The European Union (EU) has enacted a new law you have probably heard about: the General Data Protection Regulation (GDPR).
Am I affected?
The GDPR applies to U.S. companies if they offer goods or services to EU citizens, monitor EU citizens’ behavior, or process and hold the personal data of EU subjects. Basically, if people in Europe can access your website, then the law affects your business.
What if I don’t comply?
The GDPR imposes astronomical fines for noncompliance—up to 20 million Euros or 4% of the prior year’s total global revenue, whichever is higher. The GDPR is vague about how these fines will be calculated, how they’ll be enforced outside the EU, or how they’ll be collected.
While we cannot say with any certainty that smaller U.S. companies are safe from the GDPR and its penalties, we think that the Act is targeting larger companies with a significant presence in Europe (Facebook, Google, Apple, etc.). The day the law became effective, Google and Facebook were fined a combined $8.8 billion for non-compliance.
The best way U.S. companies can protect themselves from GDPR fines or complaints is by following the law. Here’s what it says:
You need a privacy policy on your website
- You must have a privacy policy and you must communicate it in layman’s terms on your website.
You must track your data and report data breaches
- If you fail to report a breach, even a breach you were unaware of, you could face significant fines (2% of global revenue or 10 million Euros, whichever is greater). This fine is in addition to the fine for the breach itself.
You have to turn over data to users who request it
- If a user requests their data, you’ll have to provide the data in a common format and free of charge within 30 days. If the request is excessive or unreasonably burdensome then you may refuse it (but you must inform the individual why you refused). If someone requests a copy of their data, you may not charge them for the request.
You may have to appoint a Data Protection Officer (DPO)
- Some companies must appoint a DPO. Companies that are affected by this include: ones where “the core activities” require “regular and systematic monitoring of data subjects on a large scale” (e.g. Facebook, Google, or any company tracking customers’ online behavior for marketing purposes) or companies that collect personal information relating to sex, age, ethnicity, race, or another special category.
Consent has changed
- Before this law, you might have had a pre-ticked box on your website that said something like, “By using this website I consent to all the terms and conditions” and the conditions probably scrolled on in 5-point font for pages. You’re not allowed to do that anymore. Now consent has to be clear, “an affirmative action,” and “freely given” after the user is provided with “sufficient information.” Basically it’s a high burden.
Those are the critical points; there is much more to it than that. Please contact Kathryn Unbehaun at kathryn@sampath-law.com if you have any questions or want help updating your privacy policy.