European Data Privacy Laws – Why Should I Care?

GDPR has frequently been mentioned in US technology and business news, but most US-based businesses haven’t worried about the details. GDPR (the General Data Protection Regulation) is a European data privacy law that controls the collection and processing of personal data of individuals within the European Union (EU). In an effort to establish digital rights for European Union citizens, the law also addresses the export of personal data outside the EU, which makes it applicable in many jurisdictions around the world. The GDPR replaces the 1995 Data Protection Directive within the European Union, which did not regulate businesses based outside the EU.

With GDPR in place, even if you operate a US-based business with no presence outside of this country, the regulation may still apply and impose significant fines if you fail to comply. To fall under the umbrella of the GDPR, you don’t have to market or offer your goods and services in the European Union: the GDPR applies to any organization that collects and stores personal data on European Union users on its website. So, if that sounds like you or your company, listen up!

What is “Personal Data”?

According to the European Commission, personal data includes “any information relating to an individual, whether it relates to his or her private, professional or public life.” In other words, any information relating to an identified or identifiable natural person can qualify as personal data. It could be anything from a name, an address, a photograph, bank details, social media posts, or medical information to a computer’s IP address. Below are some examples of what can qualify as “personal data”:

  • Name, telephone, physical and email address and government ID numbers
  • Medical information, biometric data, demographics
  • Political and religious opinions
  • Sexual orientation
  • Tagged photos
  • IP address, cookie history and RFID tags

How Does GDPR Impact US Websites?

All websites that collect personal information will be held accountable for any data collected from or processed about an EU citizen. While you may not specifically market your business to EU customers, if EU citizens enter data on your website, you are responsible for compliance with GDPR. In particular, if a customer’s information is compromised on a US website, or a security breach is not reported in the prescribed manner, US companies risk steep financial and legal penalties. The GDPR requires non-EU companies that handle EU data to appoint a representative in the EU, who represents the non-EU entity in all matters relating to the regulation, including receipt of fines and other penalties for non-compliance.

How Do You Protect Your Business?

Compliance with GDPR places an additional burden on U.S. businesses that operate websites and may receive visits from European residents. If your business captures personal data from users, whether through a newsletter sign-up or a live website chat, you must obtain comprehensive consent from those users and keep records of all user interactions. Further, you must obtain explicit permission from those users before sending them email newsletters or promotions. If you do so without confirming their consent, you are in a dangerous spot. Organizations are not allowed to market to anyone on their mailing lists who did not explicitly consent to be marketed to. Among the key requirements of the GDPR is that user consent must be freely given, specific, informed and unambiguous.

To ensure compliance, below are several actions that your company may consider:

  • Have clear processes in place for detection, reporting, and investigating data breaches.
  • Add a privacy policy to your website with clear explanation of user data collection and use.
  • Add a digital certificate to your website.
  • Ensure that website contact and inquiry forms are submitted securely over an SSL/TLS connection.
  • Provide for explicit opt-in option for all forms and other data collection methods on your website (note, a tick-box must not be pre-ticked).
  • Make an easy option for your users to withdraw their consent, submit a request to “be forgotten,” opt-out, or unsubscribe.
  • Add a cookie alert banner, create a cookie policy, and give users an option to use your site without cookies.
  • Update your company’s privacy policy to reference GDPR terminology.
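The consent-related items in the checklist above (an explicit opt-in box that is never pre-ticked, an easy way to withdraw consent, and a way to honour a “be forgotten” request) can be made concrete in code. The following is an added example written for this newsletter, not code from any product or regulator; the class and field names (ConsentLedger, consent_<purpose> form fields, the "yes" checkbox value) are assumptions, and the in-memory store stands in for a real database. It keeps consent per purpose, so a generic “I agree” box cannot be reused to justify marketing email, and it keeps withdrawn records as evidence rather than deleting them, while a full erasure removes everything.

```python
# Added example: minimal server-side consent handling for opt-in, withdrawal and erasure.
# Names (ConsentLedger, consent_<purpose> fields, "yes" value) are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from html import escape
from typing import Dict, List, Optional


class ConsentError(ValueError):
    """Raised when a submission does not amount to valid, explicit consent."""


@dataclass
class ConsentRecord:
    purpose: str                 # one specific purpose, e.g. "newsletter"
    given_at: datetime           # when the user opted in (UTC)
    source: str                  # which form collected it, for the audit trail
    withdrawn_at: Optional[datetime] = None


def render_consent_checkbox(purpose: str, label: str) -> str:
    """Render the opt-in box for one purpose. Deliberately no 'checked' attribute:
    the box stays unticked until the user acts, as the checklist requires."""
    name = escape(f"consent_{purpose}")
    return f'<label><input type="checkbox" name="{name}" value="yes"> {escape(label)}</label>'


def is_valid_opt_in(purpose: str, form: Dict[str, str]) -> bool:
    """Specific and unambiguous: only the affirmative value of the box for *this*
    purpose counts. A missing field (box left unticked) or any other value is refused."""
    value = form.get(f"consent_{purpose}")
    return value is not None and value.strip().lower() == "yes"


class ConsentLedger:
    """In-memory store of per-user, per-purpose consent (a real site would persist this)."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_opt_in(self, user_id: str, purpose: str,
                      form: Dict[str, str], source: str) -> ConsentRecord:
        if not is_valid_opt_in(purpose, form):
            raise ConsentError(f"no explicit consent submitted for purpose {purpose!r}")
        rec = ConsentRecord(purpose, datetime.now(timezone.utc), source)
        self._records.setdefault(user_id, []).append(rec)
        return rec

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """True only if the most recent record for this purpose is still active."""
        recs = [r for r in self._records.get(user_id, []) if r.purpose == purpose]
        return bool(recs) and recs[-1].withdrawn_at is None

    def withdraw(self, user_id: str, purpose: str) -> bool:
        """Opt-out / unsubscribe: mark the active consent as withdrawn but keep the
        record, so you can later show when consent was given and when it ended."""
        for rec in reversed(self._records.get(user_id, [])):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)
                return True
        return False

    def erase(self, user_id: str) -> int:
        """Right to be forgotten: drop every record held for the user; returns the count removed."""
        return len(self._records.pop(user_id, []))


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sample submissions, as a browser would post them.
    signup = {"email": "alice@example.com", "consent_newsletter": "yes"}
    ledger.record_opt_in("alice", "newsletter", signup, "signup-form")
    print("may email alice:", ledger.has_consent("alice", "newsletter"))      # True
    print("may send promos:", ledger.has_consent("alice", "promotions"))      # False
    ledger.withdraw("alice", "newsletter")
    print("after unsubscribe:", ledger.has_consent("alice", "newsletter"))    # False
    print("records erased:", ledger.erase("alice"))                           # 1
```

The point of separating `is_valid_opt_in` from the ledger is that the server, not the browser, decides what counts as consent: a form that arrives without the purpose-specific field is treated as “not consented”, which is exactly the outcome a never-pre-ticked box produces when the user leaves it alone.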

Is This Regulation a Panacea or a Mere Palliative?

While GDPR is intended to change how businesses use personal data, the question remains open as to whether this privacy regulation makes the cyber world a better place. It does to some extent, but it is by no means a panacea for every privacy ill. It is clear that other laws on privacy and digital rights are much needed, especially in this country. The California Consumer Privacy Act is the next natural step in this legal evolution, and we will discuss it in our next newsletter. Stay tuned!