Data protection in the US and beyond
Have you noticed notifications on your favorite websites directing you to new privacy policies?
The reason you are seeing so many of these notifications is likely due to the expanded scope of the European Union’s General Data Protection Regulation (GDPR) to United States businesses.
The GDPR, which went into effect May 25, gives European Union residents certain rights to safeguard their “personal data,” which is defined as “any information relating to an identified or identifiable natural person,” such as a name, identification number, location data, or other factors specific to the identity of that person.
Individuals who fall under the protection of these regulations have the right to know what personal information about them is being collected, and they will have certain rights to control the handling of that personal information.
The GDPR requires all persons controlling or processing personal data of EU residents to adhere to the GDPR’s principles relating to data processing and address a number of requirements consistent with those principles. Depending on the circumstances, these requirements include performance of an assessment of the person’s right to control and process EU residents’ personal data, acquisition of consent from affected individuals before collecting their personal data, implementation of data protection and retention measures, appointment of a data protection officer and adoption of a breach response plan.
Before the GDPR, a company with no physical presence in the European Union would more easily fall outside the reach of the European Union’s data protection directives. Now, organizations that do not have a physical presence in the European Union must comply with the requirements of GDPR if they monitor the behavior of EU residents, or if they offer goods or services to those residents.
A business does not automatically become subject to the GDPR by offering a website that is then accessed by EU residents. However, if a website is determined to offer services to EU residents, data collected or processed regarding EU residents through that website would be subject to GDPR.
For example, if a website specifically mentions availability to users in a specific EU member state, or if a website operator pays search engines to facilitate access in a member state, or if the website uses an EU top-level domain, or if the website provides EU contact information, a regulator might be more likely to find that the website is designed to offer services to EU residents and is thus subject to GDPR.
Similarly, using cookies on a site is not sufficient to trigger GDPR requirements, but tracking taken with the intent of influencing an EU resident (e.g., through targeted advertisements) may well render the website within the scope of GDPR. Given this broad scope, many U.S. businesses operating websites have updated their data collection practices to be compliant with the GDPR.
Businesses that violate GDPR are subject to heavy fines of up to €20 million, and can be liable for damages caused by noncompliant processing.
It is important to consult with a qualified attorney to determine which standards govern your business, and to implement or update your data protection program to comply with applicable law.