Effective May 25, 2018, the European Union General Data Privacy Regulation (GDPR) comes into force, affording enhanced protection to the personal data of EU citizens no matter where in the world that data is located. Thus, any business that collects data from any EU citizen is required to comply, regardless of where the business is based. This regulation could have significant impact across all major industries given the degree to which businesses (of all sizes) conduct sales and communicate with a global client and customer base online.
Infringements to the regulation could have significant financial penalties for many organizations, depending upon the type and scale of the infringement. The EU may apply fines of up to €20M or 4 percent of an organization’s total worldwide annual turnover — whichever is larger.
The GDPR ensures that the same protection of personal data is afforded to EU citizens, regardless of where their data is processed or stored. This means that GDPR compliance has multiple dimensions and is not limited by physical geography; organizations in North America, Asia, and other continents must comply if they store and process EU citizen data. Organizations that hold data on EU citizens will need to thoroughly understand their compliance requirements, regardless of which country their operations or data centers are physically located.
Retail businesses collect significant quantities of data on their customers — indeed, for every online order, a business collects the customer’s payment information, address, email address, and often a phone number. Businesses also collect information through loyalty cards, online user accounts, and third-party fulfillment and profiling systems. All of this personal information will be protected by the GDPR.
The GDPR is all about the data of consumers, not the company. Companies with networks containing customer data are liable if they:
This means that a business residing in the United States, Canada, or anywhere else in the world that deals with the data of a customer in the EU will still be affected by the GDPR. And that means businesses offering goods and/or services online won’t be exempt from the GDPR — whether the business is an international conglomerate or a small, family-run business.
The GDPR will inevitably result in tension with U.S. companies who seek to comply with U.S. discovery obligations while maintaining compliant data processing and retention policies for the data they hold of EU individuals. Although there has been a longstanding tension between EU legislation regarding privacy rights and U.S. e-discovery obligations, the GDPR and “various EU country-specific data privacy laws make even more challenging when faced with collection, processing, review, and production tasks along the e-discovery lifecycle.” Companies should be mindful of enforcing data retention policies to be in accord with both the GDPR and the U.S. discovery obligations to ensure they will not be subject to penalties under either law.
With respect to penalties, U.S. companies will face penalties for non-compliance with the GDPR as well as sanctions for non-compliance with new U.S. discovery rules. To alleviate these potential conflicts in data retention and discovery, attorneys will need to carefully plan their data collection and data requests during the early stages of litigation to avoid a conflict between a US court order and the stringent GDPR requirements.
Comparing the GDPR’s heavy fines with U.S. court sanctions, an increasing number of U.S. companies may decide to pursue early settlements or risk sanctions in the US to avoid the steep fines for GDPR violations. This cost-benefit analysis of choosing settlement versus pursuing litigation may be an attractive option for companies facing litigation that is not considered a serious threat to the company or its way of doing business.
The cost-benefit analysis should be based on the conflicts between U.S. discovery and specific GDPR provisions which are further examined below.
But all this hinges on whether there is EU citizen data ordered to be produced. An EU citizen could be living in the United States on a visa and give a U.S. address, but that person is still an EU citizen and is afforded the rights and protections of the GDPR.
Especially within the retail and e-commerce sectors, capturing and using customer data plays a significant role in product marketing decisions, as well as underpinning the product journey from seller to consumer. Businesses will need to comply with the GDPR in order to continue selling and trading to customers based in the EU. The following are some of the key changes the GDPR will introduce and what that means for retail businesses.
Many of the most recent data breaches have involved the retail industry. The GDPR will require that companies report data breaches to regulatory bodies within 72 hours. This requirement is notably stricter than similar laws in the United States, which provide for a “reasonable” notice period. This is more accommodating based upon the circumstances, unlike the GDPR’s strict “one size fits all” rule. So that business are not caught off-guard in the case of a breach, they should have a response plan in place (including plans for insurers, PR, and suppliers), and should also take steps to minimize the risk of a breach in the first place.
Many businesses use customers’ personal data for marketing purposes, including to inform customers of new deals and offers. Under the GDPR, businesses cannot use customers’ information for marketing purposes without first obtaining each customer’s affirmative consent. Unlike in the United States, it is insufficient to note in the business’ online terms that customer information may be used for marketing, or even to include a pre-checked box stating that the customer agrees to receive marketing emails. Instead, the consumer must affirmatively opt-in to receive such emails, for example, by checking a box or typing in their email address.
The GDPR will regulate the profiling of individuals, where data is collected in an automated format and used to build perceived customer preferences. For retail, this usually takes the form of loyalty cards, targeted advertising, etc. Businesses are also required to obtain express consumer consent to use customer information for these purposes. Businesses must also give consumers the opportunity to object or refuse profiling. If your profiling is done through website cookies, consent may already be in place.
Although we have provided a general overview of the GDPR’s new requirements, businesses should consult counsel experienced in this area to ensure they are prepared to fully comply. Again, failure to satisfy these new and unusually strict requirements can be very costly for businesses — both in the form of the GDPR’s high penalties, and in the forms of bad PR or lost sales.
For more information on the impact of this development on your business, contact: