Does GDPR apply to you?
We want you to feel on top of these changes.
First thing to know: GDPR does not turn on where your company is incorporated. A purely domestic American business with no customers, users or tracking in the EU is outside its scope, and nothing changes. If you sell to, serve or monitor people in the EU, or you are a global company, it applies to you no matter where you are based.
What is GDPR?
The General Data Protection Regulation is a comprehensive and stringent data protection law that applies directly across the European Union. It went into effect May 25, 2018.
GDPR gives people in the EU more control over their personal data and how companies use it. Companies are penalized for being vague or dishonest about what data they collect, why they collect it, and which third parties see it. In essence, it broadens what “personal data” means, requires a lawful basis (most often the person’s consent) for each use of that data, and requires that companies tell people plainly what they are doing with it.
GDPR applies to all companies established in the European Union, and to companies anywhere else that offer goods or services to people in the EU (paid or free) or monitor their behavior, for example through analytics or ad tracking on a website. This includes large American companies like Google or Facebook. Having a website that Europeans can reach is not by itself enough to bring you into scope; targeting them, shipping to them, pricing in euros or profiling their visits is.
So if your company processes or holds personal data about people in the EU in the course of doing business with them, including something as basic as contact information in a mailing list, then you must comply with GDPR. If not, then business as usual.
So if you received an email this month from a company updating its privacy policy, that company has concluded it falls within GDPR’s scope (e.g. Spotify, eBay, Facebook).
If companies do not comply with GDPR, the EU can fine them up to 4% of their annual global turnover or 20 million euro (roughly 23 million USD), whichever is higher. A lower tier of up to 2% or 10 million euro applies to less serious violations.
“Non-compliance” can mean not having valid consent from customers to use their personal data. Your website should be very clear about what personal data you collect, why you collect it, and what you will do with it. The language should be straightforward, and there should be clear ways for customers to agree or decline; pre-ticked boxes and silence do not count as consent, and withdrawing consent must be as easy as giving it. GDPR’s transparency rules (Article 12) require “clear and plain language”, so “legalese” is out: customers shouldn’t need a law degree just to understand the “terms and conditions” page.
If the language is murky, if there is no clear way to decline or withdraw consent, or if the company uses the personal data for something other than the purpose it stated when collecting it, the company can be fined.
What counts as “personal data”?
Generally speaking, personal data is any information relating to an identified or identifiable person, whether they can be identified directly or indirectly. Some examples are obvious, like contact information or date of birth. GDPR makes clear that personal data also includes social media profiles and posts, your GPS location, your IP address and other online identifiers such as cookie IDs, photos that can identify you, and your electronic medical records. Companies within GDPR’s scope (EU companies, and American companies that serve or track people in the EU) need a lawful basis, such as the person’s clear consent, before they gather this information, and stricter rules apply to sensitive categories like health and biometric data.
This has already led to some tricky questions: what if a tourist takes a picture of a famous monument, but there are identifiable people from the EU in the background? Can they post that picture online, or do they need the consent of the people in it? If the photograph will be used for marketing or other business purposes, then yes, a lawful basis is needed, and in practice that means consent. A private individual’s holiday snapshot is different: GDPR does not apply to processing done in the course of a purely personal or household activity, so an EU resident does not have to “opt in” to your tourist photo. Note that GDPR consent must be “unambiguous”, meaning a clear affirmative act; simply standing near a tourist attraction is not consent to anything. And if someone asks you to stop taking their picture, comply; once a business is using the image, the person’s rights to object and to erasure apply.
Difference between U.S. and EU Privacy
While all companies within GDPR’s scope were required to update their privacy policies, what’s permissible in the U.S. and the EU is different. Basically, the protections are more stringent in Europe. Companies must have a lawful basis for every use of personal data, and for most marketing, profiling and tracking that basis is opt-in consent.
For instance: ever wonder how Facebook suggests tags for people in photos before you do? It uses facial recognition software. In the U.S., you have to click through a few screens to opt out of that; otherwise, facial recognition is the default. In the EU, after GDPR, Facebook has to get explicit opt-in consent from users before running it, because biometric data is one of the sensitive categories.
Right now, the United States has data protection laws for specific sectors: financial records (e.g. GLBA), medical records (e.g. HIPAA), and children’s personal data (COPPA). However, there is no single federal law that comprehensively protects personal data. The FTC Act prohibits deceptive or unfair practices (e.g. companies can’t lie about what they do with the data), but otherwise there is little to protect what happens with the photos you post on social media. This lets companies bury their data practices in complicated jargon, something GDPR’s plain-language requirement now explicitly forbids.
Instead, data protection and management laws in the U.S. vary from state to state. California, New York, and Massachusetts are generally regarded as having the strictest data management laws in the union.
After GDPR, if you’re an American company that serves or tracks people in the EU, you must comply with these more stringent rules. But if you’re an American company with no EU presence, customers or users, then you must only comply with your state regulations and the federal laws that govern specific sectors (i.e. financial, medical and children’s data).