What does GDPR mean in the United States?
The General Data Protection Regulation (GDPR) was created by the European Union (EU) in order to empower users to have more control over their personal data online. This regulation created data protection rules for all companies operating in the E.U., protecting all E.U. residents.
So what does this mean for U.S. based companies? More than you might think.
GDPR covers all companies operating in the E.U., and from an internet and data perspective, those companies are all over the world. U.S.-based companies should operate as if they are operating in the E.U. (even if they think they are not) because:
- U.S.-based websites can be accessed from Europe
- All E.U. residents are covered by this regulation, regardless of location. An E.U. resident in Boston has the same rights as they do at home in Brussels.
In many cases, however, perfect compliance will be unattainable for a company. There are levels to GDPR compliance, and different companies should reach different levels depending on their means. A small nonprofit does not have the means to comply perfectly with the GDPR, but an international company based in the U.S. with the appropriate means should be perfectly compliant.
American Compliance to GDPR
There are certain compliance levels that all websites should attain, and they are relatively simple changes that any website manager should be able to make in 1-2 business days. At the bare minimum, all websites should:
- Update their Privacy Policy / Terms & Conditions to explain how they are collecting and using data
- Notify users of the changes via email
- Add a notice to the site explaining to users that some of their information is being collected, and allow them to opt in to that data collection
Before mapping out a plan for compliance, it’s important to answer the following questions:
- What percentage of your traffic is E.U.-based? This can be found via Google Analytics Geo Reports
- What information are you tracking on the user? Do you have pixels on the website which track any Personally Identifiable Information (PII)?
- Do you have on-site e-commerce functionality?
- What third-party integrations with marketing platforms do you employ?
Every Controller, or website manager, should answer these questions when implementing data protections for their users. Your responses to these questions should determine your level of compliance with the GDPR. Together, we can identify general buckets of compliance for different types of American companies.
Local Nonprofit
Let’s say you work for a nonprofit based in Massachusetts. Your work focuses on aiding Massachusetts residents only and doesn’t intentionally engage any European residents.
Will anything change once you answer the GDPR questions? Note: the answers below are the author's own and are not specific to any single company.
- What percentage of your traffic is E.U.-based?
  - 5%
- What information are you tracking on the user? Do you have pixels on the website which track any Personally Identifiable Information (PII)?
  - Google Analytics tracking in place for anonymous website data
- Do you have on-site e-commerce functionality?
  - Using a third-party platform to handle donations
- What third-party integrations with marketing platforms do you employ?
  - There are no third-party integrations to marketing platforms, only to the donation platform and a MailChimp email sign-up
These answers may be considered harmless to a user, but there still are minimum changes that should be made to this website.
First and foremost, the Privacy Policy needs to be updated to reflect the use of an anonymous behavior tracking tool like Google Analytics. This should be followed up with a notice to all users via email referencing the change.
Second, a notice should be implemented on the website instructing users that there is anonymous tracking on the website. It is perfectly fine in this instance to have a message similar to:
This website uses cookies to track behavior data. This data is 100% anonymous and safeguards are in place to ensure data security. By continuing to browse this site, you are consenting to our use of cookies. Read our Privacy Policy to learn more.
Finally, a team member needs to be appointed Data Protection Officer at the organization, with their contact information available on the Privacy Policy page. This person should serve as an advocate for the user to ensure proper data protection, and as the representative of the company who fields concerns and requests for data.
National Company
Now let’s say your company has multiple offices and remote workers across the country. You sell products only in North America and whenever you receive a lead from outside of your region, you politely decline or refer the lead to an industry peer.
How does this company stack up when answering the same questions?
- What percentage of your traffic is E.U.-based?
  - 11%
- What information are you tracking on the user? Do you have pixels on the website which track any Personally Identifiable Information (PII)?
  - Google Analytics tracking in place for anonymous website data
  - AdWords to track user data to show ads on different websites + Collecting PII via third-party marketing platform
- Do you have on-site e-commerce functionality?
  - Yes, the website is equipped with e-commerce
- What third-party integrations with marketing platforms do you employ?
  - Yes, a third-party marketing platform is present, along with a third-party email service
Compared to our previous nonprofit example, this company is collecting more user information, and while they may not be operating in the E.U. intentionally, they are collecting enough PII that additional compliance is required.
The additional compliance is required because all E.U. residents, regardless of location, have unconditional user rights (which we covered in Part 1). An E.U. resident can be shopping on your website in the U.S. and file a complaint with their Supervisory Authority in the E.U. if there is improper data collection taking place.
So what should this company do?
First, they should complete all of the same steps as the nonprofit above: update their Privacy Policy and notify users of the change, add a privacy notice when the user logs onto the website (more on this in a second), and appoint a privacy officer.
However, there is one substantial change regarding the consent to tracking. The nonprofit employed a tactic called consent by default, which is only acceptable if you are not tracking any PII. Since this website is tracking Personally Identifiable Information, all trackers should be set to opt-out by default.
This can be managed by wrapping all tracking pixels in a conditional wrapper so user tracking will not occur until said user has opted in to tracking. This is best presented to the user in a privacy notice:
Our website uses cookies to enhance your user experience. You will be able to browse the site whether or not you accept cookies. Please refer to our Privacy Policy for more information.
Within this message, the user should be presented with the options "Accept", "Reject", or "Read More", the last of which goes to the Privacy Policy where they can learn more about the tracking.
After the user accepts or rejects cookies, they must also be able to change their selection in the future. If using a plugin or module to handle this, we recommend GDPR Cookie Consent on WordPress and EU Cookie Compliance on Drupal (https://www.drupal.org/project/eucookiecompliance), both of which can provide options for a user to change their preferences. If you are not using a module, we recommend adding a preference checkbox to the Privacy Policy page which, using JavaScript, can adjust the user's consent.
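The conditional wrapper described above, as an added example that is not part of the original post or of either plugin named in it: tracking pixels are registered as loader callbacks behind a consent gate that defaults to no tracking, only runs them after "Accept", records "Reject", and exposes the same accept/reject calls a preference checkbox on the Privacy Policy page can use later. The storage key, element ids and script URL are assumed placeholders.

```javascript
// Consent gate for tracking pixels (added example, not from the original post).
// Trackers run only after an explicit opt-in; with no stored decision the default
// is no tracking. The decision is kept in localStorage under an assumed key.
const CONSENT_KEY = 'tracking-consent'; // assumed storage key name

function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

function createConsentGate(storage) {
  let store = storage;
  if (!store) { // browser localStorage if usable, otherwise in-memory fallback
    try { localStorage.getItem(CONSENT_KEY); store = localStorage; } catch (e) { store = memoryStorage(); }
  }
  const pending = [];        // registered trackers: { name, loader }
  const loaded = new Set();  // names of loaders that have already run
  const gate = {
    // 'accepted', 'rejected', or null when the user has not decided yet.
    getConsent: () => store.getItem(CONSENT_KEY),
    // Wrap a tracking pixel in the gate; it fires now only if already accepted.
    register(name, loader) {
      pending.push({ name, loader });
      if (gate.getConsent() === 'accepted') gate.flush();
    },
    accept() { store.setItem(CONSENT_KEY, 'accepted'); gate.flush(); },
    // Rejecting, or later withdrawing consent from the Privacy Policy page,
    // blocks future loads; trackers already running on this page need a reload.
    reject() { store.setItem(CONSENT_KEY, 'rejected'); },
    flush() {
      for (const t of pending) {
        if (!loaded.has(t.name)) { loaded.add(t.name); t.loader(); }
      }
    },
    loadedTrackers: () => [...loaded],
  };
  return gate;
}

// Page wiring (runs only in a browser): register the analytics pixel behind the
// gate and connect the notice buttons. The script URL is a placeholder.
if (typeof document !== 'undefined') {
  const consent = createConsentGate();
  consent.register('analytics', () => {
    const s = document.createElement('script');
    s.async = true; s.src = 'https://example.invalid/analytics.js'; document.head.appendChild(s);
  });
  document.getElementById('cookie-accept')?.addEventListener('click', () => consent.accept());
  document.getElementById('cookie-reject')?.addEventListener('click', () => consent.reject());
}
```

A Privacy Policy preference checkbox can call the same `accept()` / `reject()` on change; because the stored choice is read on every page load, a later "Reject" stops trackers on the next page view.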
International Corporation
Should there be a difference in compliance between a national and an international company? The short answer is no.
There should not be any difference between their levels of compliance because if the national company is operating under the impression that their users can be European residents, then they will be totally compliant.
An international company based in the United States is likely already on top of their compliance solutions, but if not, they should begin them immediately. How do their answers to our questions stack up?
- What percentage of your traffic is E.U.-based?
  - 45%
- What information are you tracking on the user? Do you have pixels on the website which track any Personally Identifiable Information (PII)?
  - Google Analytics tracking in place for anonymous website data + AdWords to track user data to show ads on different websites + Collecting PII via third-party marketing platform
- Do you have on-site e-commerce functionality?
  - Yes, the website is equipped with e-commerce
- What third-party integrations with marketing platforms do you employ?
  - Yes, a third-party marketing platform is present, along with a third-party email service
The only difference between our national and international companies is the amount of direct website traffic they receive from the E.U.
We recommend that the international company completes all of the recommendations mentioned for the national company, with one significant addition: discuss it with compliance attorneys.
An international company more than likely has the resources to perfectly comply with the GDPR, but before any action takes place, it is strongly recommended that you consult with your legal counsel about your plan and implementation.
Next Steps: Building a GDPR-compliant website
We have established that different U.S. companies will have to attain different levels of GDPR compliance, so now we need to formalize our compliance plan and implement our solutions.
The implemented solutions will be custom to every website based on what user data they are tracking and their means for compliance. Supervisory Authorities are not looking to bankrupt a nonprofit over perfect GDPR compliance; they are looking for gross negligence of the law. Making the simple changes discussed here will put your website in a better place for compliance.
How should we build out our new compliant websites? That will be discussed in Part 3, How to Build a GDPR-compliant website.
Our GDPR series:
- Part 1: What is GDPR? A “relatively” simple explanation
- Part 2: What does GDPR mean for US-based websites? (this post)