Why Am I Receiving So Many Privacy Notices?
i. Our Company is a US Company - What Do We Care About GDPR?
The long-anticipated effective date of European Union Global Data Protection Regulation (“GDPR”) is upon us. On May 25, 2018, GDPR, a mandate for safeguarding the personal data of European citizens officially became effective. This article explores just what implications GDPR has on U.S. based companies.
For companies based in the United States of America whose business comes mostly from customers in the US, it may be easy to assume that this “European” mandate does not apply. After all, what jurisdiction does an EU regulation have over a US company? The answer is that GDPR requires all companies that collect, store, or process the personal data of EU citizens to comply, and that requirement is what gives the regulation jurisdiction over, and creates compliance issues for, US companies like these. The regulation defines “personal data” broadly: it includes direct contact information such as name, phone number, address, and e-mail address, as well as other information that could be used to identify an individual, such as a username or IP address. Any US company that has an office in any EU country is subject to GDPR. But there are many other, more subtle ways that US companies may be subject to the regulation. For example, the following companies would also have obligations to comply with GDPR: any US company whose website is accessible to EU citizens; any US company whose website is accessible via any EU country’s URL suffix; any US company whose website is provided in any of the official languages of the EU countries; and any US company whose website accepts payment in Euros.
ii. Why Should a US-Only Company Care?
US companies should care about compliance with GDPR for two reasons. First, there is a private right of action, such that private individuals who believe their private information has been compromised may sue for damages. Second, fines for non-compliance with GDPR are significant, where penalties may be as high as 4% of the company’s annual revenue or $20 million, whichever is greater. Thus, the importance of compliance could not be clearer.
iii. What Steps Should a US-Only Company Take?
US companies that find themselves subject to GDPR may feel trepidation about where to start in establishing compliance. While this is not an exhaustive list, companies should, first and foremost, have a clear and transparent privacy notice in place that addresses the following: what personal data the company collects, how it is stored and for how long, why it is collected, and with whom such data is shared. Companies should name all organizations that will have access to and/or process user personal data. The website should provide the user a means to consent to personal data collection and processing. Consent should be “opt-in” and not merely a pre-ticked “opt-out” box. Further, email marketing issues should be addressed. Pursuant to GDPR, companies should obtain new and affirmative consent from users who previously received email marketing messages in order to continue sending those emails.
Although GDPR is not explicit in terms of how these issues should be addressed, companies must accommodate these rights of EU citizens:
The right to be forgotten (have their data deleted);
The right to access and right of accountability (users should be able to view the data that companies have on them and correct any inaccuracies);
The right to breach notification (users are entitled to be notified within 72 hours if user data has been breached in a way that can cause “risk to the rights and freedoms” of EU based data subjects); and
The right to data portability: companies must supply users with the ability to virtually send the data that the company collects on them to a different business, trusted third party, or the user themselves when “technically feasible”.
Companies should also update internal policies and organizational measures by having protocols in place for data management and for responding to a potential security breach. Vendor contracts should be updated. For example, if a vendor handles email marketing for Company A, Company A is the “Controller” of the data and is responsible for ensuring that its vendor has sufficient compliance practices in place.
iv. Is It Too Late?
No. Originally passed in 2016, with a May 25, 2018 effective date, GDPR has been the impetus for many companies to drastically change their existing privacy practices. While many companies have been preparing for May 25, 2018 for months, or even years, it is not too late to begin taking measures to comply. Technically, GDPR has no “grace period” and fines can be instituted at any time. However, in practice, regulatory bodies will look to what efforts are being made to comply as a means of mitigating fines and penalties. Thus, efforts for compliance continue, even for companies that initially never dreamed that an EU regulation such as GDPR could affect them.
If you have questions on GDPR or would like to take steps to become compliant, please do not hesitate to contact us.
Natalie A. Remien, Partner and Chair of Privacy and Data Security, CIPP / US
180 N. LaSalle St., Suite 3200
Chicago, Illinois 60601