It’s all about the privacy policy or “all I need is a GDPR privacy policy”

No… it’s not all about the privacy policy. You do of course need a privacy policy, but the privacy policy is not the issue. Even the best written privacy policy is not going to cure GDPR violations.

It’s all about protecting people’s personal information! Just about anything you collect from an individual (even if you don’t know their name) is considered by the GDPR (and the Israeli regulator) to be personal information e.g. an e-mail address, an IP address and any other information that could lead you to a specific person, with or without the addition of other information which may even be freely available on the Internet.

The purpose of the privacy policy is to describe transparently how you collect personal information from individuals and what you do with it.

It’s all about consent or ‘if I get consent, I can do anything’

No… it’s not all about consent! There are a variety of legal bases for collecting personal information, and consent is only one of them. Using consent as a basis to collect personal information is particularly tricky, and if it can be avoided, I would encourage you to avoid it.

In order for consent to be valid, (1) it has to be freely given, (2) it has to be given by an active step (not a pre-ticked checkbox), and (3) you need separate consent for each use of the personal information; in addition, consent can be withdrawn at any time.

Fortunately for lead generation, as long as your privacy policy is written properly, you can use the legal basis of “fulfilling a contract” for much of your activity. A lead-generator needs to pass the personal information it collects on to third parties in order to fulfill its contract with the user, but this fact has to be very clear and transparent!

I don’t have any European customers, so it doesn’t apply to me

If you are not located in Europe and you are not marketing to Europe, it is likely that the GDPR does not apply to you directly. However, if you have any international customers, anywhere in the world, it is likely that they have European customers and that they will insist you be GDPR compliant or they will not use your services.

So yes, even if you are not in the EU, it is highly likely that you will not be able to ignore the GDPR.

I’m in Israel, why would a European regulator care about me?

You are correct, it is unlikely that any European regulator would proactively seek you out. But remember that under Israeli law you also have certain privacy undertakings, and the Israeli regulator has become more active in the last year or two; and don’t forget the risks you face of a class action suit or a data breach. These things could cost you a lot more than any fine from any regulator.

I’m not responsible for my sub-contractors

Oh yes you are! You are responsible for your entire supply chain all the way down. This is why you should be sure to use GDPR compliant sub-contractors, and this is why, if you purchase leads, you must be sure that the company selling you the leads is GDPR compliant; otherwise you will be equally responsible for any privacy fouls.

I need GDPR certification

As of this stage, there is no such thing as GDPR certification. The EU has yet to grant anyone the accreditation to give GDPR certification.

If I do GDPR, I am okay for California (the CCPA)

I’m afraid not. It will certainly help, but California (the fifth biggest economy in the world) has its own regulation (the “CCPA”), which entered into force on January 1st this year. In some cases the CCPA is even more stringent than the GDPR; in others it could be considered more lenient. If you have any clients located in California, it is important to check this out, as the exposure here is serious.

So to summarize, some tips:

  1. Your privacy policy should describe transparently and clearly how you collect and treat people’s personal information. Anything that can lead you (with or without additional information) to an individual person is considered personal information.
  2. It is important to note that under the GDPR you need a separate cookies policy. More information about this will come in a separate article.
  3. Please make sure that it is easy to find your privacy policy on all pages of your website.
  4. If you are relying on consent, you need a separate consent for every single thing you plan to do with a person’s personal information. For example, in the case of lead management (if you are basing your collection of personal information on consent), you need consent to pass the information to the third party who has requested it, and if the third party also wants to add the person to their mailing list, this will require additional consent.
  5. There are alternatives to consent, and if you qualify for one of them, they can be easier to comply with.
  6. Even if you have consent, you can only use the information for the specific purpose for which it was provided.
  7. The data subject has many and various rights which have to be taken into account, such as the right to withdraw his or her consent at any time, “the right to be forgotten” (which means deleting personal data as soon as a user asks) and more.
  8. GDPR also means that you need to make sure you handle all personal data securely.

Disclaimer: the foregoing is only general information and not legal advice. Please engage legal counsel should you require it.

Beverley Zabow, Adv., CIPP/E is an experienced Israeli commercial attorney, certified by the International Association for Privacy Professionals (IAPP) for compliance in Europe. She has extensive knowledge and experience supporting hi-tech companies at all stages and in a large variety of fields. Beverley can be reached at [email protected], or visit www.ht-ip-law.com.
