The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018.
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (including IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
While the United States may seem to have little to worry about regarding what is happening in Europe, we are certain that over the past several weeks you have all received a swarm of messages from various service providers asking you to read and confirm your acceptance of their revised Privacy Policies. You may also have noticed all the pop-ups asking you to accept website cookies. This is because, even though GDPR is a European regulation, it applies to any organization outside the EU that offers goods or services to customers or businesses in the EU. This means that you can still be liable if an EU citizen accesses your website and you collect their personal data. More importantly, as the internationalization of commercial activities continues to expand, it is inevitable that companies will gradually need to adopt new measures to protect personal data, keep users informed about what, when and how their personal data is being used, and allow them to withdraw their consent at any time.
One part of the GDPR addresses how natural persons may be associated with online identifiers, including but not limited to Internet protocol addresses and cookie identifiers. Essentially, when cookies can identify an individual through their device, they are considered personal data and are subject to the GDPR. What this means is that websites need to comply with the following regulations:
GDPR cookie regulations apply to all member states of the European Union and to websites outside the EU that target people within EU member states. Moreover, in accordance with Article 3 of the GDPR, if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. In other words, even if you do not directly target an EU citizen, collecting personally identifiable information of an EU citizen makes you liable under GDPR regulations. Therefore, the sensible approach for US companies that operate websites in the US and other countries outside the EU is to ensure that they have an appropriate cookie policy and a mechanism to enforce it.
In accordance with Chapter 5 of the GDPR, non-EU enforcement is supposed to be the result of steps taken by the European Commission and supervisory authorities to:
While there are ways to enforce EU judgments in the US, this depends on a number of factors, including the degree to which each member state enforces the GDPR provisions that may have been violated, whether a US entity has an EU presence, and whether reciprocity will allow US judges to enforce EU judgments. Since this is an area that has not yet been tested, the sensible approach for website operators in the US and other countries outside the EU that target EU customers is to take their own legal advice and to keep that advice under review as implementation of the regulation progresses.
A GDPR-compliant Website Privacy Policy is a document or a page on your website telling visitors what personal information you collect, what you do with that information, how long you retain it, whether you transfer or disclose it to third parties, how you protect it, and what rights visitors have over it. More importantly, the policies included in this Website Privacy Policy are in line with the GDPR regulations.
Since GDPR regulations apply not only to member states of the European Union but also to any organization outside the EU that targets people within EU member states, a GDPR-compliant Website Privacy Policy is very important to consider. Even if you are a small business that earns no income from your website and cannot see why you would need one, you might be surprised. This is because when someone visits your website from anywhere in the world, you might be collecting various forms of personal information from them, for example by tracking them with analytics or displaying ads. Even though the applicability and enforcement of the GDPR for US businesses has not yet been tested, one cannot ignore that data privacy is a fundamental human right for which legislation, especially in Europe, has become increasingly protective. Even if you are not sure whether you need a GDPR-compliant Website Privacy Policy, given that the GDPR is considered one of the toughest data privacy regulations in the world, you should consider adopting one simply because it is better to be safe than sorry.
In an effort to ensure that you are compliant with data privacy regulations in relation to the services that Global Reach provides to you, we have taken the following pro-active measures: