GDPR: It’s here, Are you Ready?

Attention all companies doing business in the European Union. GDPR, it’s here, are you ready?

General Date Protection pPlan

If you market or conduct business on the web you probably already know the importance of having a privacy policy. Specific laws and regulations relating to privacy policies can apply if you obtain or store credit information, driver’s license information, or market to minors. If you do business in California (even through the internet) California law requires certain disclosures be made in your privacy policy. Companies that are often utilized in the operation of your website may also require privacy policies. For example, if you use tools like Google Analytics you are required to have a privacy policy describing the use of “cookies” and an opt out procedure.

Along with all of these domestic requirements, we now have a new European Union law known as the General Data Protection Regulation (“GDPR”), which generally provides that if you collect or store personal data from European citizens (which may include IP addresses your computer automatically collects), you are required to have certain items in your privacy policy.  The GDPR became effective May 25, 2018 and violators may be subject to fines.

In order to collect data from Europeans under the new GDPR you must have actual active consent. You likely cannot rely on the standard practice in the U.S. of having a generic statement that continued use of the website is deemed to be consent to collect or store the data of your website users or customers. In addition to the active consent requirement, if you change your use of personal information under your privacy policy, under the GDPR you must notify the users individually and directly, rather than simply placing a new policy on your website.  If your European user wants to have their data provided to them (to see what it is you have collected), you must provide it.  Likewise, you must be able to delete their information upon request.  You must provide a method for the users to make inquiries about your use of their data, and a procedure for users to file a complaint. GDPR also requires notification to users of any breach of certain types of data within 72 hours of discovery.

While applicable to any company, if you do business in Europe it is especially important for you to have your privacy policy up to date. You should ascertain what personal data you currently collect and store,  how you collect it, and who you share it with. You should make sure your site is up to date with proper technology, such as having proper consent mechanisms in place (active click on consents) and consider the additional implications of requiring consent from users who are implementing “do not track” software when they visit your website. You should also make sure you have the appropriate data breach protocols in place that contemplate the short window before disclosure will be required by GDPR.

We can help you with these matters and other IP and intellectual property issues. Call contact Gerald McDonald at 937-223-1130 or via email at gmcdonald@pselaw.com PSE.

AUTHOR: Jan Burden
JBurden@pselaw.com