The GDPR and Mississippi Businesses


“We don’t have any European clients. Do we need to address this new GDPR law?” I received this question and others like it earlier this year as we approached the effective date for the European Union’s General Data Protection Regulation (GDPR). In fact, we continue to be asked about it frequently by clients and prospects. What does the EU’s GDPR and its privacy protection requirements have to do with Mississippi businesses? For many, it has absolutely nothing to do with your website or how you operate your business. For others, if you do any business with customers in an EU member nation or if you market products or services to EU residents, it undoubtedly will have an impact.

What is the GDPR?

A few years back the European Parliament and Council established a set of consumer privacy protection guidelines in a law known as the GDPR. This law is applicable to businesses collecting personally identifiable information from residents of European Union countries. Among other things, these guidelines address:

  • What type of consent is required to collect personal data
  • What measures must be taken to protect certain data
  • What rights consumers have over data that has been collected

The scope of the requirements was so vast that the law did not go into effect until May of 2018, giving businesses over two years to meet the law’s requirements. You might remember receiving, back in late May, any number of emails from companies saying they had updated the privacy policy on their website. This was why. Even though you didn’t live in an EU country, the business most likely had customers in the EU and had to address the law’s requirements. Thousands of businesses were making updates at the last minute to avoid the potential penalties for non-compliance. This is when we started receiving some calls.

Does The GDPR Impact My Business?

The GDPR was developed to provide a consistent set of consumer privacy protection laws and standards across all EU members. However, the law also applies to any company doing business with or marketing to residents in the EU regardless of the company’s location. Therefore, if you own an eCommerce site based out of Jackson, MS, but have customers that are residents in a European Union country, then you must adhere to the GDPR requirements. If you do not have customers in the EU and do not target customers in the EU, then the law does not apply to you.

GDPR Penalties

The law gives governing authorities the power to investigate potential GDPR violations and work with businesses to take corrective actions. On a case-by-case basis, the corrective actions may include penalties for non-compliance that can range up to 4% of annual revenue or 20 million euros, whichever is greater. Yikes! (Note: A colleague in the UK recently shared with us that it’s widely believed the authorities will not be overly harsh with businesses unless there is a blatant disregard for the law and its intended protections.)

Impact For Your Website

So, what does this mean for your website if, for example, you have clients in the UK? Or if you have an opt-in email newsletter that you are targeting to customers who might be residents of an EU nation? The complete answer is best left to your lawyer, but there are some high-level concepts we will touch on for companies needing to comply with the GDPR.

Cookies

All websites use cookies. Some help your website function properly, while others are used to track visitor locations, traffic patterns, etc. Under the GDPR, IP addresses and cookie identifiers are considered personally identifiable information. Therefore, if your site uses cookies that track users or their behavior (and there is a very good chance it does…think Google Analytics), then to be GDPR compliant you must get consent from EU residents before those cookies track their use of the site. Most CMS and eCommerce software packages in commercial use today have marketplace plugins to help you comply with this cookie consent requirement. Your web developer will be familiar with these tools. It’s important to specifically inform your site visitors what cookies you are using, for what purpose they are being used, and how they can modify their cookie preferences if they so choose.

Opt-Ins

Do you have a form on your website that has an opt-in newsletter invite? For example, when customers place an order on your website, do you have a checkbox for them to sign up to receive a monthly newsletter? If so, that opt-in checkbox can no longer default as checked for “yes”; it must default to blank or “no”, requiring the user to actively check the box to sign up for that communication method.

Any opt-in options should be specific, allowing users to provide explicit consent for each type of data permission you are requesting. For example, if you want permission to send both emails and direct mail advertisements to a customer, these should be separate opt-in options for the user to select.

A final point on the concept of contact permissions is that they should not be bundled together with your terms and conditions acceptance. Separate out any active communication opt-ins from the terms of use acceptance on your site.

Right To Be Forgotten

Under the GDPR it must be just as easy for users to be able to withdraw consent as it was to grant it. The language also grants the user the right to be completely forgotten, requiring all personal data to be erased upon request once it is no longer reasonably necessary to conduct the business for which the consent or data was provided. Make it clear to site visitors how this can be done, whether it is modifying cookie preferences, withdrawing opt-in consent, or requesting personal information to be removed.
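The opt-in and withdrawal rules from the last two sections, as an added example (not code from the original post): consent is recorded per purpose, a missing checkbox counts as “no”, terms acceptance never implies marketing consent, and withdrawal or erasure is a single call. Field names such as `consent_email_newsletter` and `accept_terms` are assumed for illustration.

```javascript
// Added example (not from the original post): server-side handling of the
// opt-in and withdrawal rules described above. Field names such as
// "consent_email_newsletter" and "accept_terms" are assumed for illustration.
const CONSENT_PURPOSES = ["email_newsletter", "direct_mail"];

// Build a per-purpose consent record from submitted form fields.
// Browsers omit unchecked checkboxes from the submission, so a missing field
// means "no"; only an explicit value counts as a grant. The form itself must
// render every consent box unchecked so that "no" is the default path.
function recordConsent(formFields, now = new Date()) {
  const record = { purposes: {}, grantedAt: {}, withdrawnAt: {} };
  for (const purpose of CONSENT_PURPOSES) {
    const raw = String(formFields[`consent_${purpose}`] ?? "").toLowerCase();
    const granted = ["on", "yes", "true"].includes(raw);
    record.purposes[purpose] = granted;
    // Keep when the consent was given: it is the evidence that it was explicit.
    if (granted) record.grantedAt[purpose] = now.toISOString();
  }
  // Terms acceptance is recorded separately and never implies marketing consent.
  record.acceptedTerms = formFields.accept_terms === "on";
  return record;
}

// Withdrawal must be as easy as granting: one call per purpose, no conditions.
// Returns a new record and leaves the original untouched.
function withdrawConsent(record, purpose, now = new Date()) {
  if (!(purpose in record.purposes)) throw new Error(`unknown purpose: ${purpose}`);
  return {
    ...record,
    purposes: { ...record.purposes, [purpose]: false },
    withdrawnAt: { ...record.withdrawnAt, [purpose]: now.toISOString() },
  };
}

// Erasure request: drop every personal field from a customer profile. Which
// non-personal fields (if any) may be kept is a legal decision; the list of
// personal fields below is assumed for illustration.
const PERSONAL_FIELDS = ["name", "email", "postalAddress", "ipAddress"];
function erasePersonalData(profile) {
  const erased = { ...profile };
  for (const field of PERSONAL_FIELDS) delete erased[field];
  erased.erasedAt = new Date().toISOString();
  return erased;
}

// Constructed sample submission: terms accepted, only the newsletter box ticked.
const submission = { accept_terms: "on", consent_email_newsletter: "on" };
console.log(recordConsent(submission));
```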

Terms of Use and Privacy Policy

You’ll need to update your privacy policy and terms and conditions to reflect the required concepts covered by the GDPR. Your lawyer should craft this language, but the language must state specifically what data you are collecting, how you are collecting it, why you are collecting it, and for how long you will be keeping it.

Final Thoughts

By no means is this list of issues complete when it comes to your website and the GDPR. We’ve simply addressed some of the common issues relevant to almost all sites needing to comply with the GDPR. The requirements are vast and actually extend far beyond data you collect on your website. However, the law also reduces requirements on businesses with fewer than 250 employees in certain cases, so certain guidelines may not apply to you. The intent of the law is to protect the privacy of consumers, and that’s a good thing for all of us long term. If you believe your business must adhere to GDPR guidelines, and you are unsure of where to start, familiarize yourself with the GDPR language and consider contacting a third-party expert to provide guidance on how to achieve compliance.
