GDPR Update: Should You Be Concerned About the New European Privacy Policy Rules? YES.
Once upon a time, Privacy Policies were relatively straightforward. You might have felt that you could be vague about how you collected user info and whether you might sell that info to others. You might have stated that the terms applied even if your customers never read them and felt secure that they would still apply. You might even have felt that a quick copy/paste job from another website’s Privacy Policy was all you needed to protect yourself. And at one point, the risks of doing these things were relatively low.
But as Bob says, “the times, they are a-changing.” Consumers have begun to demand more privacy protections and the federal government and California have gotten in on the act by demanding stronger protections and clearer language. And now, the strongest internet privacy regulations of all will go into effect on May 25, 2018. But this time, they’re from the European Union.
So why would this affect U.S. companies? Because under these regulations, even if you’re not based in the EU, you’re still subject to the new rules if you do business in the EU or even if you just collect any personally identifiable information from EU citizens.
These regulations, the General Data Protection Regulation, commonly referred to as GDPR, represent a major shift in the privacy rights afforded to individuals and put much stricter requirements on companies that collect and use personal information. The regulations shift the burden of privacy onto the companies collecting information instead of the users providing their personal information. Failure to comply with these regulations can cost violators up to €20 million (nearly $25 million), or 4% of global revenues, whichever is greater.
The new regulations can be divided into two areas: 1) changes to what you need to have in your Privacy Policy and 2) changes to your backend processes dealing with the collection and use of personal information.
How it could affect your Privacy Policy:
The key rule in the GDPR is that companies must provide “clear and transparent” notice about how customer data will be used. Now, your Privacy Policy must explain how your company collects and uses personal information in a way that is easily understood by users. For instance, if your company retains a customer’s phone number, web cookies or IP address, you must explicitly state why you are collecting that information and exactly how you plan to use it.
Companies must also have methods of gaining consent from their customers. This consent must be granted by way of a “statement or clear affirmative action.” In other words, silence, pre-checked boxes, or inactivity will not be considered valid consent under the GDPR. Customers will have to physically check a box or perform some other action to verify that they consent to the use and collection of their information. Additionally, companies will not only be required to explicitly ask for consent; they must also make it easy for customers to withdraw that consent.
In addition to clear and transparent notice and affirmative consent, the GDPR requires a few new additional terms in your Privacy Policy:
A detailed explanation of the company
Specific reference to who will be given access to any customer data
What the data will be used for and how it will be stored
Instructions for how to download records of any customer data and how to delete that data from the database
Information on how any breaches will be reported
Clear and transparent notice on how customer data will be used
A method for gaining affirmative consent from customers before collecting their information
A simple way for customers to withdraw consent
How it could affect your business processes:
Most importantly, the GDPR requires that you provide a “reasonable” level of protection for personal data. However, it does not define what constitutes “reasonable,” making the standard somewhat uncertain. Until the GDPR governing body has levied fines against a few companies for violating this requirement, it will remain unclear what will be considered reasonable. This is an issue to watch.
Next, under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” The notification must be made within 72 hours of the company first becoming aware of the breach.
The GDPR also requires you to be prepared to do a few more things that you may not currently be doing:
You now need to protect customer IP addresses and web cookies at the same level of security that you would use for social security numbers and physical addresses.
In order to send a marketing email or obtain web cookies, you need documented proof of the customer’s consent to that use.
It must be as easy to withdraw consent as it is to give it.
You must allow users to obtain their information from you quickly and also be able to delete a user’s info upon request.
If you are a non-EU company but process the data of EU citizens, you will need to appoint a representative in the EU.
You will be required to have a designated Data Protection Officer who can erase all personally identifiable information upon request by a customer.
Provide a reasonable level of protection for personal data
Notify users within 72 hours of a data breach.
Compliance with these new regulations can be tricky, but a careful refining of a company’s Privacy Policy will ensure conformity to impending requirements.