The General Data Protection Regulation from the European Union takes effect on May 25. The law is sweeping, with massive fines for noncompliance. It affects most every company worldwide, large and small.
It’s also confusing.
There is no better authority in the U.S. to explain the GDPR to ecommerce merchants than John Di Giacomo. He is founding partner of Revision Legal, a leading Michigan-based internet law firm. He is, additionally, a contributor to Practical Ecommerce.
What follows is the entire audio of my recent conversation with him and, also, a transcript of it, edited for length and clarity.
Pamela Hazelton: What is the GDPR?
John Di Giacomo: The General Data Protection Regulation is a second attempt at creating a European-wide data protection policy. Back in 1995, the European Union — which in some ways is ahead of the U.S. on this issue — established the E.U.’s Data Protection Directive. That was created to normalize the way that data processing was handled across the European Union. The problem was that it was a directive, not a regulation. It was a document that defined concepts, which had to be implemented by European Union member states.
In May 2016 the E.U. released the GDPR. It’s a regulation, not a directive.
The scope of this data protection law extends further than the Directive. It applies not only to businesses located within the European Union but also to businesses outside of the European Union that process or collect personal information from European residents.
Hazelton: Does it apply to businesses even if they do not accept orders from Europe?
Di Giacomo: Yes. The GDPR applies to any business that collects information from persons living in the European Union or monitors their activity. If your website tracks the activity of individuals located in E.U. — through cookies or beacons, for example — or if those individuals are signing up for a newsletter, then you fall under the ambit of the GDPR.
If you have a website that’s open to anyone, you are probably subject to the GDPR. It becomes a major compliance issue for businesses in the United States and elsewhere.
Hazelton: Prominent service providers such as Google, GoDaddy, and Microsoft claim to be compliant with the GDPR. But what about less prominent vendors, such as email service providers? Are merchants responsible for the actions of those companies?
Di Giacomo: Yes. There are some pain points that I see. They include content delivery networks and hosting services. But the key one is the customer relationship management software — CRM. Merchants might face compliance risk from actions such as targeting European residents who, before the implementation of GDPR, provided consent, but now, post-GDPR, that consent may not be relevant because it was not provided in an explicit manner.
Based on what we are seeing from our analysis for clients, a lot of these service providers aren’t as compliant as they say they are.
Hazelton: If somebody signed up for my email list a year ago, pre-GDPR, do I have to reconnect with him and make sure he still wants to be on the list?
Di Giacomo: Yes. It’s not only your job to reconnect with him, but the data that you currently have may not be GDPR compliant. Data that is collected under the GDPR has to be proportional, meaning that it has to be only used for the specific purposes for which it was collected. Moreover, it has to be stored for only as long as necessary.
Under the GDPR, consent has to be given freely. It has to be informed consent, and it has to be unambiguous. What that means is that it needs to be explained to the user in clear and plain language, and cannot be hidden.
Hazelton: Does this mean that email marketers should use a double opt-in or just informed consent on the screen?
Di Giacomo: It depends on the type of data that’s being collected. Make sure that the consent is easy to read. Make sure users who are consenting know what they are consenting to, and the purpose they’re consenting to.
For example, if they’re signing up for an email newsletter, the consent should say something like “You are signing up for an email newsletter. You agree, and you know that you’re doing this. Your email will be stored for this purpose. We will continue to target you.”
Then the consent also has to have references to new data-subject rights of the individuals under the GDPR. Among those are a right to receive a copy of their personal data and a right to confirmation as to whether their data is being processed.
Hazelton: What are the penalties for noncompliance?
Di Giacomo: The penalties are up to €20 million or 4 percent of the company’s annual global revenue — whichever is more. So it’s massive.
Hazelton: For a single occurrence?
Di Giacomo: For a single occurrence. The GDPR has a proportionality clause, however. So the assessed penalties (and the enforceability of the penalties) are difficult to estimate because they are based on a factual determination.
A lot of U.S. merchants are asking us, “Why should I care about this? They’re never going to enforce against me.”
While I understand the perspective, the European Union is taking this very seriously. We will likely see wide-scale enforcement against U.S. companies that are collecting information from E.U. residents.
If you have revenue, or payment accounts, or other assets located within the European Union, a data-protection authority could seize your assets or levy against them. For cases that apply to ecommerce owners, companies such as PayPal and Amazon have presences in, for example, Luxembourg that store money on behalf of their users. So it is a real issue for companies in the United States that are utilizing those services.
Hazelton: What can merchants do for a quick fix?
Di Giacomo: A quick fix is probably to look at your internal policies, and make sure that you are at least heading in the right direction. Internal policies include how you collect data, how you store it, and whether you store it for the limited purpose you’ve requested.
Document your contracts with vendors. For example, if you are sending data to an email-marketing vendor, make sure your contract provides for protection of data.
A small business could be asking, “I only make $500,000 a year in revenue. How am I going to comply with this?” My response is let’s see how it plays out. A $500,000 business is probably not the chief target. The E.U. is already looking at companies such as Facebook and Amazon, and the GDPR is a means by which it can start to rein in some of the alleged abuses from those companies.
Hazelton: Say I’m using Facebook for the commenting system on my website. Could that be a problem?
Di Giacomo: Yes. If Facebook is processing data from your direction as a “data controller” (to use the GDPR term), then you can be held jointly and severally liable so that you could be as responsible as Facebook.
Hazelton: Anything else?
Di Giacomo: Data protection will be addressed in the United States eventually. Now is the time to start thinking about it. Take the GDPR seriously. It’s better to prepare now versus solving a compliance failure afterward.