The passing of GDPR legislation in the European Union (EU) has changed the way businesses and websites need to do business in order to protect the personal information of consumers and site visitors. While US-based business owners may not think it applies to them, you need to think twice. Websites that attract a global audience may need to comply with certain GDPR regulations or risk being blocked so that citizens of the EU can no longer see your content.
What Exactly is GDPR?
GDPR stands for General Data Protection Regulation. All companies that do business within the 28 EU member states must comply with the new legal framework. The GDPR was adopted in 2016 to replace the Data Protection Directive, which had been implemented a little over 20 years earlier and was considered extremely outdated.
As a directive, the original Data Protection Directive allowed for member states to customize the rules and regulations to meet their own unique needs. The GDPR is a regulation that does not allow for any customization or leeway at all; all of the EU’s member states must fully comply.
The GDPR is rather lengthy, with a total of 99 articles that describe all of the regulations and how they obligate business owners and protect individual rights. Most notable is the fact that personal information or data of EU citizens that is imported from various locations and countries outside of the EU must also be protected.
Does the GDPR Apply to US-Based Businesses?
Absolutely. US-based businesses need to pay special attention to the GDPR. If your business or website touches the data of a EU citizen in any way, shape, or form, whether you are aware of it or not, your business must be GDPR compliant. US-based airlines, hotels, and businesses of all kinds must handle the information of EU citizens in a way that complies not only with their own local laws, but with the GDPR as well.
There are certain pieces of personal data that are very specifically outlined by the GDPR.
- Anything personally identifying (birthdates, SSNs, addresses, and names)
- Health information, including genetic testing and other forms of data
- Anything that is web-based, including IP addresses and cookies
- Information regarding sexual orientation and/or gender
- Ethnic and racial information
- Political information
There are certain criterion for identifying whether you must comply with GDPR. Be aware that you should use these as a guideline, but don’t assume you are safe just because none of these entries apply to you. You should always speak with a lawyer to be sure.
The criteria for businesses that must comply with GDPR include:
- Processing the personal information of EU residents, whether your business has a presence in the online space or not. E.g., processing catalogue orders or sending out products through the mail.
- Having a business with a presence in a member country (any country that falls under the European Union or EU). Find the full list of countries
- Having more than 250 employees and/or having less than 250 employees (if the information you regularly collect can impact a citizen’s rights).
How to Comply with GDPR Regulations
When GDPR first went into effect, you probably received a dozen or more emails from companies you do business with letting you know that their privacy policies had been updated.
Even Facebook prompted users to review their privacy settings, putting special emphasis on what information advertisers could see and how they could be targeted.
This made sense at the time because repercussions were VERY serious. Any US-based business with a web presence needs to be in compliance with GDPR regulations at all times; ignorance of the law or regulation will not protect you.
The first thing to remember is that if the EU citizen who is using your website is physically in the EU at the time, your website must comply. If the EU citizen is not physically within the EU at the time they are using your website – perhaps they are visiting the United States – GDPR regulations do not apply.
The second thing you need to know is that there does not need to be a financial exchange for a product or service for GDPR to apply. Marketing surveys, email newsletters, and any forms that collect data require you take action to protect the EU citizen’s personal and private data.
Where things become more confusing is that your website needs to specifically target EU members in order for GDPR to apply. For example, if you are a small B2B organization with an English website that is really geared towards US consumers but a person living in a EU country finds your website and wants to make a purchase, you do not need to be in compliance with GDPR.
If your website specifically targets, in any way, to EU countries, via language and other campaign goals, you must comply. Accepting another country’s currency, having an alternate domain with another country’s web suffix, or having content written in another country’s language makes you complicit as well.
Heavily Impacted Industries and Compliance
The most impacted US-based industries known for doing international operations are those that all into the hospitality industry and travel. Companies that deal in e-commerce, technology, and software should be especially conscious as well. Any website owner who could potentially market in the EU should review their website and organizational practices to be sure they are compliant.
The biggest issue with compliance is that consumers must be able to give consent. There are specific criteria for ensuring consumers are informed and the language must be unambiguous. In other words, clients get to opt-in; you do not get to force them to opt-out.
Even if a customer were to make a purchase from you, doing so does not give you permission to add them to a mailing list and continue to make contact via email promotions. A customer must have a box to check to give permission – no exceptions.
Not sure how to implement opt-ins? Call us at the Sachs Marketing Group office. Through our web design service, we can help you optimize and adjust to ensure opt-ins are present without distracting from conversions.
Complications and Consequences
The documentation and articles that make up GDPR is lengthy, complicated, and can be relatively confusing to the average business. If you have any doubts at all, contact a lawyer with experience in ecommerce and GDPR regulations.
Failure to secure consumer data or to respond appropriately to potential breaches (within 72 hours, usually) can result in hefty fines and penalties. There is no room for error when it comes to securing the personal data of consumers anywhere, but those protected by GDPR are watching carefully for any breach in protocol. Take the steps you need now to revamp your web practices, guidelines, and internal policies so that you don’t end up in news headlines later.