EU GDPR's Impact on U.S. Businesses
What is GDPR?
The European Union's General Data Protection Regulation (EU GDPR) establishes new requirements for companies that collect, use, and share data about EU citizens. As of May 25, 2018, every company handling data of EU citizens must adhere to these new data privacy and security measures, whether or not the organization is located within the EU, or face severe penalties. Several key changes impacting the digital advertising industry include:
- A broader definition of personal data that includes IP addresses and cookie identifiers
- Higher standards for establishing valid consent: Under GDPR, consent must be “freely given, specific, informed, and unambiguous” and made by a statement or by a clear affirmative action. Companies are responsible for demonstrating that consent was given (IAB Europe and its members are planning the creation of a consent management platform).
- Purpose limitation: Personal data may only be collected for a specific purpose and may not be used for any new, incompatible purposes.
- Integrity and confidentiality, including the right to be notified if data has been compromised: companies must provide breach notification and more secure data storage, and must assess their data processes in order to prevent breaches and to detect and respond to them.
- Right to erasure: EU citizens may require companies to delete their personal data at any time if they choose to withdraw their consent.
- Accountability: Companies must be able to demonstrate compliance through data protection impact assessments and other procedures.
- Stricter safeguards for transfers of personal data outside the EU
How will GDPR affect you and your business?
- If your organization collects, uses, or shares personal data of EU citizens, GDPR will likely apply, regardless of whether or not you have physical operations in Europe.
- Fines can be high for non-compliance with GDPR: Serious infringements can result in fines of up to €20m, or 4% of your company’s global annual revenue, whichever is higher. Advertising identifiers are now explicitly within the scope of personal data and companies that collect and use these identifiers must demonstrate a valid legal basis for doing so.
- New obligations for demonstrating valid consent will require companies to go beyond existing “cookie banners”.