GDPR Compliance for Estheticians and Spa Owners

Has your inbox been inundated with emails about GDPR and privacy policies lately?

As an esthetician and spa owner, you may wonder what the big deal is and how GDPR affects you as a local business in the United States.

If you’re like many of my clients and students, the legalese may send your head spinning.

Don’t worry, this article will tell you what you need to know and, more importantly, what you need to do to stay compliant.

(Note: I’m not a legal professional or privacy policy expert. Information in this article shouldn’t be taken as legal advice.)

What’s GDPR?

GDPR stands for General Data Protection Regulation. It went into effect on May 25, 2018, to give EU citizens more control over their personal data.

It’s a law designed to protect EU citizens and applies to all businesses that process personal data of those residing in the European Union, regardless of the company’s location.

Simply put, if there’s a chance that someone residing in the EU may share personally identifiable information (PII) with you, e.g., by signing up to your email list, you need to stay compliant with GDPR.

What’s PII?

In the context of a beauty business, PII could include email address, phone number, name, billing information (e.g., during online scheduling), photos (e.g., before/after pictures), medical information (e.g., online intake forms), IP address, and tracking pixels (e.g., online advertising).

Why Should You Care?

If someone from the EU lands on your website and it uses cookies to collect data, you’re required to comply with GDPR – even if your business is located in the US and services local clients.

The penalty for non-compliance can be quite steep. Organizations could be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

How GDPR Affects Estheticians and Spa Owners

For estheticians and spa owners working with a local (US) clientele, the biggest concern around GDPR involves email marketing because anyone, including EU citizens, can sign up to your email list.

Here are a few things you should do to stay compliant when collecting and processing subscriber data:

Explicit Consent

When visitors opt in to get a freebie, e.g., a checklist, you can only send them emails regarding that lead magnet.

You can no longer automatically add them to your main email list and send them your newsletters.

However, you can give them an opportunity to provide explicit consent so they can be added to your main email list.

For example, they can do so by clicking a checkbox on the opt-in page (the default state needs to be unchecked) or, when you use double opt-in, by clicking a button/link on the thank-you page or confirmation email.

I highly recommend using double opt-in for your email signup. This may be an extra step for your subscribers but it’ll help you build a higher-quality list of people who want to hear from you.

Most email service providers have integrated mechanisms to obtain explicit consent into their form builders so all you need to do is to update your form and grab the new code.

Email Marketing

To make sure your list is “clean” – that every subscriber has given consent to receive email communications from your business – you can run a re-permission campaign that asks recipients to re-subscribe to your list.

I’m not going to lie… it can hurt a bit since a good portion of subscribers may not open that email or choose not to re-subscribe.

However, it’s ok. Use this as an opportunity to clean up your list so only those who want to hear from you remain. This will help increase your open rate and make it much easier to nurture relationships with your audience.

In addition, make sure you honor the data subject rights set out in GDPR: the right to access, the right to be forgotten (erasure), and data portability. In practice, that means making it easy for your subscribers to request a copy of their data or have their data erased.

If you use an email service provider, you should be able to easily export the data or delete a subscriber.
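The consent rules above (a lead-magnet opt-in does not imply newsletter consent, the checkbox defaults to unchecked, and nothing counts until the double opt-in link is clicked) and the access, erasure and portability requests from the Email Marketing section can be modelled in a few dozen lines. The following is an added example written for this article, not code from the post or from any email service provider; the class, purpose names, token handling and sample addresses are all this example's own assumptions.

```python
"""Added example: a minimal consent-scoped subscriber store.

Consent is recorded per purpose and only after the double opt-in token is
confirmed; export and erase cover the access / portability and right-to-be-
forgotten requests. All names and sample data here are assumptions made for
this example, not any real provider's API.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

LEAD_MAGNET = "lead_magnet"   # e.g. the checklist the visitor asked for
NEWSLETTER = "newsletter"     # the main list; needs its own explicit consent


@dataclass
class Subscriber:
    email: str
    # purpose -> unix time the consent was confirmed (your proof of consent)
    consents: dict = field(default_factory=dict)


class SubscriberStore:
    def __init__(self) -> None:
        self._subs = {}      # email -> Subscriber
        self._pending = {}   # sha256(token) -> (email, [purposes])

    def start_signup(self, email: str, newsletter_checked: bool = False) -> str:
        """Record an opt-in and return the double opt-in token to email out.

        The newsletter checkbox defaults to unchecked; only an explicit tick
        adds the newsletter purpose. Nothing is consented to yet.
        """
        self._subs.setdefault(email, Subscriber(email))
        purposes = [LEAD_MAGNET]
        if newsletter_checked:
            purposes.append(NEWSLETTER)
        token = secrets.token_urlsafe(32)
        # Store only a hash so a leaked database cannot forge confirmations
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, purposes)
        return token

    def confirm(self, token: str) -> bool:
        """Confirmation link clicked: pending purposes become consents."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # tokens are single-use
        if entry is None:
            return False
        email, purposes = entry
        sub = self._subs.get(email)
        if sub is None:                           # erased before confirming
            return False
        now = int(time.time())
        for purpose in purposes:
            sub.consents.setdefault(purpose, now)
        return True

    def can_email(self, email: str, purpose: str) -> bool:
        """Send only if this purpose was explicitly confirmed."""
        sub = self._subs.get(email)
        return sub is not None and purpose in sub.consents

    def export(self, email: str) -> Optional[dict]:
        """Right of access / portability: everything held about a subscriber."""
        sub = self._subs.get(email)
        if sub is None:
            return None
        return {"email": sub.email, "consents": dict(sub.consents)}

    def erase(self, email: str) -> bool:
        """Right to be forgotten: drop the record and any unconfirmed tokens."""
        self._pending = {d: e for d, e in self._pending.items() if e[0] != email}
        return self._subs.pop(email, None) is not None


if __name__ == "__main__":
    store = SubscriberStore()
    token = store.start_signup("visitor@example.com")   # constructed sample
    store.confirm(token)
    print(store.can_email("visitor@example.com", LEAD_MAGNET))   # True
    print(store.can_email("visitor@example.com", NEWSLETTER))    # False
```

The point of the design is that the email-sending path checks `can_email` for a specific purpose, so a lead-magnet subscriber can never be swept into the newsletter by accident, and the confirmation timestamp doubles as the consent record you would show if asked.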

Privacy Policy

Having a privacy policy posted on your website helps protect you and your business. It should indicate how you’re collecting, processing, securing, and utilizing the users’ data.

If you use third-party service providers, e.g., Square to process payment or Mailchimp to send out emails, you need to link to their privacy policies as well.

Include a link to your privacy policy on your website’s footer so it appears on every page. Also, add the link to any signup form that you use to collect users’ information.

GDPR: an Opportunity To Foster Trust

GDPR encourages businesses to increase their level of transparency and respect the personal information of their subscribers.

As beauty professionals, the success of our businesses depends on nurturing trust and relationships with our clients.

Staying GDPR compliant is an opportunity to revisit how you can better communicate with your clients and subscribers in a way that respects their privacy and their relationships with your business.

Running a business is more than about practicing your craft. You also need to be aware of the latest developments that affect how you run your business.

In the Esthetician Inner Circle, you’ll be able to stay up-to-date and get the support you need to keep up with everything you need to know to operate your beauty business as a world-class leader.

If you have additional questions, please post in the comments and I will do my best to answer!
