GDPR, CCPA and other data protection laws
Introduction
In recent years many countries and regions have introduced data protection laws. These give the owner of the data rights over that data. For gyms this means your customers are the owners of their data.
This article gives a high level overview of the most common aspects of such laws and how they can apply to your business.
At the time of writing this is an evolving area of law. Laws also vary massively from country to country. Whilst we will try to keep this article updated and sufficiently generic to cover all regions, things are changing quickly. You should always refer to your local laws as the definitive guide rather than this article.
Scope
Generally speaking the data protection laws apply to personal data. That is information about somebody - for example their date of birth or address. It does not include other data - for example how much revenue you made last month or how many customers you have.
Roles
Most laws have a concept of roles such as data controller vs processor:
- A controller - this is the entity that owns the relationship with the individual and processes their data. In the case of a gym that would be the gym - i.e. the customer is interacting with the gym and the gym is taking their data in order to fulfil a service.
- A processor - this is another entity used by a controller for some of their data processing needs. For example WodBoard would be a processor for a gym, as would say MailChimp or any other service you use where customer data goes.
Your business using WodBoard creates a second relationship - that is us as a controller and you as a customer. That's because we store personal data such as your name and address for billing purposes. This is completely separate from the role you have with your customers and to avoid confusion isn't covered by this article. Get in touch with our support team if you need any more information on this.
Basis for processing
In order to process data you must have a reason for doing so. The most common two reasons for health and wellness businesses are:
- Contractual - when a customer purchases a service from you, you will need certain data to fulfil that service. For example a customer's name and contact details
- Consent - the customer gives you permission to use their data. For example the customer gives you permission to add them to a newsletter
There are many others but we've not listed them for brevity. You should refer to your local data protection agency for a full list.
If you need to ask for Consent in WodBoard you can turn on that option in Settings -> Customer Options. Note - the checkbox is unchecked by default to comply with the EU GDPR laws but if your country doesn't require this and you would like it checked by default please reach out to our support team.
It is possible to have multiple bases for processing - for example you ask for the customer's name and email as part of the contract so customers can log in to your booking system (Hello WodBoard!), but you also use email for a newsletter which you classify as needing consent. In that case the customer could withdraw consent for the mailing list but not for the contract part (whilst they are still a member at your gym).
A common confusion is that you must always ask for permission to add an individual to a mailing list. This is not the case - it depends what you're using the mailing list for. For example if you use the mailing list to send out offers from 3rd parties then that would typically be classified as marketing and therefore Consent. However if you send out membership price changes and other information related to the customer's contract then it would typically be considered Contractual.
Rights of the individual
Under data protection laws the individual has rights. The most common ones for health and wellness businesses are:
- Right to be informed - that is you must let the individual know you are processing their data
- Right of access - an individual can access the information you hold about them
- Right to correct incorrect data - an individual can update data you hold about them
- Right of erasure - an individual has the right to have their data erased
Again there are many others we've not listed here for brevity. You should refer to your local data protection agency for a definitive guide.
Implications for your business
As a result of all the above you will need to:
- Determine your scope and roles
- Work out your basis for processing (there may be several)
- Determine how you will handle the rights of the individual
- Take any other actions your local laws require of you for data processing
You will need to inform the customer that you are processing their data. This can be done via a privacy policy on your website or in a document the customer is given/signs.
If the individual raises a query they would do so against the controller as the party that owns the relationship - so the customer would contact you, not us (or any other processor). You would then farm out any parts of that request to your processors as necessary.
For example a customer makes a request to be forgotten. You would first determine if they still had a membership and if so you would refuse to erase the data processed on a contractual basis (as you would no longer be able to provide the service). However you would still need to honour the request for any processing based on consent - such as removing them from your mailing list.
How WodBoard helps you manage this
If you need to ask for permission to contact a customer you can configure a checkbox that is shown on registration under Settings -> Customer (or if you have the CRM Settings -> CRM). Once a customer has registered you can see the option (and change it) on their Customer page.
We also provide a series of tools your customers can use. They can
- Download a copy of the data you hold about them from their account
- Update their details from their Profile page
- Delete their account (assuming they do not have an active product)
This means if somebody makes a request for a copy of their data for example you can explain how to do it from their WodBoard account. You would also need to repeat this with any other services that you use - do not forget the rules apply to all places personal data goes!
Automatic deletions
After 18 months of inactivity at your gym individuals are emailed automatically by WodBoard and asked if they want to keep their account. If they do not click the link in the email to keep their account active then their details are automatically deleted. This covers provisions that most data protection laws have around duration of data storage.
Note whilst the customer's account is cleared up the financial and legal records are not cleared up at this point. They are cleared up after the period of time defined in your account under Settings -> Customer Options. That's because many countries have a minimum period which these records must be kept for. For example in the UK financial records must be kept for 7 years.
Data protection agencies
The following is a list of the agencies/government departments responsible for managing data protection laws in each country. It is not an exhaustive list and just covers the countries most common on WodBoard which currently have data protection laws:
- UK (GDPR) - Information Commissioner's Office
- Ireland (GDPR) - Data Protection Commission
- New Zealand (Privacy Act 2020) - Privacy Commission
- Canada (PIPEDA) - Office of the Privacy Commissioner of Canada
- USA:
  - California (CCPA) - Office of the Attorney General
Customer Relationship Management (CRM)
For customers that use our CRM, we have an additional way that you can contact customers and leads. Our messaging system allows communication in both an automated and manual way, but has some data implications you must be aware of.
Automation types
The CRM has a concept of automation types:
- transactional (some data privacy laws call this contract) - the message is directly related to a service you are providing or looking to provide to the customer or lead. For example a lead who books a trial will receive a message about the trial booking confirmation, or a new customer receives an email about gym rules
- marketing (some data privacy laws call this promotional) - the message is not directly related to a service you are providing or looking to provide to the customer or lead. For example if you message an ex-customer about a sports drink offer from one of your partners
When you first enable the CRM you get set up with four default automations for introduction booked, introduction cancelled, introduction missed and introduction attended events. These are set up as transactional. All other automations default to marketing but can be changed to transactional if the content is transactional as outlined above. Equally if you extend the default emails you can change the type to marketing.
It is not possible for us to determine if a message should be classified as marketing or transactional - the content of your messages, what you are offering as a service and the local laws in your location will determine this. In creating the CRM we had to create a broad system that could cover data protection laws in all countries. You will therefore need to check your local laws to determine what would be classed as marketing messages and what as transactional.
Consent for sending marketing messages
For marketing messages you will need to decide if you need to initially ask for consent to send them. You will need to ask for this unless one of the following is true:
- There are no data protection laws around needing consent for marketing messages in your country or region
- You consider all the marketing messages you send to be covered by some other legal provision that means you don't need to ask for permission
- You have asked for consent on your website, via email, or some other means such that when the customer fills out one of our forms to become a lead or customer, you already have permission to market to them
- You are adding a lead or customer to our system via a 3rd party system and have asked for consent to send marketing messages there
The setting is made when you first enable the marketing automation system and is available thereafter in the settings page. There is a separate option for leads and customers if your messages for leads and customers require different consent.
If you do ask for marketing messaging permission then a checkbox is added to your forms for leads, leads converting to customers and customers signing up directly (without them being a lead first).
You can choose the wording for the marketing checkboxes so you can tailor it to the messages you send. Note - the checkbox is unchecked by default to comply with the EU GDPR laws but if your country doesn't require this and you would like it checked by default please reach out to our support team.
Example: Gym X enables two automations within the CRM:
- an SMS reminder 24 hours before an introductory appointment
- a series of 3 emails introducing the gym training facilities, the gym training methodology used and gym social events that happen each year. These are sent when a lead signs up for a membership.
Gym X determines each of these is transactional in their country and therefore does not need to ask for consent for marketing messages.
However if Gym X added another automation:
- a series of 10 emails after a customer cancels their membership
and this is not classed as transactional in their country, then they would have to ask for consent for marketing messages.
Manual messages
When staff send a message from the Inbox and the customer/lead has chosen not to accept marketing messages then a warning is shown that the message must be transactional. In these cases staff should not send marketing messages and only use the inbox to send transactional messages.
Will customers/leads receive a message?
Regardless of whether you require consent from the customer or lead at the start, they will have the option to unsubscribe from your marketing messages. If they do this we will only send transactional messages from that point onwards.
As such customers and leads will receive a message if:
- It's transactional (regardless of their marketing preference)
- It's a marketing message and either:
  - The customer/lead didn't need to opt into them and hasn't opted out
  - The customer/lead did need to opt in and has opted in
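The delivery rule above, written out as an added example (this is not WodBoard's own code). The `Contact` shape, the per-audience `CONSENT_REQUIRED` table and the function names are assumptions made for the illustration; the rule itself follows the section above, including the case where someone opted in but later unsubscribed.

```python
from dataclasses import dataclass


@dataclass
class Contact:
    """Assumed shape of a lead or customer record for this example."""
    audience: str        # "lead" or "customer"
    opted_in: bool       # ticked the marketing checkbox on a form
    unsubscribed: bool   # later used the unsubscribe link


# Assumed per-audience setting: does this account ask for marketing consent?
# The page describes a separate option for leads and for customers.
CONSENT_REQUIRED = {"lead": True, "customer": False}


def should_deliver(message_type, contact, consent_required=CONSENT_REQUIRED):
    """Return True if the message reaches the contact under the rule above."""
    if message_type == "transactional":
        # Transactional messages go out regardless of marketing preference.
        return True
    if message_type != "marketing":
        raise ValueError(f"unknown automation type: {message_type}")
    if contact.unsubscribed:
        # Unsubscribing stops marketing messages whether or not consent was
        # originally required, so check this before the opt-in rule.
        return False
    if consent_required[contact.audience]:
        # Consent was required at signup: only send if they opted in.
        return contact.opted_in
    # Consent was not required and they have not opted out.
    return True


def inbox_warning(contact, consent_required=CONSENT_REQUIRED):
    """Manual Inbox messages: warn staff that the message must be transactional
    when the contact would not receive a marketing message."""
    return not should_deliver("marketing", contact, consent_required)
```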