Does the GDPR Potentially Apply to Your Business?
The GDPR applies not only to businesses situated in an EU member state. It also applies to businesses and other organizations outside the EU, including in the United States, that receive and retain personal data of persons in the EU in order to offer them goods or services (whether or not payment is required) or to monitor their behavior within the EU in some way. The mere accessibility of an ecommerce website to visitors in the EU is not, standing alone, sufficient to subject the website's operator to GDPR jurisdiction. However, if the site contemplates offering goods or services to individual customers in the EU, then it is most likely subject to the GDPR. Factors considered indicative of offering goods and services to EU customers include referring to customers or users in the EU on the website or in other promotional materials, enabling payment in one or more EU member state currencies, or offering a version of the website in a language spoken in an EU country but not in the organization's home country (for a US business, a language other than English). If your business may satisfy the above criteria, then you need to consider the rest of this article.
- The right to access the personal data the organization is processing, as well as to receive information about the particulars of the processing activities;
- The right of an individual in the EU to have the personal data concerning him or her be corrected or updated;
- The “Right to Erasure,” sometimes called the “Right to be Forgotten,” which enables individuals in the EU to require the deletion of their personal data under certain circumstances “without undue delay.” Circumstances that may trigger this right include the data no longer being necessary for the purposes for which it was collected;
- The right to withdraw a previously given consent to the use of personal data;
- The “Right to Object” to use of an individual’s personal data for some types of “profiling” or automated decision making. This includes the right to be informed if the data subject’s information will be used for automated decision making or profiling;
- The “Right to Portability” in certain circumstances, which includes the right to get a copy of stored personal data an individual has provided and to transfer the data, unimpeded, to another organization;
- The right to complain to a local data protection authority in the EU if a data subject believes that his or her data is being unlawfully processed.
How Must “Consent” to the Use and Retention of Personal Data be Obtained from EU Data Subjects?
The GDPR provides that to be valid, consent must be a “freely given, specific, informed and unambiguous indication of the [individual’s] wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Accordingly, the types of passive consent schemes typically used on US websites and in US privacy policies—most often a statement to the effect that use of the website constitutes consent—will not comply with the GDPR. Silence, pre-ticked boxes or inactivity should therefore not constitute consent. There is, however, still considerable uncertainty over exactly what is necessary to obtain GDPR-compliant consent.
The GDPR further provides: “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.” In addition, individuals in the EU have the right to withdraw their consent at any time, and organizations must make it as easy to withdraw consent as it is to give consent.
Cookies present a special case, and are regulated under a different legal regime in the EU – the ePrivacy Directive. Many sites are using a separate window to advise that cookies will be used and to ask for consent by checking a box.
It is also technologically possible to have the website present the GDPR-compliant consent measures only to visitors whose IP addresses geolocate to the EU. However, IP geolocation is approximate (VPNs, proxies and mobile carriers can place an EU visitor outside the EU), and the cost and burden of maintaining such a gate may make presentation to all visitors the better solution. In addition, a number of US states (notably California) are beginning to pass new, enhanced data privacy statutes that introduce measures similar to some or all of those in the GDPR. Accordingly, it may make sense to begin obtaining GDPR-compliant consent from all visitors.
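The requirements above (a clear affirmative action, consent per purpose, consent for every purpose of a multi-purpose processing activity, and withdrawal as easy as granting) translate into concrete rules for how a site records consent. The following is an added illustration, written for this page and not code from the newsletter or from any law firm: a small consent ledger in which the purposes, the UI action names and the notice version strings are all assumed for the example. It keeps an append-only history per data subject, refuses to record consent that came from a passive source, treats the most recent event per purpose as authoritative, and checks that every purpose of a processing activity is covered.

```python
"""Per-purpose consent ledger.

Added illustration for this page; purposes, source names and notice versions
are assumed, not taken from the newsletter or any real site.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Hypothetical processing purposes of an ecommerce site (assumed).
PURPOSES: Set[str] = {"order_fulfilment", "marketing_email", "analytics_cookies"}

# UI "sources" that are not a clear affirmative action. Consent claimed from
# any of these is rejected outright rather than silently recorded.
PASSIVE_SOURCES: Set[str] = {"pre_ticked_box", "continued_browsing", "silence", "site_default"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool
    source: str          # the UI action that produced the event, e.g. "checkbox_click"
    notice_version: str  # which privacy notice the subject saw (evidence of "informed")
    timestamp: datetime


@dataclass
class ConsentLedger:
    # subject_id -> append-only history of consent events (never edited, only appended)
    _events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def grant(self, subject_id: str, purpose: str, source: str, notice_version: str) -> ConsentEvent:
        """Record consent for ONE purpose. Raises if the purpose is unknown or the
        consent did not come from an affirmative act (silence, pre-ticked box...)."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        if source in PASSIVE_SOURCES:
            raise ValueError(f"{source!r} is not a clear affirmative action; consent not recorded")
        return self._append(subject_id, purpose, True, source, notice_version)

    def withdraw(self, subject_id: str, purpose: str, source: str = "withdraw_link") -> ConsentEvent:
        """Withdrawal is one call with no extra conditions: as easy as granting."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        previous = self._latest(subject_id).get(purpose)
        notice_version = previous.notice_version if previous else "n/a"
        return self._append(subject_id, purpose, False, source, notice_version)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Only the most recent event per purpose counts; no event at all is NOT consent."""
        ev = self._latest(subject_id).get(purpose)
        return ev is not None and ev.granted

    def may_process(self, subject_id: str, purposes: Set[str]) -> Tuple[bool, Set[str]]:
        """A multi-purpose activity needs consent for every purpose.
        Returns (allowed, purposes still lacking consent)."""
        missing = {p for p in purposes if not self.has_consent(subject_id, p)}
        return (not missing, missing)

    def _append(self, subject_id: str, purpose: str, granted: bool,
                source: str, notice_version: str) -> ConsentEvent:
        ev = ConsentEvent(purpose, granted, source, notice_version, datetime.now(timezone.utc))
        self._events.setdefault(subject_id, []).append(ev)
        return ev

    def _latest(self, subject_id: str) -> Dict[str, ConsentEvent]:
        latest: Dict[str, ConsentEvent] = {}
        for ev in self._events.get(subject_id, []):
            latest[ev.purpose] = ev  # later events overwrite earlier ones
        return latest


def demo() -> Tuple[bool, bool, Set[str]]:
    """Constructed walk-through: two affirmative grants, one rejected passive
    grant, one withdrawal, then a multi-purpose processing check."""
    ledger = ConsentLedger()
    ledger.grant("subject-1", "order_fulfilment", "checkbox_click", "notice-v1")
    ledger.grant("subject-1", "marketing_email", "checkbox_click", "notice-v1")
    try:
        ledger.grant("subject-1", "analytics_cookies", "pre_ticked_box", "notice-v1")
        passive_rejected = False
    except ValueError:
        passive_rejected = True
    ledger.withdraw("subject-1", "marketing_email")
    allowed, missing = ledger.may_process("subject-1", {"order_fulfilment", "marketing_email"})
    return passive_rejected, allowed, missing


if __name__ == "__main__":
    print(demo())
```

The history is append-only on purpose: when a data subject complains to a supervisory authority, the organization must be able to show what was consented to, when, by which action, and against which version of the notice. Storing only a current yes/no flag loses exactly that evidence.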
Your attorney should advise you on the optimal way to approach GDPR consent requirements for your website, so that GDPR-compliant consent is recorded without undue interference with your branding and commercial goals.
What are the Risks of Non-Compliance with the GDPR?
Consent is not the only available basis upon which an organization may lawfully process personal data. Other potentially available bases include (a) the processing is necessary to perform under a contract with the EU individual in question, and (b) processing is necessary for the legitimate interests pursued by the organization or by a third party.
Cyber & Privacy Alert is a newsletter by Tannenbaum Helpern’s Cybersecurity & Data Privacy practice that covers emerging legal and business developments affecting cyber and privacy risks and regulation, and their impact on businesses.