On May 25, 2018, the European Union’s General Data Protection Regulation (the “GDPR”) went into effect. The GDPR is a new law designed to give greater protection to the personal information of people in the EU by regulating the collection, storage, use, disclosure, processing, transmission and destruction of their personal information. People in the EU now have more control over their personal information and, hopefully, their personal information will be more secure.
What does the GDPR mean for people in the United States?
You will receive, and need to respond to, numerous emails from businesses under the GDPR’s purview (if you have not already been inundated with them). Businesses like Instagram and Facebook have reached out to their users via email to (1) notify them of changes to their privacy policies and (2) request consent to keep their personal information. You will likely need to agree to these new policies to continue using many services.
What does the GDPR mean for businesses in the United States?
The GDPR is quite broad. A business in the United States must comply with the GDPR if it:
- Has a physical presence in the EU;
- Has employees located in the EU;
- Offers goods or services to people residing in the EU (including over the Internet);
- Collects or handles personal information from people residing in the EU; or
- Monitors the behavior of people residing in the EU (including website analytics).
Because of the GDPR’s breadth, many United States businesses will need to pay more attention to their data policies and practices. This is especially true because failure to comply with the GDPR could lead to steep penalties: for the most serious violations, fines of up to the greater of 4% of the business’s total worldwide annual turnover for the preceding financial year or €20 million.
Even for businesses not subject to the GDPR, its entry into force is a good opportunity for United States businesses to reassess and analyze these policies and practices—in particular, what data the business collects, stores, uses, processes, discloses and transmits, how it does so, and why.
Can businesses subject to the GDPR still collect your personal information?
Businesses subject to the GDPR can still collect your personal information. However, they need a “lawful basis” to do so. Your consent is one such basis, but it is not the only one: a business may also rely on, among other bases, the need to perform a contract with you, compliance with a legal obligation, or its own legitimate interests, provided those interests are not overridden by your rights. When a business does rely on your consent, that consent must be freely given, specific, informed and unambiguous, and you can withdraw it.
Will laws similar to the GDPR be adopted in the United States?
With the more stringent GDPR now in effect, you may be left wondering if and when the United States will follow the EU. As of today, the United States has more relaxed privacy laws than the EU, relying on a patchwork of sector-specific federal and state laws rather than a single comprehensive statute, and only time will tell whether the privacy laws in the United States will be revised to be as protective as those in the EU.
The GDPR is in effect. What do I do now?
Check your email for announcements from businesses implementing new policies governing their use of your personal information, and be conscious of these changes. On a case-by-case basis, decide how you want to permit particular businesses to use your personal information.
If you are a business owner and are concerned about the GDPR applying to your business, or how your business can comply with the GDPR, please contact Gunster's technology law practice to discuss your next steps.