The EU’s General Data Protection Regulation (GDPR) is widely described (for example in articles on Medium.com) as the strictest data protection law in the world. It has applied since May 25, 2018, and governs how organizations collect and process personal data. If an individual located in the EU visits your website in the U.S. and you collect personal data from them, you need to be GDPR compliant or risk fines. As Intersoft Consulting summarizes the regulation, fines “must be effective, proportionate and dissuasive for each individual case.” In the most severe cases the fine can reach €20 million or 4% of worldwide annual turnover, whichever is higher. Google, the first U.S. company fined under the GDPR, was fined €50 million (about $57 million) by the French regulator CNIL in January 2019.
In a nutshell, “the GDPR is designed to protect EU citizens’ personal data from misuse.” Wikipedia, citing the European Commission, describes personal data as any information relating to an individual, whether it concerns his or her private, professional or public life: “It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Why would a U.S. company need to obey the GDPR?
The Internet is worldwide, and people located in the EU may visit your website. If you collect their personal data, your company is required to follow the rules of the GDPR regardless of where the company itself is based.
Similarly, California has passed its own privacy law, the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020. The law allows consumers to opt out of the sale of their personal data. Separately, it gives consumers a private right of action: they may sue a company whose failure to implement “reasonable” security practices results in their personal information being exposed in a data breach.
There is a plethora of information on the Internet about both of these laws: checklists, sample privacy statements, and detailed guidance. You would be well advised to get help from your attorney, or at least run a draft of your privacy statement by one, before posting it on your site.
More states have since implemented their own privacy laws, so stay vigilant.
What is General Data Protection Regulation (GDPR) and What Does it Have to do With Me?
On May 25, 2018, the General Data Protection Regulation (GDPR), a new European law, went into effect. The GDPR is designed to protect EU citizens’ personal data from misuse. While it primarily applies to European Union (EU) countries, under certain circumstances it also applies to organizations in many other countries, including the United States (US). Unlike the preceding EU directive, which each member state had to transpose into its own national law, the GDPR is a regulation that applies directly and uniformly across the EU, and non-compliant companies can face stiff fines.
Here are some links to online resources:
SAS – Five Steps to Sustainable GDPR: https://www.sas.com/en_us/insights/articles/data-management/5-steps-to-sustainable-gdpr-compliance.html
Firemon – GDPR is Nothing to Fear: https://bit.ly/2CSdGXv
Do I Need to be GDPR Compliant?
Simply put, yes. While the GDPR is an EU law, if your website has visitors from the EU and you collect personal data of any kind from them, your company falls under its jurisdiction; this is especially true for eCommerce sites, which routinely collect names, addresses and payment details. Failure to comply can lead to fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.