Ever wonder why your email inbox is overflowing with privacy policy updates from seemingly every company under the sun from Facebook to YouTube to Instagram and LinkedIn? The culprit is GDPR.
Let’s start from the beginning. What is this new regulation that has gotten the attention of virtually every website owner in the United States and has earned itself as unflattering a reputation as the “Mean One, Mr. Grinch”? The General Data Protection Regulation (GDPR) is an EU privacy law. For those who are unfamiliar with it, or who got so tired of hearing about it that they stuck their heads in the sand, the law went into effect back on May 25, 2018.
It applies to any individual or company that uses the Personal Data of EU citizens – regardless of where the company is based. By far, the single most asked question by U.S. entrepreneurs and business owners is, “Why should I care about an EU law when I operate a U.S. business?” The answer is very simple: the fines for noncompliance are staggering, and the law, for better or for worse, casts a wide enough net to ensnare even those who operate businesses outside of the European Union. Operating a website with EU users in Sri Lanka? You must comply. How about a website with EU users in Freeport, Kansas? You must comply.
Below are some tips to help you navigate the minefields of this confusing law.
- What Is “Personal Data”?
Personal Data is defined as any information relating to an identified or identifiable individual. This includes names, addresses, email addresses, IP addresses, and a lot more.
Anyone who collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens must comply with GDPR. A quick and dirty example: if you have an email list that includes EU citizens, you must comply with GDPR. There are no ifs, ands, or buts about it.
Under GDPR, in order to use Personal Data, you must have a legal basis to do so. You cannot do so arbitrarily. “Consent” is the most common legal basis. Consent must be both specific and verifiable.
Suppose someone sends you a crotchety email wanting to know how their email address wound up on your list. You must be able to show not only that they provided consent, but the means by which they provided consent and when they provided it. If no proof of the person’s consent exists, don’t throw caution to the wind. Remove them from your list immediately!
- Obtaining Consent
If you suspect that there are users on your list for whom you lack consent, then before adding a single new person, update your systems to ensure that no user is added without full and voluntary consent. If you are uncertain about the procedures for obtaining a user’s consent, there are specific rules that break it down into its core requirements:
- Consent to the use of Personal Data must be specific to distinct purposes.
- Silence, pre-ticked boxes or inactivity do not amount to consent; users must unequivocally opt in to the storage, use, and management of their Personal Data.
- Separate consent must be obtained for different processing activities. In other words, as the site owner, you must state in clear and unambiguous terms how the user’s Personal Data will be used before you obtain their consent.
Here are a few helpful tips for getting on track: (a) a positive opt-in is no longer an option – it’s required; (b) it must be separate from other terms and conditions; and (c) it must include a simple, straightforward way to refuse consent (recall the slogan from the infamous Geico commercial, “It’s so easy that even a caveman can do it.”). For example, once someone opts in, they should receive a confirmation email from your auto-responder with a menu of options that can be checked off in the event the user refuses to consent to particular uses of their Personal Data.
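One way to keep the proof of consent described above (who consented, by what means, and when, separately for each purpose) is a small ledger like the following. This is an added Python example, not code from the original post; the method names, the `evidence` field, and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Methods that count as an unambiguous opt-in; silence, pre-ticked boxes and
# inactivity are deliberately absent, so they can never be recorded as consent.
AFFIRMATIVE_METHODS = {"unticked_checkbox", "double_opt_in_email"}

@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str        # consent is per purpose, e.g. "newsletter"
    method: str         # the means by which consent was given
    given_at: datetime  # when it was given (stored in UTC)
    evidence: str       # hypothetical pointer to the proof (form or message id)

class ConsentLedger:
    """Keeps the who/how/when proof the post says you must be able to show."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        if rec.method not in AFFIRMATIVE_METHODS:  # refuse anything implicit
            raise ValueError(f"{rec.method!r} is not a positive opt-in")
        self._records.append(rec)

    def withdraw(self, email: str, purpose: str) -> None:
        """The refusal path: drop consent for one purpose, leaving the others."""
        self._records = [r for r in self._records
                         if not (r.email == email and r.purpose == purpose)]

    def proof(self, email: str, purpose: str) -> "ConsentRecord | None":
        """Return the record proving consent for this exact purpose, or None."""
        return next((r for r in self._records
                     if r.email == email and r.purpose == purpose), None)

    def prune(self, mailing_list: list[str], purpose: str) -> list[str]:
        """Keep only addresses whose consent for this purpose can be shown."""
        return [e for e in mailing_list if self.proof(e, purpose) is not None]

def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: Ann opted in to two purposes and withdrew one; Bob never consented."""
    when = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("ann@example.com", "newsletter",
                                "double_opt_in_email", when, "confirm-msg-0001"))
    ledger.record(ConsentRecord("ann@example.com", "partner_offers",
                                "unticked_checkbox", when, "signup-form-v3"))
    ledger.withdraw("ann@example.com", "partner_offers")
    return ledger
```

Running `prune` over an existing list with the purpose you intend to mail about drops every address you could not defend if asked, which is exactly the clean-up the section calls for.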
- Privacy Policies
If you collect any kind of data through your website, a privacy policy is essential. This policy must be continuously updated to stay current with GDPR.
- Penalties for Non-Compliance
The fines for failing to comply with GDPR could leave you with nothing but the shirt on your back. The maximum penalty could be as high as 20 million euros. But when it comes to companies, the maximum is the greater of: (a) 20 million euros or (b) up to 4% of the company’s total annual revenue from the previous fiscal year.
The reality of this petulant new law is that U.S. companies must be vigilant and hyper-sensitive when it comes to ensuring that any Personal Data – not least that of EU citizens – was obtained with proper consent.