The European Union has recently adopted new privacy regulations, collectively known as the General Data Protection Regulation, or GDPR. We administer insurance for North American insured customers, but Selman & Company has made changes to our website and privacy policy to comply.
GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. As of May 25, 2018, GDPR takes effect, and companies that are non-compliant risk fines of 4% of annual revenue or €20 million. Because of the scope of the regulation and the stiff penalties involved, GDPR impacts nearly all businesses that conduct digital marketing. Today, the internet is global, and achieving compliance is time-consuming, but not too difficult.
According to the new regulations, the GDPR applies to US marketers if they offer services over the internet to any consumers located in the EU. This can happen if a marketer, for example, accepts payment in Euros, offers its goods and services in EU languages, or offers to ship to the EU. Selman & Company doesn't currently offer services or products in this manner. However, some other interesting aspects of the law may apply to our business.
The regulation stipulates that organizations located outside of the EU must comply if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of people residing in the European Union, regardless of the company’s location. A US company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. A US marketer should also comply if it monitors any consumers within the EU, e.g., through the use of browser cookies. This last part is important, because the use of cookies helps us implement much of our permission-based digital marketing. Indeed, cookies are standard practice for companies that market products or services online.
Our privacy policy previously described how we use personal information for business purposes in insurance administration. For example, it is necessary to provide us a date of birth to obtain a life insurance policy. Contact and business use as part of a performance of a contract is permitted under GDPR.
But, as part of GDPR compliance, we are also updating our privacy policy to better describe how we collect and use personal information for marketing use. Non-North American visitors may encounter our website content, so some aspects of GDPR are relevant to us as a US-based insurance administrator.
This chart summarizes how we will use personal information, which is data that can “identify” an individual:
| Type of Personal Data | Collected for Selman & Company Business Use? | Collected for Selman & Company Marketing Use? |
| --- | --- | --- |
| Name, address, and phone number | Yes | Yes |
| Country of residence/US State or Canadian Province | Yes | Yes |
| IP address and cookies | No | Yes, with permission |
| Racial identity | No | No |
| Religion and religious affiliation | No | No |
| Health and genetic data | Sometimes, regarding a policy/claim | No |
| Biometric data | Sometimes, regarding a policy/claim | No |
| Sexual orientation and gender preference | No | No |
Marketing and web traffic are where GDPR mostly affects us, and we have activated new functionality on our website to support these changes.
First, we analyzed our marketing contacts databases. Currently, all leads and contacts in our marketing database have an associated address in a US state or Canadian province, or were supplied to us by our US/Canadian clients. For those contacts where location was unspecified, we will obtain explicit consent via email. Only 0.71% of our contacts lack such data.
Second, we activated new features on our website:
Enabling these new features won't make our processes GDPR compliant automatically; rather, these features will help us comply going forward.
Use these resources to learn more, or contact us with questions.