The General Data Protection Regulation (GDPR) is set to go into effect on May 25th, 2018. As it looms, it’s essential for any company that is collecting personal data from EEA citizens to determine whether it should comply with the regulations. In this article we highlight what GDPR is, what it entails, and why it’s important.
What is GDPR?
GDPR creates consistent data protection rules across Europe. The EU states that it applies to all companies that process personal data about individuals in the European Economic Area (EEA), regardless of where the company is based (e.g., it can be based in the United States). Processing is defined broadly and refers to anything done with personal data, including how a company handles and manages it, such as collecting, storing, using and destroying data. For more information, you can visit the EU’s GDPR site, but the following is a good primer.
What Data Does GDPR Protect?
Some examples of personal data cited by the GDPR are a person’s name, location data, and online identifiers such as IP addresses, cookie identifiers and radio frequency identifiers. Any of these that can be used, directly or indirectly (or combined with other pieces of data), to identify a person are now considered personal data within the scope of the law.
Does GDPR Affect My Site?
The EU states that the GDPR applies to any website that an EEA citizen visits, regardless of that website’s location. According to the EU, the law “will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
How Does A Website Comply With GDPR?
To comply with GDPR, a website must:
- Obtain opt-in consent for the collection of any Personally Identifiable Information (PII)
Here is an excellent example of opt-in consent (note the three consent boxes before the “request proposal” button).
Do I Really Need to Do All Of This?
If your company operates in and/or markets to the EEA, then yes, you need to comply with GDPR. If your company doesn’t operate in and/or market to the EEA, then this is a question you need to ask yourself and your lawyers. Even if you don’t market to those countries, your site is most likely visited by EEA citizens, so in the EU’s view GDPR does apply to your site.
That said, is it likely that the EU will identify and go after a US-based site that happens to receive a few visits per year from EEA citizens? Probably not, but the jury is still out. Is it possible that the EU will identify and go after a site that sells tens of thousands of dollars’ worth of goods to EEA citizens per year? It’s possible, but it’s not clear how the EU would collect any fines (which can be up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher). So, it comes down to each business’s willingness to accept risk, weighed against the cost of complying with GDPR. It may also come down to how you want your brand to be perceived in its handling of customer data.
Should My Website Comply With GDPR?
Again, this a decision that you have to make for your business, but our team can give you examples of how other US-based websites are choosing to deal with GDPR compliance. Clearly, there are benefits and costs to compliance:
Aside from minimizing the possibility of receiving a fine from the EU, one significant benefit of updating your site to comply with GDPR is getting ahead of the curve in terms of data transparency. Although internet users in the US aren’t as vocal about their privacy concerns as EU citizens, stories about the use of personal data are becoming more and more common. It is not inconceivable that US consumers could suddenly change their opinion on the importance of data privacy and start rewarding sites that are transparent about their use of data.
There are two main costs to complying with GDPR: the cost of updating your site’s privacy notice and making coding changes to the site, and the likelihood of lower conversion rates due to the opt-in consent requirements for contact forms and ecommerce sales. These costs will vary from site to site. In addition, US-focused sites can reduce the potential for lower conversion rates by showing the consent boxes only to visitors from the EU.
If you are interested in learning more about GDPR, or are eager to make your site GDPR compliant, the Path team can help! Please contact a Path digital media strategist to set up time to chat.