You’ve probably heard the term “GDPR” thrown around a time or two in the online space. And if not, don’t worry – it will be ingrained in your memory after reading this blog post.
The General Data Protection Regulation (GDPR) went into effect in the European Union (EU) on May 25, 2018. At its core, the GDPR requires businesses to gather personal information legally and protect it from exploitation or face penalties.
I get asked frequently: “If I’m based in the U.S., why do I even care?”
FYI before you read any further, I will be chatting about the GDPR from the United States law perspective. I share legal education and information, not business, financial, or legal advice; and this information does not create an attorney-client relationship between us. You should chat with an attorney in your local area to make sure you’re taking the right steps for you and your business.
Ok, back to why you should be aware of the GDPR even if you’re a U.S.-based business.
The GDPR’s Purpose
The law is trying to play catch up to the burgeoning e-commerce and digital marketing era. This has meant a mishmash of legislation being enacted around the world. But it has also meant a slow convergence of data privacy laws globally.
There is no federal regulation in the U.S. . . . YET, although some states have started to individually regulate data privacy (case in point, the California Consumer Privacy Act (CCPA)).
The GDPR is another law in a long line of legislation aimed at giving control back to consumers by requiring businesses to be transparent in their data collection processes and policies.
Article 3 of the GDPR extends its requirements well beyond EU-based businesses. It applies to processing done in the context of an establishment in the EU, and it also applies to businesses outside the EU that offer goods or services to people who are in the EU (whether paid or free) or monitor their behaviour there. A U.S. business that does either is subject to the same requirements and penalties as an EU-based business. And the law protects anyone who is in the EU, not just EU citizens – that is what “EU resident” means throughout this post.
This means that a business that targets or tracks people in the EU must comply with the GDPR even if it processes the personal information of only one EU resident – and even if it is only offering something for free.
Think about the opt-in/freebie/discount code you use to grow your email list – did someone from the EU sign-up? In today’s global economy, you have no idea where your website users are located – California, Timbuktu, or the EU. So really, any business that has a website should comply!
And no, blocking EU users so you don’t have to comply is not the easy out it looks like. There are 2 reasons: (1) geoblocking relies on guessing someone’s location from their IP address, which is unreliable – VPNs, proxies, travellers and mobile carriers all put people who are in the EU behind non-EU addresses, so you will still end up processing their personal information; and (2) it won’t address any information you may have collected prior to when you started to block people. Not to mention the effect you’ll have on your customers if you turn them away based on where they’re located. Besides, rules around the way businesses receive and handle the personal information of their clients and customers are inevitable; I say it’s a smarter business decision to comply.
So, what is personal information?
“Personal Information” as Defined by the GDPR
The GDPR defines “personal data” (this post uses “personal information” interchangeably) as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”*
So, basically any information from which an identity can be derived, on its own or in combination with other data – date of birth, telephone number, driver’s license, license plate, email address, photo, handwriting, etc. And yes, even IP addresses and cookie identifiers (which we’ll talk more about in connection with cookie consent below).
Note that anonymous data or data about a deceased person is not covered by the GDPR.
Now that you know what personal information is, let’s chat about what it means to process it.
“Processing” Personal Information
“Processing” under the GDPR is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”*
This definition essentially encompasses anything and everything you’d be doing with personal information as a business. But the GDPR distinguishes between two types of people – the data controller and the data processor.
The data controller “determines the purposes and means of processing of personal data” whereas the data processor “processes personal data on behalf of the controller.” Let’s use the opt-in/freebie/discount code you use to grow your email list as an example again – you are the data controller (who decided to collect email addresses via your landing page) and your email service provider is the data processor (who is collecting and storing the email addresses on your behalf).
The GDPR places obligations directly on both the data controller and the data processor, and as the controller you remain responsible for the processors you hire or designate.
You may only use processors that provide “sufficient guarantees to implement appropriate technical and organisational measures,” and the relationship must be governed by a written contract (commonly called a data processing agreement, or DPA).**
So, when you’re looking to hire any third-party data processor (e.g., payment processor, email service provider, cloud provider, or any service provider who has access to personal information while acting on your behalf), ask for their data processing agreement and how they meet the GDPR. It’s also highly recommended that you review their vendor contract with the assistance of an attorney to ensure your rights and obligations are sufficiently covered.
Both data controllers and data processors must pay attention to the GDPR’s 7 key principles for processing personal information:
- Lawfulness, fairness, and transparency
The GDPR prohibits you from processing personal information unless at least 1 of 6 lawful bases for processing applies:
i. Consent – The EU resident has given consent to the processing of their personal information for one or more specific purposes, and you must be able to demonstrate that the consent was freely given (and has not been withdrawn)
ii. Contract – You are processing data to carry out a contract with the EU resident, or a pre-contractual request they made, that you otherwise couldn’t carry out without processing the personal information
iii. Legal Obligation – Your processing is necessary for compliance with a legal obligation that you are subject to (the obligation must be laid down by EU or EU member state law, so a U.S.-law obligation does not fit this basis)
iv. Vital Interests – Your processing is necessary to protect someone’s life (the EU resident’s or another person’s)
v. Public Task – Your processing is necessary for a task carried out in the public interest or in the exercise of official authority (rarely relevant to a private U.S. business)
vi. Legitimate Interests (of you or third parties) – This is the most flexible lawful basis but you must: (a) identify a legitimate interest; (b) show that the processing is necessary to achieve it; and (c) balance it against the EU resident’s interests, rights and freedoms.
Unsure of your basis? The UK’s Information Commissioner’s Office (the ICO, the UK supervisory authority that enforces the GDPR there) publishes an interactive lawful basis tool that walks you through determining under what bases (if any) you process personal information.
- Purpose Limitation
Personal information must be collected for a “specified, explicit and legitimate purpose” and not processed in a manner that is inconsistent with that purpose.
- Data Minimization
You must only collect and process personal information that is adequate, relevant and limited to the purpose for which it is collected.
- Accuracy
You must take reasonable steps to keep personal information accurate and up to date, and to erase or rectify inaccurate personal information without delay.
- Storage Limitation
You must only keep personal information for so long as is necessary to carry out the purpose for which it was collected.
- Integrity and Confidentiality (Security)
You must process personal information in a manner that protects it against unauthorised or unlawful processing and against accidental loss, destruction or damage – in practice, the security controls that prevent a data breach.
- Accountability
You must be able to demonstrate compliance with the other 6 principles (documented procedures, consent records, processor contracts, and so on).
When Processing is Based on Consent and Email Marketing Considerations
Since EU residents have the right to withdraw their consent at any time, consent can be the ficklest reason to process personal information. And note that where you offer online services directly to children and rely on consent, the GDPR sets the age at which a child can consent for themselves at 16 (individual EU countries may lower it to as low as 13); below that age, parental consent is required.
Consent must be “freely given, specific, informed and unambiguous.” And it must be indicated “by a statement or by a clear affirmative action.”*
In plain English?
EU residents must be given the choice to opt-in for each purpose that you’re processing their personal information. For example, you can’t just start marketing to an email subscriber if they only opted in to receive your free guide and didn’t consent to your marketing campaigns. Which means you need to be very clear in terms of what you intend to do with their personal information from the outset.
And an EU resident must take some action that reflects they have said: “Yes, you can process my personal information.” In the online space the most common example is a click-wrap agreement which requires the person to check a box or click a button to say: “Yes, I agree.”
Don’t use pre-checked boxes and then give people the chance to later unsubscribe. That is not affirmative consent! This means you need to make sure that you’re offering consistent value to your audience so that they choose to subscribe. While it may sound like more work than it used to pre-GDPR, the result is actually a more engaged community because it consists of people who truly want to be in your world.
Since you are required to keep records of consent, you should consider using a double opt-in in your email marketing. A double opt-in occurs when an email subscriber signs up and the first email they receive includes a link to confirm their email address and subscription – if they don’t confirm, they’re not added to your list. Your email service provider keeps records of those who confirm. To read more about why using a double opt-in is a gold star business practice (and how to keep your email marketing legit), snag my legal email guide here.
And note that unsubscribing (or withdrawing consent) should be as easy as subscribing (and giving consent)!
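As an added example (not from the original post and not any email service provider’s code), here is a small Python sketch of the double opt-in flow described above. It shows the three things worth checking in whatever tool you use: the confirmation link is unguessable and bound to one address and one purpose, consent is recorded per purpose with timestamps (so a free-guide sign-up never silently becomes marketing consent), and withdrawal is a single step. The names, the in-memory ledger and the key handling are assumptions made for illustration.

```python
"""Double opt-in with per-purpose consent records.

Added example (not from the original post). The confirmation link carries an
HMAC over email|purpose|expiry, so it cannot be guessed, reused for another
address or purpose, or used after it expires. Nothing is added to the list
until the link is clicked, and every state change is timestamped so that
consent, and its withdrawal, can be demonstrated later.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: in production this key comes from a secrets manager, not the source.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of the confirmation link


@dataclass
class ConsentRecord:
    email: str
    purpose: str                        # e.g. "free_guide" or "marketing"
    status: str                         # "pending", "confirmed" or "withdrawn"
    requested_at: float
    source: str                         # which form the request came from
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def _sign(email: str, purpose: str, expires: int) -> str:
    msg = f"{email.lower()}|{purpose}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, purpose: str, now: Optional[float] = None) -> str:
    """Token for the link in the first email: <expiry>.<hmac>."""
    expires = int(_now(now)) + TOKEN_TTL_SECONDS
    return f"{expires}.{_sign(email, purpose, expires)}"


def verify_confirmation_token(email: str, purpose: str, token: str,
                              now: Optional[float] = None) -> bool:
    """Reject malformed, expired, or mismatched (other address/purpose) tokens."""
    try:
        exp_str, sig = token.split(".", 1)
        expires = int(exp_str)
    except ValueError:
        return False
    if _now(now) > expires:
        return False
    # constant-time comparison so the signature cannot be guessed byte by byte
    return hmac.compare_digest(sig, _sign(email, purpose, expires))


class ConsentLedger:
    """Consent is tracked per (email, purpose); the ledger is the consent record."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str], ConsentRecord] = {}

    def request(self, email: str, purpose: str, source: str,
                now: Optional[float] = None) -> str:
        """Step 1: the form is submitted. Record a pending entry; return the token to email out."""
        t = _now(now)
        key = (email.lower(), purpose)
        self.records[key] = ConsentRecord(key[0], purpose, "pending", t, source)
        return make_confirmation_token(email, purpose, t)

    def confirm(self, email: str, purpose: str, token: str,
                now: Optional[float] = None) -> bool:
        """Step 2: the link is clicked. Only a pending record with a valid token becomes consent."""
        rec = self.records.get((email.lower(), purpose))
        if rec is None or rec.status != "pending":
            return False  # unknown address, already confirmed (no replay), or withdrawn
        if not verify_confirmation_token(email, purpose, token, now):
            return False
        rec.status = "confirmed"
        rec.confirmed_at = _now(now)
        return True

    def withdraw(self, email: str, purpose: str, now: Optional[float] = None) -> bool:
        """Unsubscribe: one step and no confirmation round-trip, as easy as signing up."""
        rec = self.records.get((email.lower(), purpose))
        if rec is None or rec.status == "withdrawn":
            return False
        rec.status = "withdrawn"
        rec.withdrawn_at = _now(now)
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        """The check to run before every send: consent exists for THIS purpose and is current."""
        rec = self.records.get((email.lower(), purpose))
        return rec is not None and rec.status == "confirmed"
```

Two design points: the token is bound to the purpose as well as the address, so a confirmation link from the free-guide email cannot be replayed to confirm marketing consent, and `may_process` is a per-purpose check rather than a per-subscriber flag, which is what keeps a single opt-in from turning into consent for everything.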
Cookie Consent is also Required!
“Cookies” are small text files that are placed on a computer or other device and used to identify the user or device and collect information when you visit a website. Most websites set at least one cookie that is necessary for the website to function (a session cookie, for example). But the use of third-party cookies for analytics and online behavioral advertising (e.g., Google Analytics or Facebook ads) is also common in today’s ecommerce and digital marketing landscape.
When cookies can be used to identify or single out an EU resident (a cookie identifier, together with the IP address it travels with, is enough), they’re considered to be gathering personal information under the GDPR. Strictly speaking, the requirement to ask before setting non-essential cookies comes from the EU’s ePrivacy rules (the “cookie law”), which borrow the GDPR’s definition of consent; the practical upshot is the same. Affirmative consent must be given before anything other than strictly necessary cookies may be set by your website.
Enter the cookies pop-up you’ve probably encountered on most websites you visit.
I highly recommend using CookieBot, a SaaS (with a free tier for small sites) that scans your website to determine what cookies are being used, catalogues them based on their function, gathers consent from your website users, and controls the cookies based on each user’s consent. Whatever tool you use, check that it actually holds back the tags until consent is given rather than only displaying a banner: open your site in a fresh private browsing window, don’t click the banner, and look at the cookies and network requests in your browser’s developer tools. Nothing from Google, Facebook or other third parties should appear until you’ve consented.
Rights Under the GDPR
EU residents are provided with the following rights by Articles 12 through 23 and 77 of the GDPR:
The right of access so that an EU resident can find out whether you are processing their personal information and get a copy of it, along with the purposes, recipients and retention period.
The right to rectification so that any inaccurate or incomplete personal information may be corrected or completed.
The right to erasure so that personal information may be deleted and forgotten. This right is not absolute and applies in certain circumstances such as when:
i. The personal information is no longer needed for the purpose it was collected;
ii. An individual withdraws consent and there is no overriding legitimate interest in retaining the personal information;
iii. The personal information was collected in violation of the GDPR; or
iv. The personal information needs to be deleted to comply with a legal obligation.
Any rectification, erasure or restriction of personal information must be communicated to each recipient you, as the data controller, have disclosed the information to (unless that proves impossible or involves disproportionate effort) – which is one more reason to keep a list of your processors.
The right to restriction of processing if:
i. The accuracy of the personal information needs to be investigated;
ii. The processing is unlawful but the EU resident opts for restriction versus erasure;
iii. The personal information is no longer needed for processing but it is still needed for some form of legal claim or defense; or
iv. Pending a decision as to whether the reason for processing overrides the EU resident’s interests.
The right to portability of personal information from one data controller to another. This right applies when the personal information was directly provided to a data controller, the processing is based on consent or a contract, and the processing is carried out by automated means. A portability request should be honored without undue delay and at the latest within 1 month of receipt (extendable by 2 further months for complex or numerous requests, provided you tell the EU resident within the first month), and the information should be provided in a structured, commonly used, machine-readable format.
The right to object to the processing of their personal information unless you as the data controller can show “compelling legitimate grounds.” If the objection is made because the EU resident doesn’t want his or her personal information used for direct marketing purposes, the personal information may not be used for those purposes any longer.
The right to lodge a complaint with a supervisory authority if the EU resident believes the processing of his or her personal information is contrary to the GDPR.
Data Protection Officer (DPO)
If your business’ core activities consist of large-scale, regular and systematic monitoring of individuals (extensive behavioral tracking, for example) OR of large-scale processing of special categories of information (i.e., relating to genetics, health, racial or ethnic origin, religious beliefs, and the like), you must appoint a DPO. Most small businesses don’t meet either threshold, but you should document that you considered it.
Your DPO could either be an employee or a third-party vendor. Either way, you should vet the DPO to ensure that they have an in-depth understanding of the GDPR and data protection practices.
Privacy Notice
Your privacy notice (privacy policy) must tell EU residents, at the time you collect their personal information, at least the following:
i. The identity and contact details of you (the data controller) and your DPO (if you have one);
ii. The purpose and lawful basis for processing the personal information collected;
iii. The categories and sources of personal information collected;
iv. The recipients of the personal information;
v. How long the personal information will be retained;
vi. Any cross-border transfer details and safeguards;
vii. The existence of EU resident rights as discussed above;
viii. The right to withdraw consent at any time;
ix. The right to lodge a complaint with a Supervisory Authority;
x. The existence of any automated decision-making (including profiling) and the significance and consequences.****
This information must be written in plain and clear language and provided free of charge. And it must be linked at the point of collection of the personal information.
What if my Business has a Data Breach?
If you have a data breach, the GDPR requires that it be reported to a Supervisory Authority without undue delay and no later than 72 hours after you became aware of the breach, unless the breach is unlikely to result in a risk to the affected people’s rights and freedoms. If you can’t get everything together in 72 hours, report what you know and follow up. Either way, document every breach internally (what happened, its effects, and what you did about it) even when you decide it doesn’t need to be reported – the Supervisory Authority can ask to see that record.
You must also notify any affected EU residents “without undue delay” when the breach is likely to result in a high risk to them (exposed passwords, payment details or sensitive information, for example). ASAP. Pronto. Don’t try to hide it!
Your breach notification should include the categories of information and number of individuals compromised as well as any potential consequences of the breach (i.e., identity theft), measures being taken, and contact information for your DPO.*****
Fines under the GDPR
Complying with the GDPR is not optional. Ignorance is not bliss.
Fines under the GDPR are dependent on the nature and severity of the violation. They range from €10 million or 2% of the business’ worldwide annual turnover for the preceding financial year – whichever is greater – for failing to meet controller and processor obligations (for example, failing to report a breach) to €20 million or 4% of worldwide annual turnover – whichever is greater – for infringing the core principles or the rights of EU residents.******
As of this writing, the largest fine issued since the GDPR was enacted was the €50 million fine imposed on Google by CNIL, the French supervisory authority, in January 2019.
But the GDPR also provides EU residents with a private cause of action – an individual can bring suit if he or she believes that his or her rights have been infringed with respect to the processing of his or her personal information in violation of the GDPR.******* Many legal experts believe that there will be a huge increase in lawsuits being brought as a result of data breaches in the coming years. Especially since many countries around the world are following suit in issuing data privacy legislation.
Your Compliance Obligations
The GDPR is complex legislation with a lot of moving parts. If your business processes the personal information of EU residents, you should speak with an attorney about your compliance obligations under existing data privacy legislation.
At a minimum, you should do an annual “check in” to:
- Update your standard operating procedures with respect to how your business processes personal information;
- Check in with any third-party vendors with respect to their handling of personal information; and
- Evaluate your insurance needs in case of fines or a lawsuit.
****Articles 12 – 15