Many small business owners recall the uncertainty surrounding the European Union’s (EU) implementation of the General Data Protection Regulation (“GDPR”) in May 2018. Over two years after the EU adopted the GDPR’s language in 2016, businesses finally faced the regulation’s requirements amid a haze of ambiguity. Most businesses felt woefully unprepared to deal with potentially heavy penalties for violations, and many drafted new privacy policies in an attempt to meet the new standard. The problem was the EU’s lack of clarity about how far it would take these novel regulations.
So, what do we know one year later? The short answer is that the EU’s focus may have been narrower than we anticipated. In their initial rollout of proceedings, regulatory bodies brought claims against a number of online behemoths, including Facebook, Twitter, and Google, within the regulation’s first couple of days. A large number of data privacy experts predicted such activity would trickle down to smaller companies serving citizens of the EU, with significant potential fines. Companies began to self-report data breaches at staggering rates, hoping to act within the GDPR’s 72-hour reporting window. Companies requested online visitor consent in instances where those users had already granted the companies access. However, the expected claims against smaller entities have yet to arrive.
Since the initial fears surrounding the GDPR, the EU released helpful guidance for businesses located outside of the governing body’s jurisdiction. The guidance provided that companies located outside of the EU must directly target individuals or entities within the EU to be subject to the GDPR’s regulations. Short of directly offering goods and/or services to the EU, US-based companies seem to be outside the purview of the regulations. Much of the guidance focuses on circumstances surrounding intent: if a company is expressly targeting EU-based individuals or businesses, that company is much more likely to be subject to the GDPR. However, if a company operates a website that merely experiences the occasional EU visitor, it need not worry about GDPR penalties.
This is not to say that US or Wisconsin-based businesses no longer need to pay attention to customers’ or online visitors’ personal information. The GDPR triggered a strong reaction from businesses, potentially overwhelming EU regulators. That surge of reporting and reacting may soon subside once the law becomes more familiar to those tasked with enforcing it. Further, the GDPR acts as something of a precursor to California’s Consumer Privacy Act (“CCPA”), set to become effective January 1, 2020. Application of the CCPA appears to be much narrower than the GDPR (applying to businesses with annual gross revenue above $25 million, amongst other factors). Nevertheless, like the GDPR, the CCPA’s scope extends beyond California’s physical borders, and has US-based regulators to enforce it.
The takeaway is this: one year later, the GDPR does not seem quite as scary to small businesses in the United States. However, it does appear to be the first wave of privacy-focused regulatory measures, starting in California with potential federal legislation to follow.
Following best practices now will pay dividends in the future: monitoring and updating privacy policies, appointing an information officer to act as point person in the event of a data breach, and being mindful of where any information you collect on your website is going and where it is stored.