Effects Of GDPR Extend Beyond EU to NC Companies

By Anderson Ellis

Have you ever used a search engine to look for something, only to find that every subsequent website is advertising that item on sale? Have you ever mentioned some far-flung vacation locale to a friend, only to receive an unsolicited advertisement on your smartphone about cheap flights to that place? These targeted ads are the result of data-mining – the process by which websites you visit collect, store, and use your personal data to customize advertising in the hopes that you will click and buy. Most online users have become so accustomed to this practice that they barely bat an eye. But the value of personal data, and the scale at which it is being collected and stored, caused the European Union to recently enact strict privacy regulations (the General Data Protection Regulation, or “GDPR”), which are causing ripples for North Carolina companies far from European shores.

History

After years of negotiating, the EU passed the GDPR on April 14, 2016, with an effective date of May 25, 2018. This two-plus year compliance runway proved difficult for many companies, as the requirements were, at times, unclear and burdensome, especially upon the largest companies. By the time the deadline rolled around, many large and small companies found themselves scrambling to ensure they were compliant. Even now, your corporate clients may awaken nightly in a cold sweat, desperately worried about the expired GDPR deadline.

What

Generally speaking, the GDPR is a data protection and privacy regulation that controls the collection, use, retention, and exporting of the personal data of EU residents. The regulation gives primary control over personal data to the owners of such data, and grants rights to view, amend, or delete such data.

To qualify, the collected personal data has to belong to a living person, and be able to identify its owner. Typically, some sort of identification number or other reference to a person’s identity must be inherent in the collected information. Information about deceased people or non-human entities, or information collected anonymously, is not regulated by the GDPR.

A non-comprehensive, but quick and easy, list of examples of qualified personal data would be:

  • Name;
  • Email address;
  • Bank account number;
  • Social Security number; or
  • Age, gender, race, or origin personal information.

Who

While the GDPR is a European regulation, it purports to apply to any company which (a) is located in the EU, (b) offers goods or services to EU users, or (c) collects data from EU users. EU users are defined as those individuals physically located in the EU, and not EU citizens whose information is collected while they are not in Europe.

Some interpretations of the regulation seem to limit the scope of a qualifying interaction more narrowly. For example, purchasing advertisements targeting users in a specific European country, having multiple forwarding URLs with European suffixes, or accepting payment in foreign currency would likely be interpreted as a specific attempt to attract and access EU users. Having a website that is simply accessible in a European country may not. But the reality is that any company with a web presence marketing itself or its products online should closely examine whether the GDPR applies to it specifically.

How

The GDPR changed prior EU law by requiring companies to do (or not to do) certain things if they choose to collect user information. Most companies will be GDPR-compliant if they adhere to a few key conditions:

First, obtain consent. User consent to have personal information collected and kept must be specifically requested by the company, in easy-to-understand language, and “freely given, specific, informed, and unambiguous” by the user, to quote the GDPR.

Second, provide access when requested. A user may request that a company provide them with a run-down of their personal data collected and stored, and the company must provide it to them free of charge, with an explanation of how the data is being used.

Third, delete when asked. Users have a right to have their collected personal data deleted by the company upon request. This “right to be forgotten” may be invoked for any reason at any time after collection.

Fourth, give notice of a breach quickly. Data breaches can happen even to those companies that are most prepared. Under the GDPR, once the company has notice of a data breach, it has only 72 hours to report the breach to the affected customers and to a reporting agency. In the EU, each country has designated its own reporting agency; in the US, this requirement is unclear, and following the procedure established by individual states should suffice for now (in North Carolina, refer to N.C. Gen. Stat. Chapter 75, Article 2A, specifically § 75-65).

Fifth, consider appointing (or hiring) a Data Protection Officer. Depending on the size and scope of its data collection practices, a company may or may not be required to employ a DPO. However, every company would be smart to have someone assigned to handle requests and issues arising under the GDPR, whether or not that is their exclusive responsibility. The company should make sure that this person, their contact information, and a description of their duties to the user are clear at the point of data collection.

Sixth, cover your bases from the beginning. Companies should design their advertising and online presence, particularly that which interacts with European users, mindful of the requirements of GDPR to avoid future issues. This may include secure and encrypted data storage, clear website language, proactive user engagement (pop-ups), and an easily accessible procedure for users to exercise their rights.

Why

Protecting the personal information of current and potential customers should be a high priority for any reputable company. While the GDPR can create headaches (and wallet-aches) for most companies, those that are fully compliant stand to garner goodwill from their customers for their diligence. Those that are not compliant may seem less reputable, or may appear to be abusing their customers’ data.

Realistically, though, the reason to be compliant is to avoid the monetary penalties that can be assessed for noncompliance. In one of the more shocking pieces of the GDPR, fines can be levied at the greater of €20 million (or 4% of the company’s annual revenue) for major violations, and at the greater of €10 million (or 2% of annual revenue) for minor offenses. These numbers are staggering to all but the largest companies, and although it is unclear whether GDPR enforcers would attempt to collect fines from American companies operating without a European counterpart, the possibility alone will cause heartburn for many business owners.

Conclusion

For companies that regularly engage in deep data-mining of online users, the GDPR is a 180-degree change in how such business is to be handled. For others, it will be a confusing maze of “does it or doesn’t it apply to me” analyses. Either way, whether in the EU or Western North Carolina, most companies will require a once-over of their online security processes and privacy statements to make sure they don’t run afoul of its requirements. The GDPR appears to be only the next step, albeit a large one, in the ever-evolving frontier of consumer data protection.