+44 (0)330 024 0477

The GDPR & Visitor Identification

Hyped by opportunistic compliance consultants and played-down by anxious data providers reassuring us of ‘business as usual’, the GDPR has triggered a biblical fervour across social media and industry blogs frothing with contradicting assertions that gave us the heebie-jeebies. We kept cool heads and over many rounds of tea, sat down to unpick the knotted mess of claims to establish once and for all if the business skies really will rain fire and brimstone come May 2018.

Here’s what you need to know about how the GDPR will impact website visitor identification services.

GDPR & IP Addresses

The naked, legalistic truth on this is that in a post-GDPR world…

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers]…[This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Source: Official Journal of the European Union

In human-speak, this means that IP addresses will be considered as potentially representing personal data when combined with additional information that may permit the identification of an individual associated with that IP address. What the official GDPR literature fails to make explicitly clear is the difference between commercial ISPs and business network internet services.

Business network IP addresses are associated with the business entity rather than with an individual consumer so it is not possible, with an IP data profile alone, to identify the individual at the business browsing your website. Consumer IP addresses, when combined with additional data obtained through their ISP, may enable the identification of that individual customer associated with that IP address.

Although IPFingerprint tracks both business-visitors and home-user browsers, in neither case will we ever seek to obtain the additional data that may facilitate the identification of individuals… so there really is nothing to see here. In the same way that your website will continue to legitimately leverage Google Analytics, it will also continue to legitimately leverage IPFingerprint since the core premise behind what data is collected and how, is the same.

If you have concerns, questions, or would like to receive a few lines of text from us outlining the above to add to your privacy statement, just ask and we’ll be glad to provide the details.

GDPR & Hunter Email Addresses

Because even prior to the GDPR it has not been legal, ethical or technically possible to identify individual web-visitors with IP data alone, we’ve promoted lead-research methods involving LinkedIn and Hunter email finder that enables users to approximate the individual likely to be behind web-visits so that sales teams can reach out to build a conversation toward lead-conversion. So what does the GDPR think of Hunter-style algorithm-driven email finder tools?

Let’s look at what the incoming legislation prescribes for unsolicited outreach.

“The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission”

Source: Information Commissioner’s Office

Ignoring the glaring contradiction, it’s clear that ‘consent’ will be a key factor but importantly, not the only factor. Marketing outreach will require an explicit opt-in from individuals even when contacting people via their business email address and, on top, your own contact details and opt-out options must be clearly be offered. The new legislation defines consent as…

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Source: Official Journal of the European Union

On the face of it, this would spell curtains for email finder tools like Hunter. However, there is an important plot twist. This is where things get a little murky…

The ICO have been keen to stress that ‘consent’ is only one of six legal grounds for processing personal data, such as business email addresses. The sixth is ‘legitimate interest’ and, by our understanding, represents the saving grace for use of tools such as Hunter for prospecting. If a browser visits your website from a business that aligns with your target market, interacts significantly viewing a number of pages that suggest they may be interested in your offering, we’re confident that post-GDPR you would have a ‘legitimate interest’ in contacting them to build on their visit having sourced their email address using Hunter.

The ongoing legitimacy of our service and associated tools in light of the upcoming changes is water-tight, however, we must encourage users to educate themselves on practices and etiquette that need be applied to avoid complications when prospecting with IPFingerprint and it is also important to note that the new regulation will impact businesses outside of the EU marketing to EU citizens. So long as you follow a few simple rules, some of which are merely continuations of what’s already enforceable, then there’s no reason why May 28th 2018 shouldn’t be just another day.

To get you started on confirming your own compliance, here’s a checklist provided by ICO to provide a little guidance.