Some of you may have heard of the General Data Protection Regulation (GDPR), adopted by the European Union (EU) in 2016. On May 25, 2018, that regulation, which governs the personal data of people in the EU, goes into effect.
In short, the GDPR gives individuals in the EU certain rights over the collection and use of their personal data, which includes obvious items such as name, email and phone number but also the IP address of their computer or internet connection. The regulation applies to ANY website, app or business that collects data from people in the EU, wherever that business is located, and falls most squarely on those that are based in the EU, have offices there or do extensive business with EU residents.
In practical terms, this means your website may require certain changes to be in compliance with these new regulations, whether or not your business resides in the EU.
At this point, no one has all the answers when it comes to businesses in the United States. We are not attorneys and cannot advise you on whether your business must comply with these regulations. We can say that if you have an office in the EU or do extensive business there, you should consult your attorney for guidance on these issues as soon as possible. Here are a few things the GDPR will require of your website.
Privacy Policy
Regardless of where you or your business are located, your website should have a Privacy Policy that explains what information it gathers, why, and how it is used. The GDPR requires that this be written in plain, easily understood language rather than legal boilerplate. Get one and add it to your website.
Information Collection
If you collect ANY information on your website, including customer data, form submissions, purchases, analytics or even cookie data used for website and server performance, you must disclose that collection and give people in the EU a real choice about it. Note that where you rely on consent, the GDPR requires it to be an affirmative, opt-in action: a pre-ticked box or a banner that simply announces that you use cookies does not count, and withdrawing consent must be as easy as giving it. While many businesses in America that primarily do business here have opted for a simple notification of data collection and a link to a Privacy Policy, anyone serving EU visitors will need to make it easy for them to decline any data collection that is not strictly necessary to run the site.
Personal Information Disclosure and Removal
Additionally, people in the EU have the right to see any information you hold on them and to request that it be removed. That means you need to be able to produce an electronic copy of everything you have collected about a person and to have a working procedure for deleting it. That includes name, email, phone, address, payment information, IP address and location information. Be aware that some records, such as invoices you are legally required to retain, may be exempt from deletion; your attorney can tell you which.
There is much more to it than this, which is why we recommend you contact legal counsel if you have any questions or concerns. No one is completely certain if or when any of this will be enforced against those of us who do the vast majority, if not all, of our business with American citizens and businesses. We also expect that small businesses with limited data collection will likely never have cause for concern.
However, it is better to arm yourself with knowledge than with lawyers, so be smart and do your research.
Of course, if you have questions, feel free to contact us for information on how we can help you and your website reach compliance.