New Orleans is a tourism haven. Folks from all edges of the Earth are lured to the magic of this city again and again. In 2016, we broke a tourism record hosting 10.45 million out-of-towners, and this year, with our tricentennial celebrations and the addition of Condor’s direct flights to Germany and over 130 European destinations to Armstrong Airport this summer, international tourism is only projected to increase. In fact, The New York Times named New Orleans the #1 travel destination of 2018.
Come May 25, every business in New Orleans that does business with Europeans, whether in the tourism space or beyond, will have to implement new systems to protect the data of EU citizens and comply with the new data privacy law, the General Data Protection Regulation (GDPR). With all of these tourists staying at hotels, using our online forms to find restaurants and get festival details, and signing up for newsletters, we can’t proceed with “business as usual” anymore. Choosing to do nothing could put your business at risk of being fined up to 4% of your organization’s global turnover or 20 million Euros (about $24.5 million), whichever is higher.
If you’re not freaking out yet, it’s okay, we’re freaking out for you.
WARNING: While this piece is focused on the hospitality industry, it would be unwise to think that those offering services that Europeans research or purchase from abroad are immune. For example:
- You sell and ship products (digital or physical) overseas from your site;
- You offer a medical procedure that draws attention and clients from around the world (such as plastic surgery, fertility, or reconstructive);
- You provide information via a newsletter that people beyond the US borders like to receive.
These are simple examples and by no means cover all scenarios, but if you are engaged in similar exchanges within other industries, then the following piece is worth a read. Better safe than sorry.
What is GDPR?
In a nutshell, the GDPR is a new European Union data privacy regulation that is designed to provide strong protections to the personal data of EU citizens. As individuals’ data has become more valuable to obtain and more harmful to have stolen, the EU has taken steps to make sure that their citizens are giving their personal data to reputable organizations and are aware of the exact intentions for the use of that data. So they have set new obligations and large penalties for noncompliance on every business inside the EU and on businesses outside the EU that collect or use EU citizen data.
Who is affected?
You may be saying to yourself that you’re off the hook here, but you’d be surprised. Depending on what your website is built on and what technology you use to process bookings, reservations or even just simple contact/contest forms, you need to evaluate your own processes as well as the third party providers that you use on your site. If a third party provider is not GDPR compliant, the fault rests on you. We had one such case here in New Orleans just last week.
Here’s a scenario to consider:
A couple from France makes their way to New Orleans for a weekend vacation. While they are in town they want to try out one of our incredibly well-reviewed restaurants for dinner. Le pair visit the restaurant’s website and proceed to book a reservation (which happens to use the third party reservation provider OpenTable).
You may be thinking that this all falls on OpenTable’s shoulders to be GDPR compliant, but you would be wrong. According to these new rules, you need to get your own house in order, and also assess whether the third party vendors through which you collect potential EU citizen information are compliant.
How do you do that? You ask them.
If you can’t find it via a Google search for something as simple as “OpenTable GDPR compliance”, then you ask them. We reached out to OpenTable (via Twitter) and asked them.
While I am happy to see they are on it, had we not asked, we would not know that they did have a plan.
Don’t assume that those with access to your contact/customer data are "on it". Ask them. Ask ALL of them. Your hotel reservation booking engine, your email provider, your marketing automation provider: take stock of every company that has access to your data and find out if they are working toward compliance.
Steps to Getting Compliant
Most resources for GDPR compliance, like this awesome resource provided by the UK Information Commissioner, have been created by those in the EU for those in the EU. But, we can glean a lot from their rules since so many of us will have to follow them. The key point that the GDPR hits on is the idea that our current user agreements exist with the philosophy of implied consent, which the EU believes abuses the rights of their citizens.
Depending on the sophistication of your marketing or web staff, you may not be able to limit your efforts to visitors from the EU. One thing to consider, especially now that scrutiny of access to personal data is at an all-time high: data protection looks good to all of your visitors. It shows that you are dedicated to transparency and user empowerment. Following and advertising your GDPR compliance could even attract new customers from the EU, and may also build trust with your existing clientele right here in The States.
Here are items to start with as you work toward GDPR compliance:
1) Privacy Policies
A lot of privacy policies are lengthy pages written in "legal-ese" that occupy individual pages on websites and are incredibly inaccessible to the vast majority of internet users.
2) Affirmative Cookie Notices
Cookies can no longer hide in the background of your site. You must advertise that you are using cookies and require your webpage users to accept their use.
3) Capturing and Storing Personal Data
Do you know every place your site captures personal data (contact forms, reservations, newsletter sign-ups, and so on)? Those capture points probably need to be changed.
4) Email Cleanup and Opt-ins
Any subscribers in your email database that were not collected according to the GDPR standards (i.e. did not give active consent) need to be removed or re-engaged with the option to give active consent to remain on your list. This re-permission email will act as your proof of consent for GDPR compliance.
5) Website Opt-In Forms
In order to be GDPR compliant, you will have to update your contact forms. Most standard forms have pre-ticked boxes for agreeing to privacy policies and signing up for future emails. That is not okay anymore. These boxes need to explicitly ask people to opt in to each separate item of consent. That means a different tick box for email subscribing, privacy agreement, newsletters, etc. The Information Commissioner's Office states that “People should not be forced to agree to all or nothing - they may want to consent to some things but not to others.”
In addition, you need to make sure that you have a clearly defined option for opting out once they have filled in the form.
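To make items 2, 4 and 5 concrete, here is an added example (written for this post, not code from any vendor or library) of how a small site could capture consent per purpose, let a visitor withdraw one purpose without touching the others, gate non-essential cookies on the analytics purpose, and sort an existing email list into "keep" and "re-permission" groups. The purpose ids, cookie names and subscriber data are constructed for illustration.

```javascript
// Added example (not from the post): granular consent capture, opt-out,
// cookie gating and email re-permission triage. All names are hypothetical
// and the sample data is constructed for illustration.

// Each purpose gets its own checkbox; none is ticked by default.
const CONSENT_PURPOSES = [
  { id: "privacy_policy", label: "I have read the privacy policy" },
  { id: "newsletter", label: "Send me the monthly newsletter" },
  { id: "marketing_email", label: "Email me offers and promotions" },
  { id: "analytics_cookies", label: "Allow analytics cookies" },
];

// Constructed cookie catalog: essential cookies need no consent; the rest are
// tied to a purpose and may only be set once that purpose has been granted.
const COOKIE_CATALOG = [
  { name: "session_id", essential: true },
  { name: "analytics_visitor", essential: false, purpose: "analytics_cookies" },
];

// Render one unchecked box per purpose (no "checked" attribute anywhere).
function renderConsentFields(purposes = CONSENT_PURPOSES) {
  return purposes
    .map((p) => `<label><input type="checkbox" name="consent_${p.id}" value="yes"> ${p.label}</label>`)
    .join("\n");
}

// Turn submitted form fields (name -> value) into a consent record. A purpose is
// granted only if its own box was ticked; a missing field means "no". The record
// keeps the wording shown, the answer and the time: that is your evidence of consent.
function buildConsentRecord(formData, { purposes = CONSENT_PURPOSES, now = new Date(), source = "website-form" } = {}) {
  const record = { source, recordedAt: now.toISOString(), purposes: {} };
  for (const p of purposes) {
    record.purposes[p.id] = { granted: formData[`consent_${p.id}`] === "yes", askedAs: p.label };
  }
  return record;
}

// Opt-out: withdrawing one purpose never touches the others, and the withdrawal
// is timestamped rather than deleted, so the history stays auditable.
function withdrawConsent(record, purposeId, now = new Date()) {
  if (!(purposeId in record.purposes)) throw new Error(`unknown purpose: ${purposeId}`);
  const updated = { ...record, purposes: { ...record.purposes } };
  updated.purposes[purposeId] = { ...record.purposes[purposeId], granted: false, withdrawnAt: now.toISOString() };
  return updated;
}

// Cookie gate: names allowed to be set for this visitor. With no record at all
// (first visit, notice not yet answered) only essential cookies pass.
function allowedCookies(record, catalog = COOKIE_CATALOG) {
  return catalog
    .filter((c) => c.essential || (record && record.purposes[c.purpose] && record.purposes[c.purpose].granted))
    .map((c) => c.name);
}

// Email cleanup: subscribers without an affirmative newsletter consent are not
// mailed as usual; they go to the re-permission list, and only a "yes" to that
// email moves them back. Everyone else is kept.
function partitionSubscribers(subscribers) {
  const keep = [];
  const reconsent = [];
  for (const s of subscribers) {
    const c = s.consent && s.consent.purposes.newsletter;
    (c && c.granted ? keep : reconsent).push(s.email);
  }
  return { keep, reconsent };
}

// Constructed walk-through: privacy policy and newsletter ticked, analytics left unticked.
const signup = buildConsentRecord(
  { consent_privacy_policy: "yes", consent_newsletter: "yes" },
  { now: new Date("2018-05-01T12:00:00Z") }
);
console.log(JSON.stringify(signup, null, 2));
console.log(allowedCookies(signup)); // only session_id, because the analytics box was not ticked
```

The design choice worth noting is that absence of a field is treated as "no", so a form that omits a box, or a bot that posts without it, can never produce a granted purpose; and withdrawal writes a timestamp instead of deleting the entry, so you keep both the original proof of consent and the opt-out.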
The Compliance Clock is Ticking
It’s time to face the facts. You have less than a month to get your site GDPR compliant so that you can take advantage of the international tricentennial tourism boom and avoid potentially business-closing fines.
The items above are a start, but there is more to be done. Your best bet is to get moving on these while determining a full strategy for handling these new requirements over the long haul.
We’ve curated links to additional resources and articles that help to answer any lingering questions you might have.
- GDPR Checklist - HubSpot
- GDPR Means Third Party Processors - MarTechToday
- Hospitality: Unprepared for GDPR - Hospitality Tech
- GDPR Fines Could Affect Almost 80% of US Firms - ComputerWorld
- Yes, GDPR WILL Affect Your US Business - Forbes.com
One final note: if you are currently targeting digital ads to any European countries, keep an eye on your paid search and digital traffic, conversions and ad spend. These changes will impact how ads can be targeted, which will likely result in some drop in ad impressions, site visits and potential revenue.
If you don’t have the time or the personnel to make the changes that you need, contact us to discuss a strategy to get your website on the path to compliance.