Why you should care about complying with the GDPR even if you don’t have customers in the European Union
These updates are all in response to the European Parliament’s adoption of the General Data Protection Regulation (“GDPR”) that became enforceable on May 25, 2018. The companies that operate these websites scrambled to become compliant with the GDPR’s requirements and if you operate a website, you should pay attention to compliance as well, even if you don’t have many customers in, or visitors from, the European Union. In fact, according to a recent study, more than two-thirds of U.S. companies believe that the GDPR will impact them.
Who Does the GDPR Apply to?
The GDPR applies to the collecting and processing of personal data of individuals in the European Union (“EU”). This data includes a person’s name, address, identifying internet data such as IP address, location and typical browsing data and website preferences stored in cookies. The GDPR affects U.S. companies because any company that stores or processes such personal data about citizens or residents of the EU, regardless of where that company is located, must comply with the GDPR. Although cookies do not necessarily have personal data stored in them, the European Parliament believes that cookies can be used—with other data—to uniquely identify someone, and therefore are subject to the GDPR.
Key Requirements of the GDPR
The GDPR allows companies to store personal data subject to certain requirements, including:
- The data may only be stored for as long as it is necessary for the purposes that it was collected.
- The data must be able to be transferred from one company to another.
- Consent may be revoked by the person who gave it at any time, effectively requiring the company to keep track of all consents given. In other words, it is no longer sufficient to just have a click-through screen or notice on your website, but you must store and manage consents on your backend.
- The person has the “right to be forgotten”, meaning if the person revokes consent, the person can request that all data tracked and stored be deleted. However, this right would not supersede any existing legal requirements in the U.S. (or abroad) that requires a company to maintain certain data, such as HIPAA requirements for healthcare records.
What Changes Should I Make?
You should also consider how third parties handle the data you collect from your website users. For example, ensure that any vendors or other third parties with whom you may share this data also comply with the requirements of the GDPR, which may necessitate a review of your standard form contracts or one-off contracts with third parties.
Risks of Non-Compliance
Depending on your business, location of website visitors and risk assessment, there are a number of options available to you in order to comply with the GDPR. First, you can take the approach of a number of large U.S.-based businesses and simply block all visitors from the EU (approx. 500 million people), including any U.S. citizens that may be visiting the website from the EU or if their home internet connection is run through a proxy/VPN in an EU member nation. At the end of May 2018, The Los Angeles Times, The Chicago Tribune, The New York Daily News and A&E Television Networks are a few examples of companies that simply blocked connections from the EU until such companies could figure out how to become fully compliant with the GDPR. It is unlikely that this blocking will be permanent but it highlights the risk and cost analysis for businesses.
All of this may sound daunting, especially reviewing existing documentation for compliance. We’re here to help! Give us a call if you have any questions.
Disclaimer: This summary is provided for educational and information purposes only and is not legal advice. The websites and companies mentioned herein are for illustrative purposes only, and the author and Rich May, P.C. do not recommend any services or products that they may offer. Any specific questions about these topics should be directed to attorney Arvid von Taube.
© 2018 by Rich May, P.C. and Arvid von Taube, Esq. All rights reserved.