GDPR: Are you compliant?



The EU (European Union) GDPR (General Data Protection Regulation) becomes law on May 25, 2018. Are your businesses and websites ready?

Anyone who collects linked(2) or linkable(3) PII(4) ("data") from citizens of EU member countries(5), or who uses third-party services(1) that collect it, risks heavy(6) fines if found to be in violation of the GDPR once it becomes law.

1. examples: Google Analytics (or similar program); email management services (GetResponse, Aweber, MailChimp, Mad Mimi and others); comment platforms (Disqus, Jetpack, Livefyre, Facebook comment system, WordPress comment system and others); and any program that tracks a visitor's browsing activity, such as embedded videos (without the tracking feature turned off,) ads and social share buttons
2. examples: name, email address, geolocation data such as country, state, zip code
3. examples: IP address, unique device ID numbers
4. personally identifiable information
5. including countries that leave the EU as a result of Brexit, unless those countries make new laws after they leave the EU
6. up to 10,000,000 pounds (~$12,576,000 USD) or 2% of global annual turnover for the preceding financial year, whichever is higher, for most violations and up to 20,000,000 pounds (~$25,152,000 USD) or 4% of global annual turnover for the preceding financial year, whichever is higher, for the rest

The GDPR is a monumental improvement over EU's current "Data Protection Directive 95/46/EC." The Directive had each member country write its own laws*. The GDPR will replace the Directive with one set of laws that applies to all member countries and the citizens of those countries.

* all of which we are currently legally required to comply with if we gather (or use any third-party service that gathers) any information from any citizen of an EU member country
____________________________________________________________

EU Member Countries

Austria: EU member country since 1 January 1995
Belgium: EU member country since 1 January 1958
Bulgaria: EU member country since 1 January 2007
Croatia: EU member country since 1 July 2013
Cyprus: EU member country since 1 May 2004
Czech Republic: EU member country since 1 May 2004
Denmark: EU member country since 1 January 1973
Estonia: EU member country since 1 May 2004
Finland: EU member country since 1 January 1995
France: EU member country since 1 January 1958
Germany: EU member country since 1 January 1958
Greece: EU member country since 1 January 1981
Hungary: EU member country since 1 May 2004
Ireland: EU member country since 1 January 1973 (note: roughly 1/6 of the island of Ireland is a separate country, Northern Ireland, which is part of the UK.)
Italy: EU member country since 1 January 1958
Latvia: EU member country since 1 May 2004
Lithuania: EU member country since 1 May 2004
Luxembourg: EU member country since 1 January 1958
Malta: EU member country since 1 May 2004
Netherlands: EU member country since 1 January 1958
Poland: EU member country since 1 May 2004
Portugal: EU member country since 1 January 1986
Romania: EU member country since 1 January 2007
Slovakia: EU member country since 1 May 2004
Slovenia: EU member country since 1 May 2004
Spain: EU member country since 1 January 1986
Sweden: EU member country since 1 January 1995
United Kingdom (England, Wales, Scotland (collectively, Great Britain) and Northern Ireland): EU member country since 1 January 1973

https://europa.eu/european-union/about-eu/countrie...
____________________________________________________________

Even if you were to block all of the countries of the EU from your website(s,) you wouldn't be immune from complying with the GDPR. That's because the GDPR protects the citizens of each of its member countries no matter where they're physically located when they access your site.

I wish the U.S. would follow the EU's example and give us one set of laws for all of its states (and territories.) I can tell you from personal experience, creating business practices and policies to comply with one set of laws - even a gargantuan one like the GDPR - is much easier than ensuring compliance with patchwork sets of laws.

The odds of relatively small-income bloggers, affiliates and internet marketers (like most of us) being noticed by EU governing bodies are probably slim, even if we violate the GDPR.

Are the odds of us escaping notice for violating any of California's multiple privacy rights laws - which protect its residents regardless of where they're physically located - or the laws from elsewhere in the world also probably small? My guess would be: "probably not."

What you choose to do and how much risk you're willing to take is up to you.

Me, I decided it was in my best interest to make sure my business practices and policies and my sites' Terms of Use, Privacy Policy and other related legal pages are in line with the GDPR and with other related laws around the globe.

I also decided it was in my best interest to keep up with privacy rights laws as they evolve and as new ones come into effect.
____________________________________________________________

There are many data gathering and data protection laws in the world and new ones come into effect fairly frequently. The list below is far from complete: not even all of California's relevant laws are listed. If you decide to protect your business from possible fine-induced bankruptcy, this short list provides a good starting point for research.

Data Protection Directive 95/46/EC (203-page pdf): http://www.echr.coe.int/Documents/Handbook_data_pr...
GDPR (88-page pdf): http://ec.europa.eu/justice/data-protection/reform...
GDPR Portal: http://www.eugdpr.org
US Federal Law, including COPPA and CAN-SPAM in Subchapter C, Affiliate Marketing in Subchapter F and other laws that apply to all of us (updated annually): https://www.ecfr.gov/cgi-bin/text-idx?SID=aa078420a11c10ee30297b9dc8b70e5f&c=ecfr&tpl=/ecfrbrowse/Title16/16cfrv1_02.tpl

California Civil Code section 1798.29 (data breach): http://leginfo.legislature.ca.gov/faces/codes_disp....
California Civil Code section 1798.82 (data breach): http://leginfo.legislature.ca.gov/faces/codes_disp....
California Civil Code sections 1798.80 - 1798.81 and 1798.84 (disposal of customer records): http://leginfo.legislature.ca.gov/faces/codes_disp...
California Civil Code sections 1798.83-1798.84 (Information-Sharing Disclosure, "Shine the Light"): http://leginfo.legislature.ca.gov/faces/codes_disp....
Online Privacy Protection Act of 2003 - California Business and Professions Code sections 22575-22579 (applies to all websites and web services "that collect personal information on California consumers"): http://leginfo.legislature.ca.gov/faces/codes_disp...
California Business and Professions Code Sections 17529 (anti-spam): http://leginfo.legislature.ca.gov/faces/codes_disp...
California Business and Professions Code Section 17538.45 (anti-spam): http://leginfo.legislature.ca.gov/faces/codes_disp...
The California Online Privacy Protection Act (CalOPPA) (28-page pdf): https://oag.ca.gov/sites/all/files/agweb/pdfs/cybe...

REMINDER: This list is incomplete.
____________________________________________________________

> All questions in this post are rhetorical, but you can answer/discuss them in comments if you want.

> I can NOT give anyone advice on how to comply with data gathering and data protection laws, or answer questions a lawyer should answer.

> My website has been "on hold" (zero content added) for months, while I found and researched privacy rights laws and did my best to become compliant with them all. I wish you all the very best of luck, but I need to get busy building out my site. So, I'm not taking time to mention or link to any other relevant laws, neither here nor in comments. If you search for them, you'll find them.


Sharon

DISCLAIMER: The contents of this post are for information only. I am not a lawyer and nothing in this post constitutes legal advice or legal council, nor grants nor implies the establishment of any legal relationship between myself and anyone else.

Posted: late night Monday, April 17, 2017 in my part of the world / Tuesday morning, April 18, 2017 in others

UPDATE April 19, 2017: Just wanted to add a mention of the EU's proposed Privacy and Electronic Communications Regulation (PECR).
https://ec.europa.eu/digital-single-market/en/news...


Recent Comments


Thank you for the clear, comprehensive, important and intelligent discussion of this important subject.

Sat, Feb 24, 2018

Thank you, Randell!

This is a post that needs to get out to more members. We have one business registered in Germany and hired a firm to make sure we are in compliance with all EU requirements...

The rules change often and to protect ourselves from the wolves we felt it was a necessary expense. Their job is to make sure that all of our T&C, Privacy, Cookie, and even FB policies are being adhered to.

They even have some unique special requirements for Germany that you will find nowhere else. It is violations of these many requirements that will cost you real money. It is not unusual to get a bill in the mail from the Government if you do not.

I have bookmarked this post. It is a wild world out there, and with so many ways people are using to make money online, not following the law (i.e. EU, US, or copyright law) is one many folks are using to get some of your money...

Cheers!
Dave : )

Thu. Oct 5, 2017

Thank you, Dave: that's very high praise, coming from you!

You're so right, privacy rights laws do change often. Copyright laws change, too, but not as frequently.

In addition to that, there are so MANY sets of privacy rights laws! It's hard to find them all and - unless you're a lawyer with a specialization in that field - you can never feel confident you've found them all.

I'm glad you were able to get a firm to handle compliance for you. It's a nightmare trying to do it on your own.

As if that isn't troubling enough, there are the vultures you mentioned: those who make a career of finding small-time privacy rights or copyright violations and suing, hoping the person will settle out of court rather than risk being on the losing side of a trial.

I'll have to look back over my notes and make sure I included the relevant German laws when I wrote my legal pages. It's getting time for me to review all the laws anyway. I think that's something I'd better do about every six months.

Thanks for the reminder!


Sharon

But of course these laws don't apply to massive companies like Google and Facebook, who use our mics and cameras to spy on us, collect data about us and advertise to us on a daily basis.

The other day, while on skype with a friend, I mentioned I had just got bitten by a mosquito bite on my ankle and it was itchy.

Now this is NOT a coincidence mate, I kid you not.

10 minutes later I was on YouTube, and suddenly I was seeing anti-mosquito related products advertised before all the videos I played.

And to top it off, when I went on Facebook, there they were, anti-mozzy this and anti-mozzy that.

I've never seen so many ads about mozzies, lamps, sprays, wrist bands, etc etc, all over the place.

So, it's okay for them to do that, but they want to crush the little guy out of business through regulation and ridiculous requirements to adhere to stupid new rules that they are going to change at a whim anyway.

I am not impressed at all.

This is very useful info Nana. I have been looking for some suitable and pragmatic solutions but it appears that everything is "up in the air" at present. There is not an easy way to include some sort of info on our Privacy Policy Page that covers everything, so not sure how to sort this out.
Anyone who might have some ideas, please share them!

Thu, Aug 3, 2017

Hi, Ana.

I'm delighted you're searching for information on this topic and I'm so very glad you found my post useful!

You're absolutely right: short of hiring a lawyer who specializes in privacy rights laws, there's no easy way to guarantee compliance with them all.

Because I initially didn't know the names of any privacy rights laws except "Shine the Light," I spent every spare moment I had for months, finding them and working them into my Privacy Policy.

(I'm still not certain I found all of them.)

_____________________

tl;dr:
I recommend, at minimum, making your site's Privacy Policy compliant with the GDPR and US federal and California's privacy laws.

It's possible your site could have a Privacy Policy that doesn't meet legal requirements - or even have no Privacy Policy at all - and you'd never get into any legal trouble over it.
_____________________

Long Version

I can't give advice, but I can offer an 8-part suggestion:
1. Write a draft of your Privacy Policy that's compliant with the GDPR. (This, alone, would put you miles ahead of what many website owners bother to do.)
2. Compare the relevant subchapters of the Electronic Code of Federal Regulations (e-CFR, linked in my post under: "US Federal Law") to your draft. If the e-CFR gives any protections not given in the GDPR, add them to your draft. (This would put your Privacy Policy leagues ahead of those of most website owners.)
3. Compare CalOPPA and the relevant sections of California's "Online Privacy Protection Act of 2003" and Civil Code to your draft. If any protections are given that aren't in your draft yet, add them.
4a. (Optional, IF you feel comfortable taking the risk): consider yourself done with privacy rights research for now. The draft you'll have made by this point is better than all but a tiny handful of Privacy Policies on the web.
4b. If 4a made you uncomfortable, continue researching privacy rights laws from around the world and adding to your Privacy Policy if necessary.
5. Edit your draft to make it easier to read and understand.
6. Publish the resulting Privacy Policy on your site(s.)
7. Check for new and revised privacy rights laws every six months.
8. Edit your Privacy Policy if/as needed.

Had I been aware of these laws when I first began drafting my Privacy Policy, I would have chosen option 4a. I estimate it would have taken me about two weeks to decipher the legalese in the documents I listed in 1-3, "translate" it into layman's terms and have a Privacy Policy I was comfortable with.

Important facts to consider:
1. So long as your site:
a. isn't generating 10s (maybe even 100s) of 1000s* of dollars per year; and
b. has a published Privacy Policy that addresses the protections specified in "Shine the Light" and CalOPPA,
it's possible you'll never have to deal with legal issues over non-compliance.
2. It's possible you'll never have to deal with legal issues over non-compliance even if your Privacy Policy doesn't meet legal requirements, or even if your site has no Privacy Policy.
3. Many website owners choose to address the privacy rights of California residents in a dedicated section of their Privacy Policies.** Some add a section for citizens protected by the GDPR. In other words, these website owners don't give any visitor any privacy rights they can legally withhold.***

* I'm sure there are more, but I, personally, know of one multinational, multimillion dollar company that's been operating for years with a Privacy Policy that doesn't come close to being compliant with privacy laws. Since they get by with it, what are the odds small fry like us would get hit?
** I've even seen websites with two Privacy Policies: one for California residents only, and the other for everyone else.
*** I see this most often on "big business" sites, so it must make great economic sense.

Good luck! I hope you quickly find a satisfactory point between "not compliant" and "overkill." (I think I wound up at the last point, lol.)


Sharon

Many thanks for your advice, Sharon.
After reading your original post last week, I decided to ask a question on the WA Email marketing site, and you can see the answers here. As Nathaniell advises, we will have some suitable plugins to install nearer to the time, so we might stop panicking for now.

Cheers,

An@

Fri, Aug 4, 2017

Thank you for that link, Ana: it was an interesting read!

Plugins that would make compliance easy would be AWESOME!

Thanks for the info

You're very welcome, Darrick.

Thanks for the "like" and for taking time to comment.
