May 25, 2018
This week, internet users around the world received a flood of e-mails and notifications from companies with updates and changes to their respective privacy policies. The May 25, 2018, deadline to comply with Europe’s new General Data Protection Regulation (GDPR) has prompted companies with any kind of web presence – be it a website, an app or other online resource – to make changes to their interactions with consumers and users of their sites.
The GDPR replaces the 1995 Data Protection Directive (Directive 95/46/EC), which set only minimum standards for data processing in the European Union and left implementation to each member state. Two of the new regulation's core principles are: 1) personal data may be processed only on a recognized lawful basis, and where a company relies on the user's consent that consent must be freely given, specific, informed and unambiguous (pre-ticked boxes or silence do not count); and 2) data minimization, meaning companies may collect only the data necessary to provide the service in question. The penalty for non-compliance is a hefty fine of up to the higher of €20,000,000 (over $23,000,000 at current exchange rates) or four percent of a company's total worldwide annual turnover for the preceding financial year. For mega-companies like Google and Facebook, fines for non-compliance with the GDPR could reach billions of dollars.
As a result of the GDPR, consumers will have the right to access the personal data that companies have gathered on them and to find out how it is used and with whom it is shared. Consumers will also have the right to demand that companies erase certain personal data (the "right to be forgotten," formally the right to erasure), to correct inaccurate data, to receive a copy of their data in a portable format, and to delete their accounts altogether. The GDPR also defines "personal data" broadly, expressly covering location data and online identifiers such as IP addresses, cookie identifiers and browsing history, categories that many companies previously treated as falling outside the definition of personal information.
The GDPR is extremely significant because its reach does not depend on where a company is based. It applies to any organization established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behavior of, people located in the EU. Its protections turn on the user's location rather than citizenship: a non-EU citizen living in or visiting Europe is covered while there, whereas an EU citizen using a non-EU company's service from outside the EU generally is not.
The United States does not currently have a comprehensive data protection or digital privacy law, but in April 2018 the Senate introduced a bill addressing many of the same issues targeted by the GDPR. If passed, the Social Media Privacy Protection and Consumer Rights Act of 2018 would require websites to allow users to access the personal information collected about them, to disclose how that information is used, and to let users see who has access to it. The bill would also require companies to notify users of a breach or misuse of their information within 72 hours. The GDPR likewise uses a 72-hour window, although there the clock applies to notifying the relevant supervisory authority; affected individuals must be told "without undue delay" when a breach is likely to pose a high risk to them.
Although the temptation is to ignore or delete the deluge of incoming e-mails, many of them are requests to renew consent: where a company relies on consent to store and use personal information, that consent must now meet the GDPR's standard, and consent collected in the past through pre-ticked boxes or by default may no longer qualify. In response, some companies have warned that users who do not affirmatively "accept" the new privacy policies will be removed from their mailing lists, while others have chosen to block users in the EU from their services altogether in order to avoid having to comply with the GDPR.
The GDPR has the potential to change the online landscape by giving users real control over how their personal information is stored, used and disseminated by companies with an online presence. If the United States and other countries succeed in passing similar legislation, it could mark the beginning of a new digital era in which personal information is protected by default and companies must justify data collection practices that were previously unregulated.
This article is intended only as a general discussion of these issues. It is not legal advice and should not be relied upon as such. If you need assistance with a particular employment, intellectual property, or corporate issue, including questions about company policies, RPJ Associate Nikita ("Niki") Bhargava would be pleased to consider providing additional details or advice about specific situations.