Earlier this month, the Court of Justice of the European Union (EU), which is basically the European version of the Supreme Court, ruled that the current U.S.-EU Safe Harbor framework does not comply with the EU Data Protection Directive.
In other words, Safe Harbor, the agreement that allows data to be transferred between European and American companies, doesn’t go far enough to protect personal data that originates in the EU. The Court’s decision also opens the doors for legal action against companies that violate privacy laws.
On July 1, 2014, the Canadian Anti-Spam Law (CASL) went into effect. This law is designed to protect Canadian citizens from any number of commercial electronic messages – primarily email spam, but also various types of text and instant messaging, including social media. Instead of simply providing an opt-out option, organizations can only market to people who have opted in.
In other words, you have to obtain “express and informed consent” from each recipient of your emails and other forms of marketing and communication. Companies have until July 1, 2017 to obtain consent if they haven’t already. Violations incur penalties of up to $1 million for individuals and up to $10 million for businesses, as well as criminal charges.
Why should you care as an American small business owner?
These rulings are just two examples that reinforce the importance of understanding what kind of data you must collect, how you protect personally identifiable information, and how you communicate with individuals and companies in a way that meets legal standards.
It’s not enough to simply follow the U.S. CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003, which provides regulations for sending unsolicited emails. Violations of CAN-SPAM will cost you up to $16,000 per email. If you send 1,000 non-compliant emails, you’re looking at a fine of up to $16 million.
But here’s the kicker. The laws in Europe and Canada are tougher, and the regulators won’t wait to act until somebody comes to their door yelling and screaming. They’ll come after you.
You can’t just send a blanket marketing email to people from all over the world. You have to dig into your CRM (customer relationship management) system to find out the physical location of each individual or company in your database. If you’re not collecting this information and paying attention to domain extensions like .ca, you could be creating a serious legal risk.
Ignorance is no excuse, regardless of how big or small your company is. You can’t just say, “I didn’t know where they were from.” It’s your responsibility as a business owner to stay on top of these rules and collect the right information. You have to be diligent.
All of this data originates in your CRM, so it’s time to make sure your data is clean and up to date. For example, you might need to create and standardize a “country of origin” field. This will make it easy to search your database and identify every contact located outside of the U.S.
You should also consult with your attorney to make sure you’re collecting the right data, properly securing and insuring your data, and following laws for communicating with and marketing to individuals and businesses in your database.
Clean up your CRM. Talk to your attorney. Be diligent with your data. These investments are far less costly than the fines incurred for breaking the law.