GDPR & ePrivacy for U.S. Based Websites
So, you are sitting in your office trying to get caught up on your never-ending pile of work and all of a sudden you get an official looking email from Google letting you know about their new GDPR policies. The first thing you think to yourself is, "What is GDPR and how does it affect me?". Well, that is a mighty good question, one that many American companies are going to be asking themselves over the next few weeks as we get closer to May 25th, 2018, the date the GDPR becomes enforceable. Read on so that we can help you navigate the murky waters of the GDPR, what it means to you, and who is affected by it.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the EU's new data privacy and protection law. Its goal is to strengthen and unify data protection for people located in the EU (residents and visitors, not only citizens), whether they use a website based in the EU or one based abroad.
What Are The Penalties For Non-Compliance?
Companies that have not adapted to the new regulation face the possibility of being heavily penalized, very heavily penalized. For the most serious infringements the fine can be up to €20 Million (about $25 Million) or 4% of worldwide annual turnover for the preceding financial year, whichever is higher. Ouch!
In order to help you make sure that you don't fall prey to the GDPR regulatory penalties we have broken it down into easy-to-read sections so that you can gauge whether your company will be affected by the measures or not.
Who is the GDPR trying to Protect?
The GDPR has been established to protect the information of natural persons, also known as "Data Subjects". Data Subjects must be told what is kept about them and why, and where the processing rests on their consent, that consent must be freely given and just as easy to withdraw as it was to give. Consent is only one of the lawful bases the GDPR recognizes; others include processing that is necessary to perform a contract with the Data Subject or to meet a legal obligation, and in those cases the Data Subject is informed rather than asked.
One thing to note, however, is that there are overlapping laws and regulations that require the retention of some types of data for some activities. The GDPR does not supersede those requirements; it works alongside them. For example, both the EU and US have strict regulations regarding the retention of account data for investors. The GDPR is not intended to override those regulations, it only requires that Data Subjects be told their data is being stored to meet them, and for how long.
What Type of Information is Protected?
Generally speaking, personal data is anything that can be used, alone or combined, to identify a Data Subject.
Below is a list of types of data that would be considered protected data:
- Email Address
- Phone Number
- Bank Details
- Social Network Postings
- Medical Information
- Computer IP Address
- Location Data
Below is a list of the types of tracking and profiling mechanisms that would need to be disclosed to your site visitors:
- All Data Collected
- Tracking Pixels
- Retargeting Pixels
- Session Tokens
- Online Behavioral Profile for Advertising
This is certainly not the entire list, since each piece of data has to be considered within the context of its application. This should, however, give you a good idea of what could be considered Personal Data and Privacy Protection.
What rights does the GDPR Establish?
According to the GDPR, whenever a person's Personal Information is collected, that person needs to know, at the time the data is obtained. If a site visitor visits a website and any activity is tracked for a purpose that relies on consent, the Data Subject should be told up front exactly which data is being collected and for what purpose, and be given a separate, non-pre-checked checkbox for each type of data collection or tracking. Silence, inactivity, or a pre-ticked box does not count as consent.
In addition, a Data Subject should be able to request a copy of the data held about them, along with the purposes it is used for and who it has been shared with, and have it provided in electronic format. This is known as the Right of Access.
The Data Subject may also request that data collected about them be deleted; this is covered under the Right to Erasure, commonly called the Right to Be Forgotten. Data you are legally required to retain is exempt, but you still have to tell them so.
Under the Right to Data Portability, Data Subjects have the right to receive the data they provided to you in a structured, commonly used, machine-readable format (such as CSV or JSON) and transfer it to another controller.
What Companies Will Be Required to Conform?
At the time of writing the GDPR is aimed at protecting people in the EU, but it applies to companies anywhere in the world. If your website offers goods or services to people in the EU (for example, by taking payment in euros, shipping there, or offering the site in an EU language) then you are definitely responsible for implementing GDPR compliant measures. If your website monitors the behavior of EU visitors, which is what tracking pixels, retargeting, and behavioral advertising profiles do, then you are going to need to comply as well, even with no EU office or EU-targeted marketing.
What Are Some Steps You Can Take To Be GDPR Compliant?
You must disclose every piece of data that you gather, store, set and use. For any collection that rests on consent, you must obtain it BEFORE the data is collected: present the Data Subject with a list of what is collected, one unchecked box per purpose, and load the corresponding trackers only after the box is ticked, rather than firing them on the first page load and offering an opt-out afterwards.
You must let the Data Subject know how they are being tracked and the opportunity to opt out.
You must let the Data Subject know what third parties you will share their data with.
You must let the Data Subject know if you plan on sending them marketing materials or ads based on any of their data and allow them the opportunity to opt out.
You must provide Data Subjects with a method to view what data is collected, export that data for their own use, and provide them with a method to delete or request deletion of their data.
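The opt-in requirements above translate into one concrete rule on the web-client side: nothing non-essential loads until the visitor has ticked the box for its category. The following is an added example, not code from the original post: a small consent gate that stores per-category choices in a first-party cookie, treats every category as unchecked until an explicit opt-in is recorded, invalidates stale consent when the disclosure list changes, and lets only strictly necessary items (the member session cookie) through unconditionally. The cookie name, category names, and tracker URLs are made up for illustration.

```javascript
// Added example (not from the original post): gate tracking pixels and
// advertising tags behind per-category opt-in, unchecked by default, and
// persist the choice so it survives across page loads.
// The cookie name, categories and tracker URLs below are assumptions.

const CONSENT_COOKIE = "site_consent";           // assumed first-party cookie name
const CONSENT_VERSION = 1;                        // bump whenever the disclosure list changes
const CATEGORIES = ["analytics", "advertising"];  // non-essential categories shown to the visitor

// Constructed tracker inventory. "necessary" covers the session cookie that
// keeps a member logged in; it never waits for consent.
const TRACKERS = [
  { id: "session",   category: "necessary",   kind: "cookie" },
  { id: "analytics", category: "analytics",   kind: "script", src: "https://analytics.example/a.js" },
  { id: "retarget",  category: "advertising", kind: "pixel",  src: "https://ads.example/px.gif" },
];

// Every non-essential category starts at false: an unchecked box, no implied consent.
function defaultConsent() {
  const c = { v: CONSENT_VERSION };
  for (const cat of CATEGORIES) c[cat] = false;
  return c;
}

// Read the consent record out of a Cookie header string. Anything missing,
// malformed, or recorded under an older disclosure version counts as "not given".
function parseConsent(cookieHeader) {
  const fallback = defaultConsent();
  if (!cookieHeader) return fallback;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join("=")));
      if (stored.v !== CONSENT_VERSION) return fallback; // disclosure changed: ask again
      const out = defaultConsent();
      for (const cat of CATEGORIES) out[cat] = stored[cat] === true; // only an explicit true counts
      return out;
    } catch (e) {
      return fallback; // tampered or corrupt cookie: treat as no consent
    }
  }
  return fallback;
}

// Build the Set-Cookie value for the visitor's choices; SameSite=Lax and Secure
// keep the record first-party and off plain HTTP.
function consentCookieValue(consent) {
  const record = defaultConsent();
  for (const cat of CATEGORIES) record[cat] = consent[cat] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
         "; Path=/; Max-Age=15552000; SameSite=Lax; Secure";
}

// The decision point: which trackers may run for this visitor.
function allowedTrackers(consent, trackers = TRACKERS) {
  return trackers.filter((t) => t.category === "necessary" || consent[t.category] === true);
}

// Browser side: inject only the allowed tags. With no DOM (e.g. under test)
// it still reports what it would have loaded.
function loadAllowed(consent, doc = typeof document === "undefined" ? null : document) {
  const loaded = [];
  for (const t of allowedTrackers(consent)) {
    if (t.kind === "cookie") continue; // the session cookie is set server-side at login
    if (doc) {
      const el = doc.createElement(t.kind === "script" ? "script" : "img");
      el.src = t.src;
      if (t.kind === "script") el.async = true;
      doc.body.appendChild(el);
    }
    loaded.push(t.id);
  }
  return loaded;
}

// Contrast with the "before" pattern the post warns against: an unconditional
// <script src="https://analytics.example/a.js"> in the page head fires on the
// very first request, before the visitor has seen the disclosure, let alone
// ticked a box.
```

On each page load the server (or the page's first script) calls `parseConsent(document.cookie)` and then `loadAllowed(consent)`; the consent banner's submit handler calls `consentCookieValue(choices)` and reloads. Note the two defensive choices: a value that is anything other than the literal `true` is treated as declined, so a tampered or older cookie cannot widen consent, and a version bump forces the question to be asked again once the list of disclosed trackers changes.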
In addition to all of that, if you are a Technology Provider that collects, retains, or analyzes Personal Data on behalf of other companies (a "processor" in GDPR terms) then you will probably want to sit down with your favorite glass of wine and read through the details of the GDPR and ePrivacy obligations on Service Providers. The itgovernance.co.uk site has some great information regarding this.
The Rumored Gray Areas
There are many controversial topics surrounding the GDPR and it is likely that the GDPR will go through an iterative process before all of the wrinkles are ironed out.
Of all of the controversy, the one topic that seems to bubble to the top the most is the presentation of site materials even if a user has opted out of data collection. There has been mention that site visitors, when declining data collection, should be presented with the same content that consenting Data Subjects see. The worry is that if you have a website that relies on Membership-Only access, a user must allow some collection of data in order to gain access to the site: the site owner needs a session token to verify that the visitor has a valid access level, and the website itself needs to distinguish who is visiting to determine what type of content to display.
This is less sticky than it first appears. Consent is not the only lawful basis: processing that is necessary to deliver the service the member signed up for (the login itself) rests on the contract with that member, and the ePrivacy rules exempt strictly necessary cookies such as the session token from the consent requirement. What the member cannot be forced to accept as the price of logging in is the non-essential tracking, the analytics and retargeting pixels, and declining those must not lock them out. Hopefully further guidance will continue to clarify where that line sits for both website owners and site visitors.
Not following far behind the EU, the US is exploring new ways to borrow some of the GDPR for US Based companies. The highly publicized Mark Zuckerberg Congressional Hearings brought quite a bit of attention to the issues that people are starting to have with the lack of control over their Private Personal Information. It will be interesting, indeed, to see how long it takes the US to adopt its own data protection policies and what other regulations will be spun off as a result.
PLEASE NOTE: The information found in this article is provided for general informational purposes only. Privacy Requirements for websites are rapidly evolving and are different from country to country and we cannot guarantee that all of the information on our site is accurate or up-to-date. We are not attorneys nor are we affiliated with any law firms and we do not provide legal advice. Any information found on our site should not be considered as a substitute for the services of an attorney. You should not act on information in this post without seeking appropriate legal advice from a professional who is thoroughly familiar with the laws in your particular jurisdiction.