subjects in their files, so we have to comply as well.
Cindy Zuelsdorf: Got you. Now, most of us are going to be at the NAB Show in April in Las Vegas, we were just talking about the great drive down through the desert to that Show. How does it affect trade shows? You’ve got someone walking in your booth, they hand you a business card, use the scanner, maybe you’ve got some other way of lead gathering. What happens next and how does that matter in terms of GDPR?
David Fowler: There’s two things that you have to consider. First of all is the data that you already own in your database today, and then it’s the addition of data that you’re going to acquire through the trade show or other events.
One of the obligations of the data controller under GDPR is if, so if you own the data essentially you control the data so you’d be the data controller, is to ensure that you have consent and can prove consent on all the records that you have come May the 26th. If you don’t have consent or can’t prove it then essentially at the very bare bones minimum, you are not in compliance.
There are two things you need to think about. First of all is you need to think about your existing databases and how you have acquired consent over the years, where that data sits. You need to do an analysis of what you have, where it is, how old is it, do you really need it? Those types of events or those types of activities.
Then obviously when you start to think about growing your database at shows etc, you have to find a way to obviously obtain affirmative consent within a booth. For example one of the things that we’re doing, Act-On, is essentially we do the same thing. We go to European shows; we collect data on European individuals.
One of the things we’re doing is basically having signup forms, electronic signup forms in our booth, so when someone visits our booth we can have a signup, we can have documentation that someone gave consent, a certain period of time, and for what specific reason. That may be different for different verticals, but the reality is, is that at the end of the day if you can’t prove consent, then you’re not in compliance.
Cindy Zuelsdorf: That sounds like … I mean, sometimes I’ll be at a show and I’ll see a person on the aisle, just like, “Hey, can I scan your badge? Hey, can I scan your badge? Hey, would you like this cool pen?” Kind of an interchange or exchange happening. Have you seen that and what do you think?
David Fowler: I think what the GDPR does is it basically sort of molds you into better thinking of how you digitally acquire consent. The chances of everyone walking in your booth in Vegas being from the European Union is pretty low I would imagine, right? What you will end up with is a database of non-European Union subjects and potentially European Union subjects. Again, it’s one of those things where the letter of the law states one thing, but in practicality speaking it’s a different scenario.
Again, trying to be able to provide consent in a sort of non-consent way is going to be somewhat difficult for a lot of people to get their arms around initially. What you will begin to see, and this is something that I think is long overdue, is you’ll start to get contractual language in your event documentation that allows for you to jump on that individual as they walk past your booth, knowing the fact that they’ve agreed to opt-in to certain types of data.
What the GDPR does is it basically forces down the consent chain, meaning everyone’s sort of on the hook now for good ombudsman from a consent perspective.
Cindy Zuelsdorf: Right.
David Fowler: One of the things that GDPR is requiring of you to do is have third-party data agreements in place with your vendors, so in the trade show example, if I was running the trade show, knowing that I’d have a European audience attending, one of the line items in that documentation would be something about along the lines of opting-in to emails or digital messaging, so you’ll begin to see those things happen I think.
Cindy Zuelsdorf: I see, and we can let Nick, if you want to speak to it at the end, I see when a person signs up to come to NAB Show, there are some tick boxes that let them select some various things, but it’s quite simple language.
David Fowler: Right.
Cindy Zuelsdorf: David, I wanted to circle back to your comment about the audience of NAB Show and so yes, while a substantial number of the folks at the Show are from North America, we do have a lot of European visitors at that Show. Can I say, I can see on this call we’ve got some companies based in the UK and other as well.
A lot of us on this call, I recognize so many people, I’ve seen at IBC, at the Amsterdam Show.
David Fowler: Got it.
Cindy Zuelsdorf: A chunk of us, while we’re at NAB Show, will all meet up in September at the RAI and do the IBC Show as well, so everything you’re saying is super relevant to us here on this call. We’re just finishing up with ISE in Amsterdam, and BVE in the UK, and other shows as well.
David Fowler: Right, I mean, it’s a very hot topic now because as I said, it’s the biggest re-write of the digital law. In fact, right now in Europe there isn’t a one law fits all for all countries. It’s a directive, it’s a misunderstanding or an understanding of a directive that’s applied to local laws in country level.
Come June 1st when GDPR goes live, you’ll have one law that is applied to every country within the European Union. Obviously, that will be in place also within the UK until the Brexit occurs, and when that occurs we’ll have to go down that road as well.
There are 99 articles in the law; there are 11 chapters, there are 173 recitals. If you haven’t read it, you have two options, read the GDPR or watch paint dry. I mean I would go with option B, right? Because the reality is it’s just a massive piece of legislation.
The good thing is, and I think for all of us who are in the market space, is that it allows us now to think about getting consent in a way that is communicated appropriately to the end user.
I think in the U.S., over here we operate in an opt-out world, right? Where we don’t necessarily have to get consent before we start to market to folks, and that’s a complete reversal of pretty much the rest of the planet. For a U.S. marketer like myself who has a very large portion of my business in the European Union, it’s really getting us to rethink a few of these things as it relates to onboarding clients, reaching out, et cetera.
Because again, one of the things that GDPR is that as the recipient of the individual you can tell the marketer what you’re willing to accept from them so you can actually say, “Yes, I’ll accept an email but I don’t want you to call me or send me something in the letter.” Right? Profiling and being able to manage your user experience in a more in-depth way is certainly in play now.
Cindy Zuelsdorf: Does that mean that companies need to be able to set up preference centers and that type of thing that talk about communication and that sort of thing?
David Fowler: Yes.
Cindy Zuelsdorf: Could you touch on that a little bit?
David Fowler: Yeah, absolutely. Really, what you end up, you’re beginning to see this, I mean I’ve seen … You mentioned you have some folks on the phone from the UK. You’re beginning to see this in advertising about re-opting into preference centers, being able to say, “Hey, send me … I’d like to have some jeans, but I don’t necessarily want tennis shoes.” Or, “I’m not interested in coats, but I’ll take the bicycle email,” for example, right?
That’s obviously, I’m sort of drilling that down, but the point being is, you will be able to see now the adoption of more in-depth, B to C retention-based strategies in an acquisition world.
That’s kind of a different kind of play, but the point being is the vehicle for that is certainly going to be the preference center, right? Something to think about. Another thing you can’t do in a GDPR is have any kind of pre-checked consent boxes.
Cindy Zuelsdorf: Right.
David Fowler: The days having something pre-checked are going to be over. You can’t do that either. Again, because that’s kind of opting-out and not opting-in.
Cindy Zuelsdorf: Right. Some of the language I’ve seen, and it could have been in one of your articles. Fallon just popped a link to one of your recent articles on GDPR on the chat here. I saw wording around implicit opt-in and explicit opt-in. That wording really kind of explains it. Maybe just touch on that a little bit, because you see that wording.
David Fowler: Sure, so there’s different levels of consent, right? Explicit consent is, “I’m opting-in for this webinar, and that’s all I really want.” Right?
Cindy Zuelsdorf: Yeah.
David Fowler: Implicit meaning, “I’m kind of maybe a little bit interested in the webinar, but I really want the Y Paper.” Right? As a marketer, you’re going to want to get explicit consent based on your activity. Meaning, double opt-in, which you’ll have to be required to get a double opt-in in the EU anyway.
Also, being able to communicate to the individual that, “You are signing up for this. You will receive this, and the frequency will be in this particular manner.” As explicitly as you possibly can get. Then it takes off the table any misconception from the individual about signing up for certain things.
When you think about we as marketers, we put our marketing hats on, right? We think about the low hanging fruit of consent, sorry, the low hanging fruit of compliance is consent, right? If you have someone who complains about you, it’s easy for a data protection authority to actually track that consent mechanism and say, “Hey, Cindy. Can I see the opt-in form?”
If you don’t have it, then that opens up a massive conversation that you don’t necessarily want to have with the data protection authority. It will be those things that trigger activity, in my opinion, within the data protection organizations around the European Union.
We saw that here in the U.S. and we saw it in Canada, right? When CAN-SPAM over here and CASL in the north. It’s easy to track consent. It’s easy to track the management of consent, and it’s also easy to request documentation. Low hanging fruit, and those are the things that I think are really going to trip marketers up at some point.
Cindy Zuelsdorf: Got you. Now talking about consent, a lot of us on this call, we have databases that go back 5, 10, even 20 years that could have originated from a Rolodex of some business cards or we’ve got some salespeople with some Excel spreadsheets that they’re keeping for themselves that maybe aren’t in the company’s CRM.
David Fowler: Yeah.
Cindy Zuelsdorf: I’m sure no one on this call has that.
David Fowler: Big deal.
Cindy Zuelsdorf: Yeah, I’ve just seen it once or twice.
David Fowler: Right.
Cindy Zuelsdorf: What do we do with that? It’s like I’ve got this database of people I met from Sky and Fox and BBC from 15 years ago.
David Fowler: Right, right.
Cindy Zuelsdorf: What to do?
David Fowler: “Do you really need it?” is the question, I guess under GDPR, right? Under GDPR, you have to have consent on every piece of data you have.
Cindy Zuelsdorf: Okay.
David Fowler: Data inventory would be a really good place to start, right? What do you have? Where is it? Who has access to it? How old is it? Then you need to make a decision. I think a lot of marketers are struggling with this right now in terms of, “Do I try to re-permission my database now, or do I wait until March, April, May time?” That really is up to …
I mean, I have companies that are doing it now, and I have companies that are going to wait right until the last minute because if you re-permission your database, what’s going to happen, right? You’re going to lose a massive chunk of it. That’s a massive, massive asset that you may or may not be required or be prepared to lose.
The other thing you could think about is maybe trying to have re-engagement campaigns on the data that you own. We talk about this in email a lot. Meaning, “I have this list, it’s a year old, what can I do with it? Can I mail to it?”
The reality is is that yes you can, but the longer that or the older that data is, the less likely it is that they’re going to actually engage with your brand. You may get three, four, five percent of your data back, but at the end of the day, you’re going to lose a large chunk of it.
That’s something that, especially if you’re doing co-branded marketing with other companies, right? If you’re doing multifaceted marketing, they are also on the hook for compliance with your efforts as well.
As I said earlier about the consent being pushed downstream, you’re going to have to have contracts in place with your vendors that will agree to compliance in the GDPR based on whatever relationship you may have with them as well. Find out where your data is, do the analysis on your database.
Again, if you’ve got some wild west spreadsheets flying around, find out where they are, bring them back into the fold and put some policies in place that, “Hey, it’s okay to market, but we’ve got to put a framework around this a little bit more than we currently have.” Because again, low hanging fruit of compliance are things that the rogue sales rep is going to reach out, and if you can’t prove consent then you’re not in a good spot.
Cindy Zuelsdorf: Does that mean that rogue sales rep who has his or her Excel spreadsheet that they’re hanging on to, can they just go ahead and email them, one-off emails? Does that apply to this or is it really just applying to marketing emails?
David Fowler: Essentially, it’s applying … There’s been some conversation around, “Is this B to B or B to C focused?” Right? The reality is, it’s both, right? What I said earlier when we kicked off the call, the spirit of the law versus actually what’s going to happen, and we saw this in the U.S. right? In the U.S., we had CAN-SPAM that went into effect in 2004. You had the Federal Trade Commission in 2006 define certain facets under CAN-SPAM. Things like a PO Box is a physical address, right?
You’ll start to see guidance that comes out after these activities occur within the data protection authorities at the European level. If you feel you can roll the dice on a B to B versus a B to C email or B to C database, then that’s really your call, right? Some companies will make that decision.
I will forward it to you after this call a thread that I responded to, a client of mine yesterday, and you can share it with the group. The point being is that you’re right. I mean, it’s a gray area, right? Laws aren’t always black and white, there’s a lot of gray in them. You don’t want to be the company that takes it on the chin for the rest of us if indeed you make a decision base on a certain business policy.
By the way, the fines under GDPR are huge, right? There’s four percent of global turnover for a company or 20 million Euros, whatever’s the most amount. If you’ll Google, right, four percent of a gazillion dollars is a lot of money. Can you afford four percent of your business if you’re a $50 million business? I don’t know.
It’s just really interesting because it’s basically getting everyone to sort of think in a very structured way but yet, we all work in this digital channel, that’s great but the problem is, is what’s really going to happen that we don’t really know?
The big thing to think about, and not really wanting to depress anybody on the phone here but the GDPR is interesting, but what’s really going to be interesting is going to be what’s called the e-Privacy Directive. That’s the sort of, that’s the cousin to GDPR. If that goes live in January of 2019, that’s a complete rewrite of the Cookie Law.
Cindy Zuelsdorf: For folks that have a database, most of us have databases where we’ve got people in there, and we don’t know what country that person resides in. Is there a suggested plan of attack around that?
David Fowler: Well, I mean mostly our RAM databases have maybe some triggers where you could do a cross-reference lookup as to where they may be geo located, etc. Again, sooner than later if you’re going to do a re-engagement campaign, “Hey, update your profile.” There’s nothing wrong with sending out an informational email or informational outreach, say, “Look, we’re trying to figure out our database, Fill in the blank if you’d like to or not.” Right?
Consent is interesting. It’s once you get it, as a marketer, we tend to not necessarily abuse it, but we have to be at a point now where we set the appropriate expectation around frequency, volume, outreach and all these other things that we don’t necessarily really think too much about over here.
I think one of the things that we’re doing on our forms is maybe putting some geo information on the signup. We’re looking for things that could trigger certain countries of origin or other types of datasets that may give us some insight. If we don’t have that, then I think we’re just going to shelve it. That’s just a business decision that we’ve made, right?
Cindy Zuelsdorf: Yeah, right.
David Fowler: It’s sort of buyer beware when it comes to certainly data acquisition, and certainly rental of data. Those two markets should be dried up relatively quickly within the European Union after GDPR goes live.
Cindy Zuelsdorf: Yeah, so a lot of trade shows do list rental through the leads gathering company, so third party lead gathering company will say, “Hey, I’ll send out this email on your behalf.” Am I responsible now for their practices? I don’t know who’s on their list.
David Fowler: Yes, you are.
Cindy Zuelsdorf: Yeah. Important for all of us on this call to know because that is a big practice in the broadcast and media industry.
David Fowler: Right. Act-On is primarily a marketing automation platform that allows organizations to essentially build lead nurturing campaigns on certain datasets, right? We are clearly in that orbit. The thing that we’re thinking about, and obviously in this country, renting or acquiring data from a third party is not illegal. It’s not a best practice, but it’s certainly not illegal.
Cindy Zuelsdorf: Right.
David Fowler: We saw when CASL went live in Canada, that just as our businesses practices we just said, “Look, we’re not going to do any kind of data acquisition through third parties for Canadian recipients because we just can’t trust the sources.”
Cindy Zuelsdorf: Yeah.
David Fowler: Right? If you have a vendor who can’t show you the consent mechanism that they have on a list, then my advice to you would be buyer beware, right?
Cindy Zuelsdorf: Got you.
David Fowler: Again, it forces compliance down within the industry as well, so I think we’ll see a lot more of that going on.
Cindy Zuelsdorf: Yeah. This is awesome. We’ve got a lot of questions, or a few questions anyway coming in through the chat. I think we’ll just go ahead and have a little transition into QA if that’s okay with you, David.
David Fowler: Sure.
Cindy Zuelsdorf: All right. One of the questions ties right into what you were talking about and just maybe underscores your point a little bit. How often should you ask for re-consent? Is there a benchmark on what that should be?
David Fowler: I think a lot depends on what your program is going to do and what your achievement is or your benchmark, right? I mean, best practices would state that once you engage, you onboard a recipient, you have their attention, right? It’s a really good thing to start to set that expectation around, “Hey, Cindy, thanks for signing up. I’m going to communicate with you every week or once a month,” or whatever the case may be.
It will give you the power to set the expectation in your shop as opposed to me telling you what I’m going to do for you. Regaining consent would be certainly an indication of engagement from that user. If that’s a three-month decision you make or six-month decision you make, there’s no, I don’t think there’s any formula for any particular organization, but you should try that.
Because again, an engaged client is going to be a repeat customer, right? The ROI on that engaged customer is going to be far more than it would be if you haven’t set the appropriate expectation right from the start of the digital relationship.
Cindy Zuelsdorf: That makes sense, that makes sense. This is something we’re all thinking about. A little tangent off here is what happens with targeted advertising like remarketing or targeting ads like Facebook, all that type of advertising. How does that tie into GDPR?
David Fowler: That’s going to be more of an e-Privacy Directive kind of initiative, right? Where retargeting of electronic ads, etc., is all based on cookie consent, all right? The right to be forgotten, those types of concepts or the right for data portability, those types of concepts, I think it’s going to be a battle royal in the market once the e-Privacy Directive is either aggressively passed or actually goes live because that has a massive impact on the whole ecosystem.
I don’t really have a concrete answer to that question, but I think we’ll definitely see a lot more of those things coming along. That clearly is on target for the browser market and other types of verticals that have a stake in the digital channel that really aren’t talking about their particular position yet.
David Fowler: It is a subset of GDPR, essentially.
Cindy Zuelsdorf: Okay.
David Fowler: There is some commentary around that. Any European website you visit, you should see a disclaimer around accepting cookies for functionality purposes, right? When that actually went live, there was some countries that said, “Yeah, that looks great, we’ll adopt it.” Some countries said, “Screw it. We’re not going to do it.” Depending what sites you go to, you either see that disclaimer or you won’t, right?
When the e-Privacy Directive goes live, every website will have some form of that and will have to adopt that mechanism. It also will be deeper because it will track you and you’ll have to gain consent as you’re being tracked, right? Let’s say you look at the shoes on a Nordstrom website, you go to Tesco’s, and all of a sudden the shoe ad pops up, right?
The question is if I present that ad on the Tesco website, have I got consent to do that? That’s really where I think there’s going to be a lot of gray area. That will definitely get tested out.
Cindy Zuelsdorf: Yeah. I was listening to the Reply All podcast because it’s just pretty fun, and they got into a whole thing about does Facebook, does Instagram listen to us, and are ads popping up based on audio? Which was so fascinating. Of course, as I understand it, that’s denied by Facebook.
Yet, I’ve had that experience myself even yesterday where something popped up when we were pondering, “We said that out loud, but we didn’t do anything else. Was there some geo location, was there some anything else we did to indicate that?” That ad popped up in a minute. It was crazy.
David Fowler: Yep, yep.
Cindy Zuelsdorf: All right. Let’s look back to some other questions right here. For folks who have questions, just shoot them into the box here. David and I will stay on for a few more minutes. We want to be sure to take care of everything you have.
You can see that Fallon’s putting into the chat box links to a checklist, a GDPR checklist that David has on his website, his company’s website, as well as his most recent article, so you guys can all go to that. We can include these links on the replays as well so you’ll have access to those as well. All right.
David Fowler: If I could say, Cindy, as I said earlier, this is a very complex piece of legislation, so I would encourage anyone on the call to seek a legal opinion on their obligations and certainly not listen to me, because I can’t give you legal advice. At the end of the day, when these things get ironed out, it will get ironed out in the court of law in the European Union. That will drive a lot more additional sort of information and guidance and that kind of thing.
As we are based in the UK, we are using the Information Commissioner’s Office, the ICO, as our data protection authority of record, and basing our preparation on some of the advice and guidance that they’ve given to date. They’ve got a lot of information available and I just saw the link in the chat box.
I would encourage anyone to go there and certainly do some diligence and do some homework there because they have a lot of stuff they talk about. It’s the closer you are to managing consent, to managing consumer data, the more risk you have under GDPR, in my opinion.
Cindy Zuelsdorf: Now, does it matter the size? As we look at the callers here, we’ve got all different size companies. How does that affect some of the responsibilities and the DPO stuff that you and I talked about last week? Does that matter on the company size?
David Fowler: You’ll have certain obligations if you have over a certain amount of employees, then you’ll be required to have a DPO protection officer on staff. I believe that number is 250 and above. The hottest job right now in the European Union is outsourcing data protection. If you do a Google search, you’ll be inundated with job offers for that.
Again, it’s just common sense, right? We don’t want to abuse this great channel, that’s our livelihood. At the same time our customers have the right, should have the right to manage their user experience. When you think about data and privacy from a European’s perspective, it’s built into the framework of the European Union.
It’s essentially saying it’s in the Bill of Rights of the European Union that you have a right to privacy. That is a very deep and wide initiative that people get very sensitive about in the European Union. Maybe not so much in the U.S., but certainly over there. That’s really where this whole thing, the genesis of this whole thing’s coming from.
I think I would much rather be a bit inconvenienced in terms of my marketing obligations, but ensure that I have a client that’s going to re-engage with me on multiple occasions because I onboarded them correctly when they came in, as opposed to have someone engage me once and then leave, right? I’d rather have a repeat buyer four, five times a year if I’ve set that expectation out of the gate than once, than one and done.
Cindy Zuelsdorf: I like your approach. It makes sense and it really helps, all the information you’ve given us today. If you were to give somebody … I know it’s such a big piece of legislation, but if you were to give those of us on this call one or two pieces of like, “What should I do first? The first two things I should do?” What would that be?
David Fowler: Well, drink heavily initially. I think because we’re in a data business, find out what you have, where it sits, how old is it, do you really need it anymore? Right? If I have all these data points on Cindy and I only use your phone number, why am I, have all these other sort of subsets about you?
Because again, it’s one thing if you make cars, it’s another thing if I’m managing your data. It’s going to the individual’s data that drives a complaint or inquiry as opposed to the wheel on an Oldsmobile. I think definitely do the data analysis is really key. If you do one thing today, that’s really what you need to do.
Cindy Zuelsdorf: Nice. Thank you David Fowler, so appreciate it. We’ll be thinking of you as you give your keynote in Athens coming up, that’s amazing. You’re amazing to take time to be with our group today here at NAB Show. Nick, do you have anything you wanted to bring in, or I think we will wrap it up.
Nick: Yeah, just do a quick note on that. As David, I know you mentioned, we do have a lot of demographic and geo data, When attendees and exhibitors are both at a NAB Show. We are working with our legal staff to obtain the proper consent by the May deadline for GDPR… which conveniently is after the NAB Show.
David Fowler: Better late than never.
Nick: Yes, so thank you both. Again, to Fallon, if you’re still on the line, if you could just pop in my email for folks, if you have any exhibitor questions, any logistics questions about the Show, I’m more than happy to help.
Cindy Zuelsdorf: All right. With that, have a beautiful day everybody and thank you.
Helpful links mentioned in the webinar:
Act-On GDPR Hub Page – includes GDPR checklist:
UK Information Commissioners Office (ICO):
David Fowler’s Latest Article on GDPR: