What exactly is GDPR, and if you have a US-based business with a website, why should you care about the upcoming deadline of May 25, 2018? I recently talked to a few businesses, and they didn’t know anything about it. And, they’ve never heard of it. As someone who is involved daily with digital marketing and search engine optimization of websites, I have to tell you that if you’re an EU-based business then you’ll need to comply with the new GDPR regulations by May 25, 2018. If you’re not in the EU, then you actually should care about it, as it will have an affect on your website–at a minimum, your Google Analytics data.
What is GDPR?
To answer that question, it’s best answered by my friend Jenny Halasz, who wrote an article about it in Search Engine Journal:
“GDPR is short for General Data Protection Regulation, and it’s going into effect on May 25, 2018 in the European Union and the associated countries. Its purpose is to finally make good on a legal question from several years ago about how data is used and whether individuals own the data that they create by interacting with websites online. The courts ruled that individuals are the owners of their data, not the corporations (or websites) that collect the data. Therefore, it must be deleted on a regular basis so that customers don’t have to constantly contact websites they may have visited and ask them to delete their data.”
While the GDPR is specific to businesses with websites in the European Union countries, most websites don’t currently block visitors from visiting their websites from EU countries. Even US-based businesses should consider whether or not they need to delete that data or not. Of biggest concern at this point is how Google Analytics deals with the data that’s collected, and if a setting isn’t changed in the GA account by May 25, they could lose all of the Google Analytics historical data older than a certain number of months, which is 26 months.
After consulting with a few of my legal contacts, they basically told me that the biggest concern for US-based companies is that someone in the US could sue a business with a website for not complying with GDPR-like regulations. In my professional opinion, even though a US-based company doesn’t do business in the EU, they do get EU-based website visitors. We don’t know how EU regulators are going to enforce these regulations at this point. Regardless, US-based companies with websites should be aware of GDPR, and consult their legal team before deciding whether or not they will retain the data or not.
For US-based websites, there are choices, as I personally see it:
- Do nothing, and keep retaining the data. Set Google Analytics so you retain all of the historical data.
- Comply with GDPR regulations and delete all data older than 26 months.
- Completely block all traffic and visitors to your website that come from European Union countries, telling them they can’t access the website.
- If a visitor comes from an EU country’s IP address, you could redirect them to a landing page telling them that you don’t comply with GDPR, so you’re not letting them access your website.
- If a visitor comes from an EU country’s IP address, you could have a popup come up or a message on the website that tells them that you DO comply with GDPR, and you don’t save data older than 26 months.
Those are few options—at this point, for US-based business I recommend that you DO continue to collect the data via Google Analytics and update the GDPR settings. You can find out more information here: https://support.google.com/analytics/answer/3379636. Here’s a screen shot of what the Google Analytics settings looks like:
GDPR Questions and Answers for US-Based Companies
Here is a list of several different questions and answers, along with data points that explain the GDPR implications for US-based companies. However, even if you are outside the US, then you still will want to understand these points.
Does GDPR affect US companies? YES
- If your company has an online presence, a website that can be accessed by any person in the world (which you more than likely do), then you need to be very aware of what’s going on with GDPR. (via Business.com)
- Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
- Gartner predicts that almost 50 percent of U.S. businesses will not be able to comply with GDPR in time.
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
- Data breach within 72 hours
– Option for Class Action lawsuits
– Suspension of personal data processing in case of non-compliance
– In addition to fines up to 2% of annual revenue or €10 million for technical infringements
- Non-compliance with fundamental principles and rights
– 4% of annual revenue
– or €20 million
- Agreement Between the UNITED STATES OF AMERICA and the EUROPEAN UNION – This gives the EU the ability to sue US companies (Reference – Article 3(F)
- Evidence of past US settlements over Privacy Shield
- Past lawsuits in the EU over privacy and the right to be forgotten
- Corporate tax cuts bringing $ back to America
- Recent blow up of privacy and censorship via Facebook, Google, and Twitter
A PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
What types of PI data is included in GDPR?
Thee are certain types of PI data (personally identifiable data) that is included in GDPR. Here’s more info about the Personally Identifiable data involved in GDPR.
What are the fines for not being compliant?
What are fines for being non-compliant with GDPR? They are pretty large.
Do US companies need to worry about EU enforcement? YES
What US-based Companies Should Consider
If you are a US-based company, what other things should you consider?
Keep in mind that I’m not a lawyer—so I do recommend that you consult with your legal team before making any changes related to GDPR. And, if you decide to block EU visitors, there are ways to do that–and I can help steer you in the right direction. Or, if you have questions about GDPR, and whether or not you’re compliant or not, let me know and I can help.