It’s one of the biggest data privacy laws in over 20 years. The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. These regulations will impact businesses that utilize personal data of EU citizens, even if the company does not have a physical presence in Europe. This means that the GDPR will be applicable for US websites as well.
If you are a US company with a website and you receive traffic from European Union visitors, regardless whether you market your products or services to European markets, listen up.
Here’s what every US business needs to know about the new data privacy rules, GDPR requirements and deadlines.
What is GDPR and Why Should I Care?
GDPR, which stands for General Data Protection Regulation, was passed back in May 2016. In an effort to establish “digital rights” for European Union citizens, the EU gave websites two years to comply with the new set of personal data protection and privacy rules.
GDPR Goes Into Effect May 25, 2018.
No matter where you are based, the GDPR will apply to any organization that collects and stores personal data* on European Union users on their website as of May 25, 2018.
What Does Personal Data Include Under GDPR?
According to the European Commission, personal data* includes, “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
- Identification information: name, telephone, physical and email address and government ID numbers
- Website data: location, IP address, cookie histories and RFID tags
- Health, mental and genetic data
- Biometric data
- Racial, cultural or ethnic data
- Political opinions
- Sexual orientation
- Tagged photos
How will GDPR Impact US Websites?
Considered data controllers, all US business websites that collect personal information will be held accountable for any data collected, processed or dispersed on an EU citizen.
If an infringement of a customers’ information occurs on a US website or a breach of security is not reported correctly, organizations could risk steep financial and legal penalties. If you don’t do anything to comply, you’re looking at potential fines of up to 4% of annual global revenue or 20 million euros ($23,714,240 U.S. dollars), whichever is greater.
Steps to Ensure GDPR Compliance for US Websites
As you can imagine, compliance will be difficult for small (even large) U.S. businesses who operate websites and may receive web visits from European residents.
GDPR requires companies that collect personal data on their websites to first ask for consent.
For example, let’s say you run an advertisement promoting a white paper. But in order for users to access your piece of content, you ask them to complete a form with their name and email address.
What can be done with this captured data?
In a business to business (B2B) scenario, you can use the email to send the white paper, however, you must give the recipients the option to opt-out of future emails, include a privacy notice on how their data will be processed and link to your GDPR compliant privacy policy as well.
You no longer have the right to keep their details on your US website since the “transaction” has been fulfilled by sending them the white paper. Unless you make some changes…
Thankfully we have some tips to help you get started with GDPR website compliance right away:
- Edit all forms by asking for their company name and adding a description of what the user is signing up for
- Ensure all forms and other data collection methods on websites are explicitly opt-in (note, a tick-box must not be pre-ticked)
- Make it easy for users to opt-out or unsubscribe
- Add a cookie alert banner
- Update privacy policy/ terms and conditions to reference GDPR terminology
If you already have a form that has a pre-ticked box, you’ll need to update that before May 25 to reflect the above.
Now, what about all that personal information that’s already stored within US. websites?
By law, organizations are not allowed to market to anyone on that list who did not explicitly agree to be marketed to. So, before May 25, send all of your contacts an email with a form asking them to re-consent to receiving your newsletter and product or service offerings.
As you can see, this transition is going to be tricky. If you need help making your US websites GDPR compliant, get in touch ASAP to see how CMDS can help.
The post GDPR for US Websites: Here’s What Businesses Need To Know About Site Compliance appeared first on CMDS.