EU GDPR: Consumer Rights and Privacy Protections
Disclaimer: This article does not constitute legal advice.
The changes and updates in privacy policies help businesses avoid numerous consumer complaints, especially on websites like Yelp, PissedConsumer.com and BBB.org. While this is considered to be well-reasoned, there’s really a simple explanation: the GDPR.
What is the GDPR?
The General Data Protection Regulation (GDPR for short) is a regulation from the European Union (EU) that came into effect on May 25, 2018.
In basic terms, the GDPR includes regulations designed to protect consumers’ privacy and give them more control over the data companies collect about them.
How Are Consumers Protected by the GDPR?
Here are some of the specific things the GDPR does to protect consumers in the EU:
- Consumers have the right to know how their personal data will be processed and used.
- Consumers have the right to see what personal data companies have about them.
- Consumers must actively provide consent for the collection of their personal data.
- Consumers can revoke consent after giving it.
- Consumers can request their personal data be deleted in certain circumstances.
Types of Data Collection Covered by the GDPR
What exactly does that include? Here are some potential examples to be aware of:
- phone numbers
- email addresses
- birth dates
- other location data
- information about someone’s physical appearance
- ID numbers
- IP addresses
- tax information
- religious or political affiliations
- medical histories
- genetic data
Is Your Business Compliant with the GDPR?
Not sure if your company is GDPR compliant? While these circumstances don’t guarantee full compliance, they’ll give you an introduction into what GDPR compliance requires:
- only possess individuals’ personal data if they obtained consent or have a legitimate business interest (such as collecting a delivery address to deliver something a customer ordered);
- notify individuals about how their data will be collected and used;
- remove individuals’ personal data when it is no longer necessary for the reason the business collected it;
- keep all personal data secure;
- notify consumers if their personal information is exposed in a data breach;
When a business is not compliant with the above, it may result in hundreds of customer complaints on GDPR violations. Not only do these impact reputation, but you can soon find yourself in a bad situation resolving those issues.
A Note on GDPR Consent
Under the GDPR you need a consumer’s “active consent” before collecting, processing, and storing their personal data. For example, if you use a form on your website to collect personal information like name, address and email address, you might have a checkbox that gives you their consent.
Active consent would mean that checkbox is blank / un-checked when the consumer first sees it. They have to actively click to check that box and give you their consent. If it’s pre-checked, that would not be GDPR compliant.
If your notice simply says “by using this website, you consent to us using cookies…” that would not be GDPR compliant. You would need a button or some other active behavior on the part of your visitors.
Does the GDPR Apply to U.S. Businesses?
The GDPR doesn’t only impact businesses based in the EU. It covers businesses collecting personal data about anyone in the EU.
That might be intentional, such as your business running a European portal. Or it might not be intentional on your part – like people in EU countries subscribing to your company’s email list.
Blocking EU Customers & Visitors
Some U.S. publishers weren’t ready for the GDPR changes, so they blocked all EU users. In theory, this is a good idea if you need to buy some time to become compliant. But it doesn’t necessarily mean you would be off the hook.
Because the regulations are so new, you’ll find a lot of conflicting information about what impact the GDPR may have on companies in the U.S. and elsewhere outside the EU. But here are some important points:
- The GDPR applies to data collected from people while they are in the EU (not necessarily EU citizens interacting with your business from outside the EU).
- Your U.S. business could be liable if you have any EU presence (such as running campaigns targeting people in the EU, having an EU office, or storing data in the EU).
- While it’s unclear how penalties could be assessed on non-EU countries, those fines are hefty and worth keeping in mind: top-level fines can run to the greater of 4% of a company’s annual revenue or €20 million.
Despite EU companies having years to prepare for GDPR compliance, many companies outside the EU simply haven’t heard much about it. If you aren’t compliant yet, now is a good time to conduct a full privacy audit.
I'm a Head of Marketing at PissedConsumer.com, a review platform and consumer advocacy website. I’ve worked in the marketing area for over 14 years and have gained extensive experience in communication with businesses, customers, and media representatives. Aside from helping customers be heard, I also intend to help businesses improve their...