Would you like some milk with your cookies? 5 months post-GDPR

published in McAfee & Taft tIPsheet | November 5, 2018

Have you noticed the increase in banners and pop-ups on websites you visit asking about cookies (and not the chocolate chip variety)? Those website treats are brought to you courtesy of Europe’s General Data Protection Regulation (GDPR).

The GDPR is a European Union (EU) privacy law that went into effect on May 25, 2018. It concerns the handling of personal information of data emanating from the EU and replaced EU’s previous “Privacy Directive.” The United States currently lacks federal law similar to the GDPR; however, if you have a sweet tooth for privacy laws, then you need only wait until January 1, 2020. That is the date California’s recently passed Consumer Protection Act of 2018 (CCPA) takes effect. The law is inspired by the GDPR and differs substantially from current privacy laws in the United States.

Although the CCPA is specific to California residents, and the GDPR is specific to EU data, the internet is more than capable of traveling across state and international borders. So, although the enforceability of the GDPR and the soon-to-take-effect CCPA to businesses outside of the EU and California is questionable, U.S. companies would be wise to review current privacy practices and policies, particularly data collected from individuals online.

For example, the GDPR is not textually limited to organizations operating in the EU, and, under its terms, applies to any organization that “offers” goods or services (paid or free) in the EU that “processes” “personal data” about “data subjects” within the EU. While merely making a website available in the EU should not rise to the level of being an “offer,” accepting currency of an EU member-state or offering a translated version of your website for a specific EU country could be found to be an “offer.” Likewise, the CCPA may apply to a non-California company merely because a California resident used that company’s website or if a company meets certain thresholds defined in the statute.

What’s the significance of these laws to U.S. companies? The potential for hefty fines that can reach as much as the higher of $20 million or 4% of total global revenue under the GDPR and up to $10,000 per violation under the CCPA, as well as non-monetary sanctions, such as injunctions. Both the GDPR and the CCPA also provide a mechanism for individuals to bring a private right of action for damages. So, companies should begin to conduct regular privacy checkups to avoid a privacy cavity.

Featured Industry