Don’t let that legal jargon-y title put you off. We’ve mentioned GDPR (the European General Data Protection Regulation) in the past. It is a European privacy regulation that became enforceable on May 25, 2018. One of its core requirements (Article 25, “data protection by design and by default”) is to make privacy by design the normal state of affairs rather than an afterthought.
When the regulation came into effect, the general consensus was: “GDPR applies to any company or organization, no matter where it is located, that collects personal data from anyone who lives in the European Union.”
This meant that any American organization that had non-anonymized Google Analytics tracking its users’ IP addresses, for example, could be subject to the GDPR. Fortunately, the European Data Protection Board (EDPB) has now clarified the territorial scope of the GDPR (how widely the regulation can be applied). In the EDPB’s own words:
The EDPB also wishes to underline that the fact of processing personal data of an individual in the Union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the Union. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behaviour (as further clarified below), must always be present in addition.
In plain language, see this example from the EDPB:
Example 3: A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU. In this case, in the absence of any representation or stable arrangement of the hotel and resort chain within the territory of the Union, it appears that no entity linked to this data controller in South Africa can qualify as an establishment in the EU within the meaning of the GDPR. Therefore the processing at stake cannot be subject to the provisions of the GDPR, as per Article 3(1).
Does this mean I’m home free as far as privacy is concerned?
Not by a long shot. First, note the words “in addition” in the EDPB’s statement above: the hotel example only settles the establishment test in Article 3(1). A company with no EU presence can still be caught by Article 3(2) if it targets people in the EU by offering them goods or services or by monitoring their behaviour, so read the clarification as narrowing the GDPR’s reach, not removing it. Second, even if your organization is not subject to the GDPR and does not risk its heavy fines, you may still be subject to HIPAA, CalOPPA, FERPA, CAN-SPAM, COPPA, GLBA, or many other laws in effect in the United States. Not being subject to the GDPR specifically is no reason to play fast and loose with your customers’ information. It’s all about trust: you need your visitors, customers, or donors to trust your organization or business and your website, and keeping their private information private is one important way to retain that trust.
Our privacy suggestions outlined here are still a good starting point for how to protect your visitors’ information with privacy by design and common sense data protection. While you are taking these steps, be sure to consult a lawyer to make sure you are doing all you can do and all you need to do to keep your visitors’, customers’, and donors’ personal information safe and secure.
Want more info on GDPR? Check out this post on JD Supra for a legal look at GDPR territorial scope, or read the EDPB’s full Guidelines 3/2018 on the territorial scope of the GDPR here.