Disclaimer: This article does not constitute legal advice.

You’ve probably received countless emails with subject lines like this lately:

“We’ve updated our privacy policy.”

You’ve also probably noticed more websites making you opt into accepting cookies when you visit. Perhaps you’ve been getting numerous emails asking you to opt into newsletters again even though you’ve been subscribed for years. Maybe you’ve noticed you can’t even access certain websites all of a sudden.

There’s a (sort of) simple explanation for all of these recent changes: the GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR for short) is a new regulation from the European Union (EU). This regulation came into effect on May 25, 2018, which is why you’ve been seeing all of these changes suddenly.

Those changes were companies getting ready for that deadline, and you may continue to see more as companies that missed the deadline scramble to become compliant. In basic terms, the GDPR includes regulations designed to protect consumers’ privacy and give them more control over the data companies collect about them.

Read More: Full text of the General Data Protection Regulation (GDPR).

How are Consumers Protected by the GDPR?

Here are some of the specific things the GDPR does to protect consumers in the EU:

  • Consumers have the right to know how their personal data will be processed and used.
  • Consumers have the right to see what personal data companies have about them.
  • Consumers must actively provide consent for the collection of their personal data.
  • Consumers can revoke consent after giving it.
  • Consumers can request their personal data be deleted in certain circumstances.

Types of Data Collection Covered by the GDPR

With all the talk about “personal data” these regulations are designed to protect, what exactly does that include? Basically, it’s any data about an individual or that can identify an individual.

While this isn’t clear-cut, because the same kind of data can be personally identifying in some situations and not in others, here are some potential examples to be aware of:

  • names
  • addresses
  • phone numbers
  • email addresses
  • birth dates
  • other location data
  • information about someone’s physical appearance
  • ID numbers
  • IP addresses
  • tax information
  • religious or political affiliations
  • medical histories
  • genetic data

Is Your Business Compliant with the GDPR?

Not sure if your company is GDPR compliant? While meeting these conditions doesn’t guarantee full compliance, they’ll give you an introduction to what GDPR compliance requires. A GDPR compliant business will:

  • only possess individuals’ personal data if it has obtained consent or has a legitimate business interest (such as collecting a delivery address to deliver something a customer ordered);
  • notify individuals about how their data will be collected and used;
  • remove individuals’ personal data when it is no longer necessary for the reason the business collected it;
  • keep all personal data secure;
  • notify consumers if their personal information is exposed in a data breach;
  • have a thorough privacy policy that explains how personal data is collected and used, and how consumers can view and request the removal of their data when appropriate.

A Note on GDPR Consent

It’s important to understand that under the GDPR you need a consumer’s “active consent” before collecting, processing, and storing their personal data.

For example, if you use a form on your website to collect personal information like a consumer’s name, address and email address, you might have a checkbox that gives you their consent.

Active consent means that checkbox is blank (unchecked) when the consumer first sees it. They have to actively click to check that box and give you their consent. If your checkbox is pre-checked, that is not GDPR compliant.

Another example would be a banner telling visitors to your company’s website that you use cookies to track their behavior (such as for ad-serving) or to improve their experience on your site.

If your notice simply says “by using this website, you consent to us using cookies…” that would not be GDPR compliant. You would need a button or some other active behavior on the part of your visitors to give consent.
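The two cases above (an unchecked consent box on a signup form, and a cookie banner that sets non-essential cookies only after a click) translate directly into a few small checks on the server and in your templates. The following is an added example written for this article, not code from the article or from any particular framework; the field names, cookie categories and the policy version string are assumptions chosen for illustration.

```javascript
// Added example (not from the article): a small "active consent" gate modelled on
// the article's two cases, a signup-form checkbox and a cookie banner.
// Field names, cookie categories and the policy version are assumed for illustration.

const CURRENT_POLICY_VERSION = "2018-05-25"; // assumed version label of your privacy policy

// Only these count as an affirmative action by the visitor. "Continued browsing",
// a default state or a pre-ticked box are not on the list, so they are rejected.
const AFFIRMATIVE_METHODS = new Set(["checkbox_ticked", "button_clicked"]);

// Validate a consent record sent with a form submission. Returns every problem found
// rather than stopping at the first one, which is friendlier for audit logs.
function validateConsent(consent) {
  if (!consent || typeof consent !== "object") {
    return { ok: false, errors: ["consent record missing"] };
  }
  const errors = [];
  if (consent.granted !== true) errors.push("consent not granted");
  if (!AFFIRMATIVE_METHODS.has(consent.method)) {
    errors.push(`method "${consent.method}" is not an affirmative action`);
  }
  if (consent.policyVersion !== CURRENT_POLICY_VERSION) {
    errors.push("consent was given for a different policy version");
  }
  if (typeof consent.timestamp !== "string" || Number.isNaN(Date.parse(consent.timestamp))) {
    errors.push("missing or invalid consent timestamp");
  }
  return { ok: errors.length === 0, errors };
}

// Personal fields the form collects (assumed). They are stored only with valid consent,
// and a consent receipt is returned so the decision can later be shown or revoked.
const PERSONAL_FIELDS = ["name", "address", "email"];

function acceptSignup(submission) {
  const result = validateConsent(submission.consent);
  if (!result.ok) return { accepted: false, errors: result.errors, stored: null, receipt: null };
  const stored = {};
  for (const field of PERSONAL_FIELDS) {
    if (field in submission) stored[field] = submission[field];
  }
  const c = submission.consent;
  const receipt = {
    subject: submission.email,
    grantedAt: c.timestamp,
    policyVersion: c.policyVersion,
    method: c.method,
    purposes: Array.isArray(c.purposes) ? [...c.purposes] : [],
  };
  return { accepted: true, errors: [], stored, receipt };
}

// Template side: render the consent control without a `checked` attribute, and a
// lint that flags any checkbox markup that is pre-checked.
function renderConsentCheckbox(name = "consent") {
  return `<input type="checkbox" name="${name}" value="yes"> I agree to the privacy policy`;
}

function checkboxMarkupIsCompliant(html) {
  // A checkbox whose tag carries a bare `checked` attribute starts ticked.
  return !/<input\b[^>]*type=["']checkbox["'][^>]*\bchecked\b/i.test(html);
}

// Cookie banner: essential cookies are always allowed; every other category waits
// for an explicit click. "No decision yet" and "implied by use" both mean no consent.
const COOKIE_CATEGORIES = {
  session: "essential",
  csrf_token: "essential",
  _ga: "analytics",
  ad_id: "advertising",
};

function allowedCookies(decision) {
  const granted = new Set(["essential"]);
  if (decision && decision.method === "button_clicked" && Array.isArray(decision.accepted)) {
    for (const category of decision.accepted) granted.add(category);
  }
  return Object.entries(COOKIE_CATEGORIES)
    .filter(([, category]) => granted.has(category))
    .map(([name]) => name);
}

// Constructed sample submissions for demonstration.
const goodSubmission = {
  name: "Ana Example", address: "1 Example St", email: "ana@example.com",
  consent: { granted: true, method: "checkbox_ticked", policyVersion: CURRENT_POLICY_VERSION,
             timestamp: "2018-06-01T10:00:00Z", purposes: ["newsletter"] },
};
const impliedSubmission = {
  ...goodSubmission,
  consent: { ...goodSubmission.consent, method: "continued_browsing" },
};

console.log(acceptSignup(goodSubmission).accepted);      // true
console.log(acceptSignup(impliedSubmission).errors);     // method not affirmative
console.log(allowedCookies(null));                       // essential cookies only
```

The validator deliberately treats the absence of a consent record, a non-boolean `granted`, and any non-affirmative `method` as the same outcome: no personal data is stored. The receipt returned on success is what you would keep alongside the data so you can later show the consumer what they agreed to and honour a withdrawal.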

Does the GDPR Apply to U.S. Businesses?

If you run a U.S.-based business, you might be thinking “Why should I care about the GDPR when it doesn’t apply to me?”

It might.

The GDPR doesn’t only impact businesses based in the EU. It covers businesses collecting personal data about anyone in the EU.

That might be intentional, such as your business running a European portal designed to attract customers from the region. Or it might not be intentional on your part – like people in EU countries subscribing to your company’s email list.

Blocking EU Customers & Visitors

Some U.S. publishers weren’t ready for the GDPR changes when they went into effect, so they blocked all EU users.

In theory, this sounds like a good idea if you need to buy some time to become compliant. But it doesn’t necessarily mean you would be off the hook.

Because the regulations are so new, you’ll find a lot of conflicting information about what impact the GDPR may have on companies in the U.S. and elsewhere outside the EU. But here are some important points:

  • The GDPR applies to data collected from people while they are in the EU (not necessarily EU citizens interacting with your business from outside the EU).
  • Your U.S. business could be liable if you have any EU presence (such as running campaigns targeting people in the EU, having an EU office, or storing data in the EU).
  • While it’s unclear how penalties could be assessed on non-EU countries, those fines are hefty and worth keeping in mind: top-level fines can run to the greater of 4% of a company’s annual revenue or €20 million.

Despite EU companies having years to prepare for GDPR compliance, many companies outside the EU simply haven’t heard much about it. If you aren’t compliant yet and you think you might need to be, now is a good time to conduct a full privacy audit and improve your data protection practices.

To learn more about the GDPR and your company’s responsibilities, your best bet is to read the full text of the regulation linked in this article, and then consult with legal and IT experts about your questions and concerns.

While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal, medical, accounting, investment, or any other professional advice as individual situations will differ and should be discussed with an expert and/or lawyer.