How to Run GDPR Compliant Giveaways, Contests, and Quizzes

One of the benefits of interactive, online technology is the ability for you to get to know your customer. By increasing engagement through giveaways, contests, and quizzes, you can create a positive relationship between your brand and potential users of your product.

The flipside of that technology is the use and collection of personal data, which is increasingly a subject of public policy. This year marks a new era in privacy laws with the enforcement of the European Union’s General Data Protection Regulation. If you are an online marketer, it probably applies to you, even if you are not based in Europe.

Thankfully, you can comply with these new regulations while still protecting your users and continuing your marketing efforts at the same time. Doing your due diligence requires care and attention paid to the knowledge you gain about your customers and offering them transparency throughout the process.

What is the GDPR?

The General Data Protection Regulation comes into effect on May 25, 2018. It is an initiative of the EU but has wide-reaching impacts that go beyond Europe. The GDPR is designed to protect European citizens and their personal data, even if a company outside EU borders collects it.

The GDPR has strict rules around the collection, storage, usage and transport of personal data. Among the key tenets of the GDPR are the rights of EU citizens to access their personal data held by a company, provide consent to collection and demand complete data erasure. This last point is termed “the right to be forgotten.”

If you fail to comply with the GDPR, your company could face a hefty fine.

Who Must Comply?

What makes the GDPR different from earlier EU privacy laws is its long reach. It applies to any company gathering personal data on EU citizens. So if you’re based in the US, but running a contest that collects entrant data from someone in an EU country, you have to understand the GDPR.

Even if you are not actively reaching out to European citizens, your company can fall within the GDPR gambit. If you collect IP addresses from visitors, that may be enough – so it’s a good idea to chat with your technology people to get a handle on what kind of data you’re collecting.

In laying out the categories of application, the GDPR refers to information gathered by non-EU based companies to profile a person to establish future preferences or behaviors. It’s a mouthful, but it does seem to capture common marketing techniques. Again, it doesn’t mean you can’t do it – just that you have to follow GDPR rules as part of your efforts.

If you partner with another company who collects data on your behalf, you don’t get a pass – your contract with that company must certify that your partner will also comply with the GDPR.

What is Personal Data?

The GDPR takes a very wide view of personal data. It is anything that can be used to identify a person, directly or indirectly. The FAQs on the official GDPR website offer such examples as photos, email addresses, social network posts, or IP addresses.

If you’re running a giveaway or contest, you are probably taking entrant’s personal data. User-submitted posts, such as photos and comments, also count as personal data.

The good news is that you don’t have to stop running contests altogether – you just have to do so in a way that complies with GDPR guidelines.

Tips to Comply

You don’t have to shelve all of your marketing activities in the wake of the GDPR. You can still run giveaways and contests all you like, but should take specific steps before launching your next campaign.

1. Understand and Document the Data You Collect

Personal data may sound quite obvious, but you may have knowledge of your customers through day-to-day online interactions that fall under the GDPR that you’re not really aware of. If you’re running a giveaway, you’re going to have identifying information, but remember the law isn’t just concerned about name and address. IP address, or indeed any piece of data that can lead back to an individual, is considered personal information.

Under the GDPR, controllers – those who collect personal data – have to document what kind of data they gather and why. Set up a system or guideline, such as an internal policy, that outlines what kind of personal information you collect, why and from whom. This policy should also include how long you keep the information, since persuant to the GDPR it is only permitted to be kept as long as necessary before the data is deleted or made anonymous.

2. Get Consent for Data Collection

There are several lawful grounds to collect personal data, but the most relevant for online marketers is consent. The GDPR insists that consent must be specific, informed, unambiguous and freely given. That means your terms and conditions have to make sense to someone who doesn’t know the legal terminology. You should be able to demonstrate that individuals gave their consent, and have the ability to withdraw that consent should they wish.

For a contest, giveaway or quiz, include an action that gives consent – such as ticking a box – to the collection of information. To satisfy the requirement that consent is unambiguous, it should be listed separately from other questions asked of a user, such as asking if they are of age or agree to be placed on a mailing list.

3. Appoint a Data Protection Officer

Data protection officers are only required in certain circumstances, such as when organizations are gathering data on a large scale. However, you may nonetheless want to appoint an individual tasked with administering data collection policies and ensuring compliance with the GDPR. One of the most important parts of GDPR compliance is demonstrating you are following this law – so having a data protection officer can help you document your efforts to keep on top of privacy obligations.

4. Implement Procedures for Data Requests

Since the GDPR gives individuals the right to request data, it is a good idea to ensure that you have a mechanism that divulges this information quickly and easily. You must give this data over to users within one month upon demand, so it should be easy for you to access and transmit as needed.

5. Update Your Own Privacy Policies

If you hold the information of EU citizens in the US, you may have to comply with the EU-U.S. Privacy Shield. This allows companies to hold personal data of EU individuals as long as they uphold privacy standards. In part, this means having an up-to-date privacy policy on your website.

Penalties for Non-Compliance

Failure to comply with the GDPR can result in a fine of 4 percent of annual revenue or €20million, whichever is greater. Although these are the maximum penalties, and likely won’t be levied in every case, they indicate how serious the EU takes this new regulation.

Err On the Side of Caution

The GDPR is still new, so it hasn’t yet been tested in court. To protect your organization, it’s best to meet the highest possible standards of visitor privacy. For example, small businesses may think they don’t have to appoint a data protection officer or keep detailed records. However, the risk of fines or loss of customer trust in the event of a breach or misuse of information is enough reason to be hyper-vigilant on privacy issues.

How Woobox Can Help

By complying with the GDPR, you can give your customers even more confidence in your trustworthiness and transparency as an organization. You can still have some fun by creating giveaways or quizzes – it’s free to get started with Woobox. A subscription is only required to publish and run your campaigns.

The Woobox Support staff are happy to provide any walkthrough or question-answering needs. Support is available from 9 am — 5 pm PST, Mon. through Fri at 1-360-450-5200 or