SEAT Global Magazine - Exclusive Interviews of Global Sport Executive Issue 09 March/April 2018 | Page 18

"U.S. companies should be paying attention and changing practices now and not waiting to become a headline down the road"

Yes, The GDPR Will Affect Your U.S.-Based Business

Coming in May 2018, the EU's General Data Protection Regulation will bring about the greatest change to European data security in 20 years. If you’ve only been following the headlines, you’re probably aware of the “right to be forgotten,” 72-hour breach reporting, stronger consumer consent and high fines.

Of course, an EU-based company or multinational corporation that does business in the EU is, we hope, well on the way to complying with the GDPR. But what about U.S. companies that have no direct business operations in any one of the 28 member states of the European Union? They have nothing to worry about, right?

Not true.

Any U.S. company that has a Web presence (and who doesn’t?) and markets its products over the Web will have some homework to do.

Territorial Scope

A very important change in the GDPR that hasn’t received the attention it deserves has to do with the geographic scope of this new law.

To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.

The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects "personal data" -- EU-speak for what we in the U.S. call personally identifiable information (PII) -- as part of a marketing survey, then the data would have to be protected GDPR-style.

Targeted Marketing And The Web

U.S. companies without a physical presence in an EU country collect most of the personal data belonging to EU data subjects over the Web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR?

Here’s where the scope of requirements becomes a little more complicated.

The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.