In May 2018, the EU’s General Data Protection Regulation (GDPR) will bring about one of the greatest changes to data security in the digital era. While it is designed to protect European citizens, it may affect some U.S. businesses. In response, some of our customers have asked us about recent Google notices they have received regarding European GDPR compliance.
GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. U.S. companies with a web presence should be paying attention to resulting practices and we advise you to consult your legal team if you have any additional questions or concerns.
We reached out to our legal team for insights regarding this new regulation. Below you will find a summary of the regulation and additional information.
Is the GDPR applicable to my website?
The General Data Protection Regulation will apply to U.S. companies under certain circumstances. BigWing is not in a position to make a determination on behalf of its clients as to whether any individual client (or any website or app of that client) may be subject to the GDPR. If you have any doubts, we strongly recommend that you contact an attorney to discuss this further. However, we asked our attorney to provide a general overview of GDPR applicability, which we have included below (although the following should not be construed as legal advice).
A U.S. entity may become subject to the GDPR if it engages in the “offering of goods or services” to individuals in the EU (whether or not payment is required) or “the monitoring of behavior” of individuals while in the EU (specific text set forth in Article 3 of the GDPR).
1. Offering Goods or Services in the EU
If your website engages in transactions with individuals in the EU, it is possible that the GDPR may apply to your company. However, the GDPR indicates that “the mere accessibility” of a website in the EU alone would not be sufficient to make the GDPR applicable to a U.S. entity. Rather, there would need to be something more to indicate outreach to the EU, including, for example, the following:
- Use of a language or currency generally used in one or more Member States with the possibility of ordering goods and services in that other language
- The mentioning of customers or users who are in the EU to make it “apparent that the controller envisages offering goods or services to data subjects in the Union”
- The payment of money to a search engine to facilitate access by EU individuals
- Where EU member states are listed to be targeted by name (for example, when you designate countries to be targeted in a Google AdWords campaign)
- Mentioning telephone numbers with an international code
- Use of a top-level domain name in the EU (such as .de or .eu)
- Other factors taken in combination, such as the “international nature” of the relevant activity (e.g. certain tourist activities), the description of “itineraries…from EU to the place where the service is provided” or a mention of “international clientele composed of customers domiciled in various Member States”
Accordingly, if a website does not typically engage in transactions in Europe or in European currency, does not intentionally target Europe, does not contain European-language content, does not contain an EU cookie banner/consent process, and otherwise does not appear to be intentionally targeting customers in Europe, then the GDPR is not likely to be applicable to it based on the offering of goods or services to EU individuals. However, a website may still fall within the scope of the GDPR based on “the monitoring of behavior” in the EU.
2. Monitoring Behavior in the EU
The “monitoring” about which the GDPR is concerned includes actual monitoring of EU individuals’ behavior on the internet to the extent that “their behaviour takes place within the Union.” Specifically, the Commission has stated that “[i]n order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet, including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviours and attitudes.”
Regarding what must be present to develop a profile of a user, there does not necessarily need to be a person’s name. Recital 30 of the GDPR states: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” Based on this, merely serving ads to people in the EU without more would not trigger the GDPR, but actually creating a profile of individuals located in the EU and then tracking them, engaging in retargeting to them based on their online activities, etc. could trigger GDPR applicability with regard to those individuals.
Following are some resources you may find helpful in evaluating GDPR applicability and reviewing GDPR obligations in the event it is applicable to your company:
- This article from the International Association of Privacy Professionals may be helpful to enable companies to determine if the GDPR is applicable to them
- European law firm Bird & Bird offers this comprehensive resource
- The Direct Marketing Association provides some general information available to everyone and more detailed information available only to DMA members.
- The UK Information Commissioner offers a website with guidance for companies subject to the GDPR.
4. GDPR Undertaking
GDPR compliance is a significant undertaking, involving documentation of data processing activities, determining the legal basis for processing, developing procedures to comply with data subject rights/requests, providing updated notice to individuals, conducting privacy impact assessments and much more. Failure to comply may result in significant fines, so please conduct your assessment and plan accordingly if you must comply with the GDPR.
BigWing’s advertising efforts do not extend to the EU, and the actions of BigWing alone would not cause your company to fall within the scope of the GDPR. However, it is possible that some of our clients may be subject to the GDPR based on the criteria described above. We strongly encourage you to determine this as soon as possible.
Please be aware that merely offering an opt-out solution and/or cookie banner alone will not be sufficient to achieve compliance with the GDPR if your company is subject to its requirements.
Action: Even if you are not based in the EEA, please consult your legal department or advisors to determine whether your business will be in the scope of the GDPR for any reason, including when using Google Analytics, Analytics 360 and/or AdWords/Bing ads, etc.
Disclaimer: BigWing is not providing legal guidance with this post.