If you haven’t yet stopped to read about the GDPR (General Data Protection Regulation), you probably have heard the term thrown around. Even though the GDPR is a regulation for the EU (European Union) – it does have some implications for US based businesses. We’re going to take a minute to explain what this means to you, as a US based company. Please always keep in mind that Your Store Wizards are not lawyers. We do our best to notify our clients of potential up and coming developments, but if you have more detailed questions, always seek the advice of a legal professional.
The GDPR officially goes into effect on May 25, 2018.
If you are a small US based company, your chances of fined for a GDPR violation is very slim. But, this being said, as US based businesses, we should make every attempt to follow the law if we do business with EU countries. This “regulation” is extremely strict, with fines up to $23 million USD, or up to 4% of company revenue, whichever is larger. You can see that the regulation specifically is written to keep larger companies in check, you should still comply with this regulation to the best of your abilities.
Let’s Start With the Law Itself
The General Data Protection Regulation (GDPR) is a regulation in EU law for data protection and privacy for all individuals who reside in the EU countries. It addresses the export of personal data outside of the EU. The purpose of the GDPR is to give EU citizens and residents control over their personal data and how it is used through unifying one regulation throughout all of the EU.
According to the EU – personal data is any information relating to an individual, regardless of professional or private public life. It consists of a person’s complete digital footprint. It can be anything from a photo of their dog, posts on social media or even a person’s IP Address.
There are 6 main principles of the GDPR
- Data shall be processed in a lawful, fair and transparent manner.
This basically means you need to be honest about what you are collecting data for.
- Data shall be collected for specified and legitimate purposes.
You can’t lie about how you use the data you’ve collected.
- Data collection needs to be limited to what is necessary for the purpose.
No more offering “free gifts” to try to learn more about your customers. If you are offering a free pen for an email address, you can only collect the necessary information to deliver the pen.
- Data shall be accurate and kept current, and also corrected.
This doesn’t mean much to the average small business. This is directed for larger companies that collect large amounts of data.
- Data shall be kept “no longer than is necessary”.
i.e. – purge old data. You are not allowed to keep it with the hopes of using it in the future.
- Data shall be processed in a manner that ensures appropriate security.
You should already be SSL (if you’re not – not only are you violating this law, Google is soon to drop you from the organic search results and penalize you by showing your customers a message that your site isn’t secure).
You are most likely PCI Compliant already. Any data needs to be secure.
What Do I Need to Do as a US Based eCommerce Business?
We’re going to make this as simple as possible. This is one crazy long law that most small businesses do not have the time to learn.
- If you are simply a US based eCommerce business, you must comply with this law if you are doing business with someone who is based in the EU. Is it enforceable? Yes, but most likely not if your company is small enough.
- Do not add European Union customers to your email marketing lists automatically. You must get a separate consent to market to them. For example, if you were to host a webinar, you cannot email European people after the webinar unless you expressly gave them a checkbox explaining to them that opting in gives permission for them to be contacted.
- These rules apply to existing email lists. If you send marketing emails, check with your email provider such as MailChimp, Klavio, etc. Most email marketing companies have been ready for the implementation of GDPR for a long time and have all necessary tools for you to be compliant.
What is the name of the entity that is collecting the data?
Why is your entity collecting the data?
What legal reason do you have to collect the data?
Are you sharing your data with other companies (be careful drop shippers!!!)
How is the collected data going to be used?
How long will you store their data for?
What rights does the individual who’s data you’ve collected have?
How can the individual who’s data has been collected raise a complaint?
What Should I Do?
You have four options. Before you feel nervous, let us describe them in a little more detail.
- Do Nothing – Since the law is designed to only protect people who reside in the EU (European Union), there is a slim chance of any harm coming to your US based company unless you are a larger entity that is specifically targeting EU customers in a less than desirable manner.
- Sign Up for Cookie Popup Warning – Your Store Wizards offers a simple, but effective solution of providing your customers with a popup message that notifies users that cookies are used on your website. Also, while not GDPR compliant, it is a great first step. To learn more, click here.
- Sign Up for Cookie Opt Out Through Your Store Wizards and Cookiebot – Your Store Wizards has partnered with Cookiebot. Cookiebot is a full GDPR solution that will allow your customers to view the cookies used on your website (if they choose) which will then allow the customer to decide if they choose to continue browsing your website. To learn more about Cookiebot and Your Store Wizards, click here.
As always, please remember that this article is only written for your informational purposes and is not legal advice. For legal advice, you should always contact a legal professional. We’re always available to help answer questions the best we can. For more information, contact us.