GDPR, or the General Data Protection Regulation, is a European regulation that governs how the personal data of individuals within the European Union is collected, stored, and used.
Disclaimer: This is not an official EU Commission or GDPR resource. This in no way constitutes legal advice. Any person who intends to rely upon or use the information contained in this document about GDPR is solely responsible for independently verifying the information, and obtaining legal advice if required. To read the official GDPR document, please visit eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN.
Does GDPR Affect US-Based Distributors?
Even if you only sell goods to individuals or businesses in the United States, you should comply with GDPR if your website is open to visitors from the EU and UK and collects personal information from those visitors, such as email or IP addresses.
To What Extent Do Distributors Need to Comply with the GDPR?
1.) If you are not selling to companies in the EU but have a website that’s open to EU visitors, then you should comply with GDPR if any of the following conditions hold true:
• You have web forms (like contact forms or newsletter sign-up forms, for example) on your website that collect personal information like email addresses or location
• You use Google Analytics, and its tracking code is installed on your web pages
• You use any type of cookies, including tracking codes or the Facebook pixel
• You take payments on your website from people living in the EU
• You allow your customers to create accounts on your website, and some of those customers are residents of GDPR countries in the EU or UK
• You have any third-party plugins on your website that transmit personal data
2.) If you are selling to companies or individuals in the EU, then you must comply with GDPR.
If none of those conditions apply, then don’t worry. There’s no action you need to take as of this writing.
The main objective of the GDPR is to protect individuals residing in the EU and UK against the violation of their privacy. It requires personal data to be collected and stored in a fair and transparent manner.
Definitions of GDPR Terms
“Personal data” are things like your website’s visitors’ names, phone numbers, email addresses, and all information related to their religious and political views. It includes their IP addresses, locations, photos, and extends to their health, biometric, and genetic data, as well as their sexual orientation, race, and ethnicity.
“Fair” means that companies process only the minimum data they need to provide their services. Certain web-form fields, such as a “salutation” field that asks for gender or marital status (Mr., Mrs., or Ms.), are not necessary for most businesses, so eliminate these types of fields from your web forms. GDPR encourages companies to collect as little information as possible.
“Transparent” – GDPR requires companies to tell visitors, in advance, what information they are collecting, for what purposes they are collecting it, and for how long they plan to store it. The information must be presented in “a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
How Will GDPR Be Enforced?
The EC has appointed Authorities in each of the EU and UK countries that will enforce GDPR. In the US, they will call upon the FTC to enforce GDPR for US companies who fail to comply.
It is too early to detail the exact process for GDPR enforcement, but at this writing, it is believed that complaints registered against non-GDPR-compliant businesses will be registered then passed off to the respective Authority in the country where the non-compliant business is located.
What Are GDPR Fines?
DPReu.org has defined 2 infringement levels. The lower level carries fines of up to €10 million or 2% of your annual revenue for the prior fiscal year, whichever is higher. In the worst case, penalties can be up to €20 million or 4% of a company’s annual revenue, whichever is higher.
In Practical Terms, What Do I Need to Do To Comply?
In practical terms, if your company doesn’t specifically target its goods or services to individuals in the EU, it is unlikely that the “GDPR police” will come after you before other larger EU-based companies. However, given the potential of steep fines and the ease of compliance, it is sensible for US businesses to comply with GDPR. Plus, following GDPR creates a better user experience for your website visitors and customers.
Update Your Website and Marketing
explicitly comply with GDPR. For more information, see this blog post.
• Let your website visitors know what cookies your website uses, what the cookies do,
• Add opt-in checkboxes to your web forms.
• If any of your email recipients live in GDPR-affected countries, require them to opt in again to your mailing list.
• Delete the contacts and lists you no longer use.
Is There an Easier Way to Comply with GDPR, Without Modifying My Website?
If you own a website or business that only serves customers in the US or Canada, then instead of making all the necessary changes on your site, you might find it easier to block all visitors from EU IP address ranges, provided you don’t need website traffic from those countries.
The easiest way to block traffic from EU visitors is at the web server level, directly through your host. You can also manually enter IP address ranges by country into your .htaccess file. Regardless of how you block these countries, make sure you whitelist your host if they have support offices located in the EU.
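One way to express that rule in an Apache 2.4 .htaccess file, as an added example that is not part of the original article; the address ranges are constructed placeholders (RFC 5737 documentation prefixes), not real EU country or hosting-provider ranges:

```apache
# Apache 2.4 .htaccess fragment (added example; the ranges are constructed
# placeholders from the RFC 5737 documentation prefixes, not real country
# or host ranges; substitute the lists you obtain from your host or a
# geolocation provider).
<RequireAny>
    # Allowlist first: your host's EU-based support office, so it is
    # never caught by the country block below.
    Require ip 198.51.100.0/24

    # Everyone else is allowed unless they fall in a blocked range.
    # "Require all granted" is needed because a negated rule on its own
    # can only deny access, never grant it.
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.0/24
        Require not ip 192.0.2.0/24
    </RequireAll>
</RequireAny>
```

The fragment only takes effect where your host's configuration permits AllowOverride AuthConfig for the directory, and blocked visitors receive a 403 response; country ranges change over time, so refresh the blocked list periodically.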
If you are actively marketing to anyone who is a resident of GDPR-protected countries, then it is recommended that you comply with all required consents outlined in the GDPR.