By now, you’ve probably seen the acronym GDPR show up in your inbox, in addition to popping up on websites left and right. Seemingly out of nowhere, the term has begun cluttering our screens, begging to be noticed and paid attention to.
So, what does it mean, and why has it suddenly become such a huge part of your browsing experience? And, more importantly, how does it affect your U.S.-based website? These are just some of the questions U.S. business owners should be asking as they plan to launch a new site or make updates to an existing one.
What is GDPR?
GDPR is the European Union’s General Data Protection Regulation, which became effective on May 25, 2018. The regulation comes with strict requirements for website administrators that gather personal data from website visitors residing in the European Economic Area (EEA).
Personal data that falls under the protection of GDPR is defined as any information that can be used to identify a person, such as:
- Name/Address
- Health information
- Racial or ethnic origin
- Sexual orientation
- Political views/affiliations
- Religious beliefs/affiliations
- Genetic/biometric data
- Location data
- IP address and/or cookie data
- RFID tags
While the regulation was set for to apply primarily to businesses operating in the EEA, it also indirectly affects US-based companies and other companies that participate in online activities which involve individuals who live in the EEA. If that sounds a bit vague and complex, that’s because it is.
GDPR Checklist for U.S. Website Owners
As a U.S. website owner, here’s a simple checklist to help you determine whether your business must comply to the GDPR requirements:
1. Your company has a physical location in the EEA.
2. Your company offers physical goods and/or provides paid services to individuals who reside in the EEA.
3. Your company tracks or monitors the online activity of residents in the EEA (i.e. targeted advertising campaigns like email marketing, etc.).
4. Your company processes personal data from EU residents as a subcontractor for another organization.
While the above list does apply to many U.S.-based businesses, the simple fact that your website “may be accessible by a person living in the EEA” does not mean you’re automatically obligated to comply with the regulation.
Additional Factors
Additional factors in considering whether GDPR applies to your U.S.-based website include:
- Domain
If your domain includes a two-letter country domain within the EEA (.UK, .FR, etc.), GDPR may apply to your website.
- Accepted Currencies
Do you accept payment in Euros or in other currencies specific to EEA individuals? You may be obligated to comply to GDPR.
- Language Translation
If your site has been translated into a language other than English that is spoken in the EEA, GDPR may apply to your website.
- Shipping Destinations
If you ship products to EEA residents, GDPR likely applies to your website.
- Email Marketing and Targeted Advertising
Email marketing and targeted advertising require the collection and monitoring of personal data, so if you’re marketing to EEA residents in these ways, GDPR will apply to your website.
Tips for Complying with GDPR
If you suspect your website is required to comply with GDPR, here are a few tips to help you comply:
Requirement 1: Limit data usage to the purpose(s) for which it was obtained.
If a user submits their email address or name and address when purchasing a product or service, consent should be obtained before using the personal data for any other reasons (such as email marketing and direct mail campaigns, for example).
Requirement 2: Inform EEA residents about how their data will be used.
Don’t be obscure about how you are going to use a person’s information. Notify the user of how it will be used, who it will be shared with, and for how long the data will be stored. You must also provide the user with the ability to remove their consent for usage of the personal data at any time.
Requirement 3: Consent or “Legitimate Interest” for the use of personal data.
If you are unsure whether a user has consented to the use of personal data, or whether your use of their data is based on “legitimate interest” of the user, it is better to request informed content.
For the full details of data protection in the EU, visit the European Commission website.