On May 25, 2018, the European Commission (the executive branch of the European Union) imposed new rules regulating the personal digital data of individuals located in the EU. This law, known as the General Data Protection Regulation, or GDPR, has far-reaching implications for all businesses in the United States with a digital footprint—even those not doing business in the EU. While it’s also generally a good idea to consult with legal counsel on this matter if you’re concerned about it (I’m no lawyer), we wanted to summarize the ins and outs of GDPR so that it’s easier to understand what all the fuss is about.
The GDPR is the most significant initiative on data protection in over 20 years. The purpose of the regulation is to protect “natural persons with regard to the processing of personal data and on the free movement of such data.” It changes the way personal data is regarded from an asset and commodity that companies can benefit or profit from to a fundamental right owned by the individual. What this means is that all individuals have the right to know what personal data is being collected, and must actively opt in to consent to the collection of data. Webmasters must also have a way to permanently delete users’ data.
The GDPR rules were implemented by the European Commission to protect the personal data of any “natural persons” physically located in the European Union. This includes, for example, any American citizens visiting or working in the EU, but does not cover any EU citizens located outside the European Union. As a reminder, the EU is a political union of 28 member states, including Germany, France, Italy, Spain, and (for now) the United Kingdom.
Overall, the GDPR has a broad definition of “personal data.” It includes identifying markers such as internet protocol (IP) addresses, cookies, and identifying user-IDs, but also extends to medical data, names, email addresses, and even as far as genetic data such as DNA and RNA.
The European Commission’s stance on personal data is that any marker or tag that identifies a single person cannot be collected without that individual’s consent. Without that consent, the personal data shall remain private and essentially is owned by that individual.
Chances are, unless you have a very static HTML website, your website does collect some personal data. The most common type of personal identifying marker is going to be the tracking information that you obtain using analytics software. This includes the data that Google Analytics compiles. Additionally, if you’re using cookies to track users for online advertising, such as the Google global site tag, Facebook, LinkedIn or Twitter pixels, etc., these are all considered identifying markers that are being collected from people.
Be aware of other personal information you collect too, even with the users’ consent. These may include things like comments on blog posts, email addresses that they are requesting to add to your newsletter, as well as contact information coming through ‘request a quote’ or contact forms. Even though users are willingly giving up these pieces of information, GDPR states that the users have a right to have their information deleted.
On April 27, 2016, the GDPR was passed by the European Parliament and went into full effect on May 25, 2018. That gave businesses and websites over two years to prepare for the regulations to take effect. The three main goals of GDPR were to:
If your business has any sort of online presence, it’s likely affected by GDPR. While website visitors from outside the EU aren’t covered under GDPR, the 21st century is a globalized one, where small actions in the Des Moines metro have repercussions around the globe. Therefore, it is imperative for your small, local business to think globally, because after all, your website is accessible to people in all countries, not just the US.
It is likely that with many of your marketing efforts, you’re targeting specific audiences either on Facebook, Instagram, or Google Ads (formerly Google AdWords) and trying to drive traffic to your website. These third-party platforms assign unique identifiers and cookies to each website visitor, which are also covered under the GDPR. Therefore, you may need to revisit the strategy behind some of these digital marketing efforts in order to plan for and protect visitors coming from the European Union.
According to the European Commission (EC), it will begin issuing fines in late 2018. The fines can range from €10 – €40 million, or 2%-4% of annual revenue. It is still unclear whether or not the EC will be able to enforce the regulation in the United States. The EC doesn’t have any direct jurisdiction in the US, but there’s nothing preventing it from at least issuing the fines and then disallowing you from doing business or even traveling to the EU without being prosecuted.
There are two main ways for your business to comply with GDPR:
While this may seem like the easiest and most convenient way for your website to comply with GDPR, it does come with several drawbacks. Because the internet is a world wide web of sorts, it’s likely not a good idea to block an entire half billion people with almost 30% of the world’s GDP. Additionally, many of the businesses in your supply chain likely have many of their employees, if not their entire management team, working in (or traveling to) the European Union.
There are also implications for backlinks and web crawlers. If your website has citations from international publications, journals or news outlets, all of those would get blocked if you restrict traffic from the European Union. Google and other sites have bots and web crawlers based out of the EU as well, and if you block them, you would likely become un-indexed in the European Union.
There have been reports of several major news outlets in the United States that decided to go the route of blocking traffic from the European Union as well. While many of them are still trying to find a strategy to implement compliance, the negative repercussions are likely major for these companies.
The European Commission gave guidelines on seven requirements to any website that is collecting personal information. These sites must:
To summarize these items, the most important things for the owners of a website to do are to show a cookie opt-in consent notice upon entry to the site, to have clearly defined terms & conditions and privacy policies explaining what data the site collects and what might be done with it, and to provide a way to either export, correct or delete the personal information upon request.
Near the end of May 2018, Google sent out emails to all of their Google Analytics customers outlining specific changes that would be taking place in preparation for GDPR. They introduced data controls to determine how long you want to retain unique visitor data for traffic to your website. The default time set by Google is 26 months, but users can change those settings to not automatically expire.
If you have Google Analytics installed on your website, you likely will need to be aware of these settings (and if you are unsure if you have Google Analytics installed, our digital marketing team would love to hear from you!)
Google also now requires account owners to accept a new EU user consent policy when signing up for a new analytics account. This agreement essentially shifts the responsibility to handle end-users’ data away from Google and onto you, so it is once again vital to ensure that your website is equipped to do so.
If you are using Google Analytics, or any other third-party marketing platform that uses unique identifiers to track users across the internet, you likely need to be aware of how the GDPR could affect you. Even if you’re not actively targeting users outside the United States, it’s still good to have a cookie and data retention policy in order to handle any questions you may receive.
At this time, many legal scholars are unsure whether the GDPR can be enforced from the European Union onto businesses in the US. The EU has no jurisdiction in American courts, and it’s very uncommon for an international court to press charges on small businesses. Nonetheless, it’s a risk that might not be worth it, and ultimately, you may also find that the easiest way to handle this is to add an opt-in consent form for cookies and tracking in addition to your privacy and data retention policies.
It’s hard to know; there has been increasing pressure on Congress to regulate big tech companies like Facebook and Google in how they use (and often sell) your personal data. The internet has evolved significantly since the founding of Google in 1998, so it would behoove you to always expect change right around the corner.
Already this year, eleven states, including California and Iowa, have passed some sort of digital privacy law. California’s law, which goes into effect January 1, 2020, has wide implications and is nearly as strict as GDPR. However, since it’s in the United States, the regulation can be enforced in American courts.
The act (the full text of which is available here) gives “consumers” (defined as natural persons who are California residents) four basic rights in relation to their personal information:
Iowa also passed a digital privacy law in 2018 that you should be aware of. The law, HF 2354, which was passed on July 1, 2018, imposes:
information security requirements for websites which are marketed to and used primarily for kindergarten through grade 12 school purposes. Under the law, Operators will be required to implement and maintain information security procedures and practices consistent with industry standards and applicable state and federal laws to prevent students’ personal information from unauthorized access, destruction, use, modification or disclosure. Operators also are prohibited from selling or renting students’ information. The law does not apply to ‘general audience’ websites, online services, online applications or mobile applications.
Essentially, in Iowa, websites can no longer track, target or sell school-aged children’s personal identifying markers.