If you think that because you are a U.S. business doing business ONLY in the United States, your website doesn’t fall under the European Union’s General Data Protection Regulation (more commonly referred to as the GDPR) — think again.
While it’s true that these Internet privacy regulations were crafted by the European Commission and cover those within the European Union (EU), they don’t only apply to people who are citizens of the EU nations. Nor do they apply only to those doing business in the EU. Rather, the GDPR applies to ANYONE within the EU.
So that means, if an American flies over to France for a well-deserved vacation and, while in Paris, decides to visit your website and then signs up for your free email opt-in offer, the GDPR applies to that person — and by default, to you and your business as well.
You have to remember — the World Wide Web is called that for a reason. Anyone in the world can access your website, and if they are in the EU, they fall under the new regulation.
But I don’t even collect personal data!
Or do you? Most website owners would be surprised by how much data their website collects, without them even thinking about it.
For example, most websites have contact forms. They make sense, because without one, a public email address is an invitation to get slammed by spammers, hackers, and those on their own “phishing” expeditions for personal data. But these contact forms, by default, collect names, email addresses, and sometimes more — such as physical addresses and phone numbers. And what a lot of website owners don’t realize is that they also, quite often, log the visitor’s IP address.
Do you have an opt-in for your email subscription list? That’s clearly a means of gathering personal data. And in the past, it wasn’t always clear to the individual giving up their personal information how that was going to be used.
Be clear and explicit
Now, thanks to the GDPR, all wording needs to be explicit. Those receiving your opt-in must be told exactly why they are getting your freebie — specifically because they are signing up for your email list. In return, you must get full and obvious consent from those giving up their email addresses to you.
The person giving up his or her personal information must know why you are taking this data and what you intend to do with it — and they have to, upfront, fully understand and consent to the fact that you are taking it.
To learn more about the GDPR, visit this article on CNBC that covers not only what the GDPR is, but also the penalties and impact on those businesses that don’t comply.
DEADLINE: May 25, 2018
The deadline for compliance is May 25, 2018 — only a few days away from the publication of this post. The deadline is important not only because of wording that needs to be updated on most websites, but also because of email addresses that were gathered into mailing lists BEFORE that date. If any of those emails came from someone who was within the EU when the information was passed along, that email is considered to be in “processing.” You might have noticed that you’ve received a lot of emails lately asking you to reconfirm your email subscription. THIS IS WHY. “Processing” of information is one of the actions covered by the GDPR, and simply storing the information is enough to count as “processing” it. So a good way of making sure that everyone on your email subscription list actually WANTS to be on your list is to send a reconfirmation email to everyone on the list.
How to keep your content and wording in compliance
Of course, we here at LaCroix Creative aren’t attorneys. None of the above should be considered legal advice, and we can’t be held responsible for any legal problems you might incur because of how your website collects information online. However, we can save you both money and time by drafting website terms, conditions, privacy policies, and disclaimers first, which you can (and should) then have reviewed by an attorney.