GDPR regulations

Privacy Concerns For Influencers and Other Online Businesses

In Online Business Necessities by Shannon Montgomery

Privacy policies are old news-ok, not old news, they’re still relevant you and you still need one for the reasons I explained in this post and now more than ever you are going to want to make sure your privacy policy is up to date, and get your online business and website prepared for something new

Enter the GDPR

The General Data Protection Regulation (GDPR) is a new law coming out of the European Union that will provide better protection of individual’s personal information through the implementation of some strict requirements for companies that possesses personal data of people living in the EU.

The GDPR will take effect on May 25, 2018, and the penalties for non-compliance are steep. The maximum fine is €20 million. I’m not a mathematician but that is quite a lot.

This regulation has been in the headlines for a while now, so hopefully, most big businesses and multi-national corporations are more than compliant at this point, because May 25th is fast approaching. But what about the US-based companies that aren’t directly connected to any one of the 28 member states of the EU? Don’t think you have to worry?

Think again.

If your company has a web presence at all and markets your products or services over the internet you are going to want to look into this a bit more.

What are we talking about here? When would this apply?

No financial transaction needs to take place in order for the GDPR to apply. If personal information or data of an EU resident (not necessarily a citizen) is collected or processed by a US-based business then the GDPR will apply.

Personal data or personally identifiable information as we call it here in the States is any type of information that could be used to identify someone. This can be direct information like email addresses, or indirect information like cookies and location data.

There are some slight nuances to this in that it seems like you won’t fall under the GDPR strict requirements if you’re not directly marketing to EU residents. For example, if someone in Denmark Googles a term and comes across your coaching businesses website that is written in English, primarily directed at US consumers then you are likely not going to need to worry about the GDPR. However, if your site is marketed to consumers all across the globe, ie offers various language settings, targets ads outside of the US, take costumers out of the US, uses testimonials or references their EU client base, then the GDPR is going to apply to you. And to get as techy as I can, if your business accepts any currency of an EU state, and can be reached from another country in that country domain suffix then you will certainly fall under this regulation.

If your business has found a great market in an EU country and has localized content, then you will want to review how your website is operating.

How to get compliant if you need to

The main point to remember is that you are going to need to get explicit consumer consent before taking any personal data from a user. The GDPR states this consent must be “freely given, specific, informed, and unambiguous.”

For example, let’s say your business collects email addresses for mailing lists, promotions, and general customer research. If you are collecting emails of EU residents you need to have a checkbox that allows the person to decide yes or no on giving their email, paired with an easy to understand explanation of what you will do with that address. No legalese and no sending them off to some other screen full of terms and conditions to read through that are so long they just say yes because no one has time for that.

The process gets a bit hazier if you sell products or services. You will need to obtain permission for each type of processing done on the personal data, and you need to make sure any third parties you are working with (PayPal, Stripe etc.) are compliant as well. If you’re sharing personal information with any third parties, the consumer must be able to consent to each party receiving your information.

There’s just a little bit more…

You are also responsible for the protection of any data that you collect, and you must protect it in accordance with the GDPR rules. If you already follow existing data security standards, you should be fine. But then again, Facebook…so…make sure you’re up to speed on that.

If there is a data breach whether accidental or unlawful and the disclosure of personal data is the result, if any EU resident’s data is affected, either the EU regulator or the resident themselves must be notified within 72 hours. The type of data released will determine who must be notified.

Better safe than sorry

I know this seems like a lot. You may not even have a privacy policy right now (fix that) and now there is this new regulation with the potential to cause serious trouble for some US businesses. But you’re just the influencer selling coaching, or the YouTube kid selling t-shirts doesn’t matter. Although it is unclear how the EU will come after US business that violates the GDPR, it is clear that they will. You do not want to be a headline as the first business punished by the EU for violating it’s privacy regulations. So, talk to your team, do some research and make sure what you’re doing is in compliance. And, if the EU is changing privacy regulations to this level, I can only imagine the US isn’t far behind so why not be on the forefront of change?

Have more questions? Shoot me an email at Shannon@montgomerypllc.com and we can talk about it!

 

Please note that this is not meant to be legal advice for you or your situation, this is merely some legal research and knowledge on the given topic.