The General Data Protection Regulation of the European Union comes into force on May 25th. The law is radical, with massive fines for non-compliance. It affects most businesses around the world, big and small.
It's also confusing.
There is no better authority in the United States to explain the GDPR to e-commerce merchants than John Di Giacomo. He is a founding partner of Revision Legal, a leading Internet law firm based in Michigan.
The following is all the audio of my recent conversation with him and, also, a transcript of it, edited for length and clarity.
Pamela Hazelton: What is the GDPR?
John Di Giacomo: The General Data Protection Regulation is a second attempt to create a data protection policy on a European scale. In 1995, the European Union – which is somehow ahead of the US on this issue – put in place the EU Data Protection Directive. This was created to standardize how the data processing was managed in the European Union. The problem was that it was a directive, not a regulation. It was a document that defined concepts, which were to be implemented by the Member States of the European Union.
In May 2016, the US published the GDPR. It's a regulation, not a directive.
The scope of this data protection law goes further than the directive. It applies not only to companies located in the European Union, but also to companies outside the European Union that process or collect personal information from European residents.
Hazelton: Does this apply to businesses even if they do not accept orders from Europe?
Di Giacomo: Yes. The GDPR applies to any company that collects information from people living in the European Union or monitors their activity. If your website tracks the activity of individuals located in EU – through cookies or tags, for example – or if those people sign up for an information newsletter, then you fall under the blow of the GDPR.
If you have a website open to everyone, you are probably subject to GDPR. This is becoming a major compliance issue for businesses in the United States and elsewhere.
Hazelton: Leading service providers such as Google, GoDaddy, and Microsoft claim to comply with the GDPR. But what about less important providers, such as e-mail service providers? Are traders responsible for the actions of these companies?
Di Giacomo: Yes. There are pain points that I see. They include content delivery networks and hosting services. But the key is the customer relationship management software – CRM. Merchants could face the risk of compliance through actions such as targeting European residents who, prior to the implementation of the GDPR, gave their consent, but now, post-GDPR, this consent may not be relevant as it does not. Was not provided explicitly.
From what we find in our analysis for customers, many of these service providers are not as compliant as they claim.
Hazelton: If someone signed up to my e-mail list a year ago, before the GDPR, do I reconnect with him and m? to ensure that he still wants to be on the list?
Di Giacomo: Yes. It's not just your job to reconnect with it, but the data you currently have may not be compliant with GDPR. The data collected under the GDPR should be proportional, that is, they should only be used for the specific purposes for which they were collected. In addition, it must be stored as long as necessary.
According to the GDPR, consent must be given freely. It must be informed consent, and it must be unambiguous. This means that it must be explained to the user in plain and simple language, and can not be hidden.
Hazelton: Does this mean that email marketers should use a double opt-in or just informed consent on the screen?
Di Giacomo: It depends on the type of data collected. Make sure the consent is easy to read. Make sure consenting users know what they are agreeing to and agreeing to.
For example, if they sign up for an e-newsletter, the consent should say something like "You sign up for an e-newsletter." You agree, and you know you do that. Your email will be stored for this purpose. We will continue to target you. "
Next, the consent must also have references to new data subjects' rights of individuals under the GDPR. These include the right to receive a copy of their personal data and a right of confirmation as to whether their data is being processed.
Hazelton: What are the penalties for non-compliance?
Di Giacomo: Penalties rise to 20 million euros, or 4% of the overall annual business turnover of the company, depending on the amount The highest. So it's huge.
Hazelton: For a single event?
Di Giacomo: For a single occurrence. The GDPR has a proportionality clause, however. Thus, the penalties imposed (and the applicability of the penalties) are difficult to estimate because they are based on a factual determination.
Many American merchants ask us, "Why should I care about them?" They will never enforce against me. "
Although I understand the prospect, the European Union takes this very seriously. We will probably see a large-scale application against US companies that collect information from US residents.
If you have income, payment accounts or other assets located in the European Union, a data protection authority could seize your assets or your levies against them. For cases that apply to e-commerce owners, companies such as PayPal and Amazon have presences in, for example, Luxembourg that store money on behalf of their users. This is therefore a real problem for US companies that use these services.
Hazelton: What can merchants do for a quick fix?
Di Giacomo: A quick fix is probably to look at your internal policies, and make sure you are at least in the right direction. Internal rules include how you collect the data, how you store it, and whether you store it for the limited purpose you requested.
Document your contracts with suppliers. For example, if you send data to an email marketing provider, make sure your contract provides for data protection.
A small business might ask, "I only earn $ 500,000 a year in revenue. How am I going to comply? "My answer is to see how this is going, a $ 500,000 company is probably not the main target, the EU is already looking at companies like Facebook and Amazon, and the GDPR is a means by which he may begin to curb some of the alleged abuses of these societies.
Hazelton: Say that I'm using Facebook for the commenting system on my website. Could this be a problem?
Di Giacomo: Yes. If Facebook processes data from your management as a "data controller" (to use the term GDPR), you can be jointly and severally liable so that you can be as responsible as Facebook.
Hazelton: Nothing else?
Di Giacomo: Data protection will eventually be considered in the United States. Now is the time to start thinking about it. Take the GDPR seriously. It is best to prepare now rather than resolve a compliance failure afterwards.