The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It was adopted on 14 April 2016, and after a two-year transition period, becomes enforceable on 25 May 2018.
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (including IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
While the United States may seemingly not have much to worry about what is happening in Europe, we are certain that over the past several weeks, you have all received a swarm of messages from various service providers asking from you to read and confirm your acceptance of their revised Privacy Policies. You may have also noticed all the pop-ups asking you to accept website cookies. This is because, even though GDPR is a European regulation, it applies to any organizations outside of the EU which offer goods or services to customers or businesses in the EU. This means that you can still be liable if an EU citizen accesses your website and you collect their personal data. More importantly, as the internationalization of commercial activities continues to expand, it is inevitable that companies will gradually need to adapt new measures to protect personal data, keep users informed what, when and how their personal data is being used, and allow them to withdraw their consent at any time.
One part of the GDPR references how natural persons may be associated with online identifiers including but not limited to Internet protocol addresses and cookie identifiers. Essentially, when cookies can actually identify an individual through their respective device, it will be considered personal data and subject to GDPR. What this means is that websites need to comply with the following regulations:
- Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
- ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:
- It must be as easy to withdraw consent as it is to give it. If organizations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
- Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
GDPR cookies regulations apply to all member states of the European Union and websites outside of the EU that target people within EU member states. However, in accordance with Article 3 of the GDPR, if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. In other words, even if you do not directly target an EU citizen, collecting personal identifiable information of an EU citizen makes you liable under GDPR regulations. Therefore, the sensible approach for US companies that operate websites in the US and other countries outside the EU is to ensure that they have an appropriate cookies policy and a mechanism to enforce it.
In accordance with Chapter 5 of the GDPR, non-EU enforcement is supposed to be the result of steps taken by the European Commission and supervisory authorities to:
- develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
- provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
- engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
- promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
While there are ways to enforce EU-judgements in the US, this depends on a number of factors, including the degree each member state enforces GDPR regulations that may have been violated, whether a US entity has EU presence or not, or whether reciprocity will allow US judges to enforce EU- judgments. Since this is an area that has not been tested yet, the sensible approach for website operators in the US and other countries outside the EU that target EU customers are to take their own legal advice and to keep that advice under review as the implementation of the directive progresses.
A GDPR compliant Website Privacy Policy is a document or a page on your website telling visitors to your site what personal information you collect, what you do with that information, how long you retain that information, whether you transfer or disclose that information to third parties, how you protect that information, how long you keep that information, their rights to that information etc. More importantly, the policies included in this Website Privacy Policy are in line with the GDPR regulations.
Since GDPR regulations apply not only to member states of the European Union but any organization outside of the EU that targets people within EU member states, then a GDPR compliant Website Privacy Policy is very important to consider. Even if you are a small business that earns no income from your website and isn’t sure why on earth in the first place you’d need one, you might be surprised. This is because when someone comes to your website from around the world, you might be collecting various forms of personal information from them, such as tracking them with analytics or displaying ads. Even though the applicability or enforcement of GDPR for US business has not been tested yet, one cannot ignore that data privacy is a fundamental human right for which legislation, especially in Europe, has become increasingly protective. Even if you are not sure or convinced whether you need a GDPR compliant Website Privacy Policy, given that GDPR is considered to be one of the toughest data privacy regulations in the world, you should consider adopting it simply because it’s better to be safe than sorry.
In an effort to ensure that you are compliant with data privacy regulations in relation to the services that Global Reach provides to you, we have taken the following pro-active measures:
- We have already updated our Website Privacy Policy and we welcome you to review it. We strongly recommend that you also update your Website Privacy Policy accordingly. If you need assistance you are welcome to reach out to your account manager. Our Website Privacy Policy applies to how we (Global Reach) handle our clients’ data. It may not be applicable to your business, however, you are welcome to use it as a starting point but please do consult with your legal department.
- We have also updated our cookies policy to be compliant with GDPR. When you visit our website you will be presented with a GDPR-compliant Cookies Notification that not only makes it easy for you to provide consent but also makes it easy to adjust your preferences and withdraw your consent at any time. We recommend this feature for your website as well.
