I am an Attorney licensed to practice law in New York State. I have no international law experience as I work solely with business owners in the United States, specifically in New York State. This post includes information that is my legal interpretation of the GDPR. You should always seek legal advice from your own business attorney as necessary. This post is for informational purposes only.
I know you’ve seen it everywhere. In your emails, on blogs, and on other business websites. I also know, if you’re like most business owners here in the United States, you’ve been wondering what a law created in Europe has to do with your business here. I’ve seen conflicting information online, so I decided to do some research for myself and share what I discovered with you so that you too can understand the law, how it applies to online businesses here in the U.S., and everything you need to do in order to be in compliance (and why you need to be).
Let’s jump right in…
WHAT IS THE GDPR?
The General Data Protection Regulation went into effect in May of this year and was created to set up more efficient protections for consumer information collected within the European Union. It is an attempt to battle hackers and protect privacy. I am sure a question just popped in your head – I am not in the European Union so why should I care? Great question!
Under Article 3 of the GDPR, whenever a business collects information from a consumer who is in the EU AT THE TIME of the collection, the law applies. The consumer does not have to be a citizen of the EU. They only need to visit your website while in the EU. So let’s say, for example, I go to Paris (I’d love to go to Paris) and I decide to visit your website while I am relaxing in my hotel…I enter my email information to obtain an e-book you have. Even though I am a US citizen and your business is in the US, the GDPR now applies to you.
There is no need for a financial transaction to take place. I don’t have to buy anything from you. The only thing that is required is that you collect information from me. You may think this unlikely; however, it is very likely and highly probable that a visitor will visit your site from the EU and may even like the information you provide, free or otherwise. Since it is possible, it makes complete sense to ensure GDPR compliance.
WHAT IF I AM A SMALL BUSINESS? WILL THIS HURT ME?
Small businesses get a little break as far as the GDPR is concerned. While businesses with more than 250 employees are required to contract with a company or hire special personnel, smaller businesses do not have such a requirement. This means that if you decide not to hire out, you’ll be responsible for compliance all by yourself; therefore, you’ll need to know what information is covered under the GDPR, which includes:
- Pedigree information such as name, address and email information
- Racial or ethnic identity
- Political affiliation or opinions
- Any sort of personal information
- Computer and technical information collected automatically
The GDPR requires that you obtain SPECIFIC CONSENT from visitors to your website. But what does that mean? It means that you should update your website to be sure it obtains explicit consent from visitors before they input their personal information. This consent has to be given “freely, specifically, informed and it must be unambiguous.”
No longer will visitors be able to check a single box when visiting your site or purchasing a product. They will need to consent to each and every collection of data. If you’re collecting name and email, they must check a box consenting to that. If you will give their email address to a third-party affiliate or company (including email service companies) you must get consent for that. They MUST check a box for each and every piece of information you collect and consent to its gathering and to its use.
Also, be sure to confirm that any email service you use has an opt-in and opt-out ability that is easily accessible and that will completely delete information if such a desire is indicated.
WHAT ABOUT THE PEOPLE FOR WHOM YOU HAVE ALREADY COLLECTED INFORMATION?
You will need to bring your current list into compliance, and this is perhaps the most annoying part of the GDPR for US businesses. You can do this by sending them an email with a link to provide their explicit consent. If they do not respond, you will have to delete them from your list. Once again, if anyone explicitly asks that their information be deleted, you must do so immediately upon being made aware of the request.
While it is not altogether certain how the GDPR will be enforced, what is clear is that there are hefty penalties for non-compliance, and I do mean HEFTY!
This is why you need to be in compliance ASAP!
WHAT ELSE DOES YOUR WEBSITE NEED?
Good luck to you! Don’t forget…I am here to help make your needs CRYSTAL CLEAR! I’d love to hear what you think. Please leave your comments below and be sure to share this info with your followers. I appreciate you!