The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018.
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (including IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
While the United States may seemingly not have much to worry about regarding what is happening in Europe, we are certain that over the past several weeks you have all received a swarm of messages from various service providers asking you to read and confirm your acceptance of their revised Privacy Policies. You may have also noticed all the pop-ups asking you to accept website cookies. This is because, even though GDPR is a European regulation, it applies to any organization outside the EU that offers goods or services to customers or businesses in the EU. This means that you can still be liable if an EU citizen accesses your website and you collect their personal data. More importantly, as the internationalization of commercial activities continues to expand, it is inevitable that companies will gradually need to adopt new measures to protect personal data, keep users informed of what, when and how their personal data is being used, and allow them to withdraw their consent at any time.
One part of the GDPR references how natural persons may be associated with online identifiers, including but not limited to Internet protocol addresses and cookie identifiers. Essentially, when cookies can actually identify an individual through their respective device, they will be considered personal data and subject to GDPR. What this means is that websites need to comply with the following regulations:
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
- ‘By using this site, you accept cookies’ messages are also not sufficient, for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to either accept or reject cookies. This means:
  - It must be as easy to withdraw consent as it is to give it. Telling people to block cookies if they do not give their consent is not an acceptable alternative, because it would require them to accept cookies first.
  - Sites will need to provide an opt-out option. Even after obtaining valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
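As an added example (not Global Reach's code or a product feature), the following JavaScript models the consent behaviour the points above require: no non-essential cookie is set until an affirmative choice exists, reject is a single step like accept, and withdrawal resets the choice and purges cookies that are no longer permitted. The category names, the cookie-jar interface and the scenario are assumptions for illustration.

```javascript
// Consent categories (assumed names, not from the original article).
const ESSENTIAL = "essential";               // strictly necessary: no consent needed
const OPTIONAL = ["analytics", "marketing"]; // each needs an explicit opt-in
// A null record means "no choice made yet": merely visiting the site never counts as consent.
function createConsentStore() {
  let record = null;
  return {
    // Affirmative action: the visitor ticked boxes or clicked "accept all".
    give(choices) {
      const allowed = {};
      for (const c of OPTIONAL) allowed[c] = choices[c] === true; // unticked means rejected
      record = { allowed, at: new Date().toISOString() };         // keep when consent was given
      return record;
    },
    rejectAll() { return this.give({}); },   // one step, same effort as accepting
    withdraw() { record = null; },           // one step, same effort as giving consent
    hasChoice() { return record !== null; },
    isAllowed(cat) {
      return cat === ESSENTIAL || (record !== null && record.allowed[cat] === true);
    },
  };
}
// Cookie jar that refuses any cookie whose category lacks consent (constructed stand-in for document.cookie).
function createCookieJar(consent) {
  const jar = new Map();
  return {
    set(name, value, cat) {
      if (!consent.isAllowed(cat)) return false; // refused outright, not queued for later
      jar.set(name, { value, cat });
      return true;
    },
    // Called after withdraw(): drop every cookie that is no longer permitted, return what remains.
    purge() {
      for (const [name, c] of jar) if (!consent.isAllowed(c.cat)) jar.delete(name);
      return [...jar.keys()].sort();
    },
  };
}
// Walk one visitor through the lifecycle described above and return a trace of each decision.
function runScenario() {
  const consent = createConsentStore(), jar = createCookieJar(consent), trace = {};
  jar.set("session", "s1", ESSENTIAL);                                // allowed before any choice
  trace.beforeChoice = jar.set("analytics_id", "a1", "analytics");    // false: implied consent is not consent
  consent.give({ analytics: true });                                  // opted in to analytics only
  trace.analyticsAfterOptIn = jar.set("analytics_id", "a1", "analytics"); // true
  trace.marketingAfterOptIn = jar.set("ad_id", "m1", "marketing");    // false: never ticked
  consent.withdraw();                                                 // visitor changed their mind
  trace.afterWithdraw = jar.purge();                                  // ["session"]: only the essential cookie survives
  return trace;
}
```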
GDPR cookie regulations apply to all member states of the European Union and to websites outside the EU that target people within EU member states. Moreover, in accordance with Article 3 of the GDPR, if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. In other words, even if you do not directly target EU citizens, collecting personally identifiable information of an EU citizen makes you liable under GDPR regulations. Therefore, the sensible approach for US companies that operate websites in the US and other countries outside the EU is to ensure that they have an appropriate cookie policy and a mechanism to enforce it.
In accordance with Chapter 5 of the GDPR, non-EU enforcement is supposed to be the result of steps taken by the European Commission and supervisory authorities to:
- develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
- provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
- engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
- promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
While there are ways to enforce EU judgments in the US, this depends on a number of factors, including the degree to which each member state enforces the GDPR provisions that may have been violated, whether the US entity has an EU presence, and whether reciprocity will allow US judges to enforce EU judgments. Since this is an area that has not yet been tested, the sensible approach for website operators in the US and other countries outside the EU that target EU customers is to take their own legal advice and to keep that advice under review as implementation of the regulation progresses.
In an effort to ensure that you are compliant with data privacy regulations in relation to the services that Global Reach provides to you, we have taken the following proactive measures:
- We have also updated our cookies policy to be compliant with GDPR. When you visit our website you will be presented with a GDPR-compliant Cookies Notification that not only makes it easy for you to provide consent but also makes it easy to adjust your preferences and withdraw your consent at any time. We recommend this feature for your website as well.