But as Bob says, “the times, they are a-changing.” Consumers have begun to demand more privacy protections and the federal government and California have gotten in on the act by demanding stronger protections and clearer language. And now, the strongest internet privacy regulations of all will go into effect on May 25, 2018. But this time, they’re from the European Union.
So why would this affect U.S. companies? Because under these regulations, even if you’re not based in the EU, you’re still subject to them if you do business in the EU or even if you just collect personal data from individuals located in the EU. Note that the trigger is where the person is, not their citizenship: the regulation applies to data subjects who are in the EU.
These regulations, the General Data Protection Regulation, commonly referred to as GDPR, represent a major shift in the privacy rights afforded to individuals and put much stricter requirements on companies that collect and use personal data. The regulation shifts the burden of protecting privacy onto the companies collecting the data rather than the users providing it. Failure to comply can cost violators up to €20 million (nearly $25 million) or 4% of annual worldwide turnover, whichever is greater.
Companies must also have methods of gaining consent from their customers. This consent must be granted by way of a “statement or clear affirmative action.” In other words, silence, pre-checked boxes, or inactivity will not be considered valid consent under the GDPR. Customers will have to physically check a box or perform some other action to verify that they consent to the collection and use of their information. Additionally, while companies will be required to explicitly ask for consent, they must also make withdrawing that consent as easy as giving it.
- A clear statement of who the company collecting the data is and how to contact it
- Specific reference to who will be given access to any customer data
- What the data will be used for and how it will be stored
- Instructions for how customers can obtain a copy of their data and how they can have it deleted
- Information on how any breaches will be reported
- Clear and transparent notice on how customer data will be used
- A method for gaining affirmative consent from customers before collecting their information
- A simple way for customers to withdraw consent
How it could affect your business processes:
Most importantly, the GDPR requires that you provide a level of security “appropriate to the risk” for personal data, often paraphrased as a “reasonable” level of protection. It does not define what is appropriate in any given case, which makes the standard somewhat uncertain. Until national supervisory authorities have levied fines against a few companies on this ground, it will be somewhat unknown where the line is drawn. This is an issue to watch.
Next, under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The notification to the supervisory authority must be made within 72 hours of the company first becoming aware of the breach. Where the breach is likely to result in a high risk to the affected individuals, they must also be told without undue delay.
The GDPR also requires you to be prepared to do a few more things that you may not currently be doing:
- Customer IP addresses and cookie identifiers now count as personal data, so they need the same kind of protection you would give to social security numbers and physical addresses.
- In order to send a marketing email or set web cookies, you need to be able to demonstrate the customer’s consent to that use, which means keeping documented proof of it.
- It must be as easy to withdraw consent as it is to give it.
- You must allow users to obtain their information from you promptly (in general within one month of the request) and also be able to delete a user’s info upon request.
- If you are a non-EU company but process the data of people in the EU, you will need to appoint a representative in the EU.
- In certain circumstances (for example, if your core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, or if you are a public authority) you will be required to appoint a designated Data Protection Officer. Independently of that, you must be able to erase all of a customer’s personal data upon request.
- Provide a level of protection for personal data that is appropriate to the risk.
- Notify the supervisory authority within 72 hours of becoming aware of a data breach, and the affected users without undue delay where the risk to them is high.
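The consent rules described above (consent only by a clear affirmative action, withdrawal as easy as granting, documented proof that can be produced on demand, and erasure on request) are usually implemented as an append-only consent ledger. The following is an added example of such a ledger, not code from the original article or from any particular product; the class and method names, the record layout and the sample user “user-42” are assumptions for illustration.

```python
"""Consent ledger: an added example of enforcing the GDPR consent rules
(affirmative action only, easy withdrawal, demonstrable proof, erasure).
The API, record layout and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry: the proof the company must be able to show."""
    subject_id: str
    purpose: str            # e.g. "marketing_email", "analytics_cookies"
    granted: bool           # True = consent given, False = consent withdrawn
    notice_version: str     # which wording the person actually saw
    action: str             # the act recorded, e.g. "checkbox_ticked"
    recorded_at: datetime


class ConsentLedger:
    # Acts that count as a "clear affirmative action". Silence, a pre-ticked
    # box and inactivity are deliberately absent: recording them is an error.
    AFFIRMATIVE_ACTIONS = {"checkbox_ticked", "button_clicked", "form_submitted"}

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              action: str, at: Optional[datetime] = None) -> ConsentEvent:
        if action not in self.AFFIRMATIVE_ACTIONS:
            raise ValueError(f"{action!r} is not an affirmative action; consent not recorded")
        ev = ConsentEvent(subject_id, purpose, True, notice_version, action, at or self._now())
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, action: str = "button_clicked",
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is one call, same as granting: no extra hurdles.
        ev = ConsentEvent(subject_id, purpose, False, "n/a", action, at or self._now())
        self._events.append(ev)
        return ev

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Default is False: absence of any record is not consent.
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str) -> List[dict]:
        """Everything recorded for one person, for a proof-of-consent or access request."""
        return [dict(purpose=e.purpose, granted=e.granted, notice_version=e.notice_version,
                     action=e.action, recorded_at=e.recorded_at.isoformat())
                for e in self._events if e.subject_id == subject_id]

    def erase(self, subject_id: str) -> int:
        """Right-to-erasure hook: drop every record for the person; returns count removed."""
        before = len(self._events)
        self._events = [e for e in self._events if e.subject_id != subject_id]
        return before - len(self._events)


def demo() -> dict:
    """Grant, check, withdraw, check and erase on constructed sample data."""
    ledger = ConsentLedger()
    # A pre-ticked box must be rejected, not silently stored as consent.
    try:
        ledger.grant("user-42", "marketing_email", "privacy-v3", action="prechecked_default")
        rejected = False
    except ValueError:
        rejected = True
    ledger.grant("user-42", "marketing_email", "privacy-v3", action="checkbox_ticked")
    after_grant = ledger.has_consent("user-42", "marketing_email")   # gate before sending
    ledger.withdraw("user-42", "marketing_email")
    after_withdraw = ledger.has_consent("user-42", "marketing_email")
    return {
        "prechecked_rejected": rejected,
        "after_grant": after_grant,
        "after_withdraw": after_withdraw,
        "never_asked": ledger.has_consent("user-42", "analytics_cookies"),
        "evidence_entries": len(ledger.evidence("user-42")),
        "erased": ledger.erase("user-42"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the ledger never infers consent: every “yes” is a stored event tied to the notice version the person saw and the act they performed, `has_consent` returns False for anything it has no record of, and the marketing or cookie code is expected to call `has_consent` before acting rather than consulting a mutable flag on the user profile.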