About
The General Data Protection Regulation (GDPR) is a set of privacy laws from the EU that became enforceable on May 25th, 2018 and is perhaps the most important update to privacy law in the 21st century. It has a global reach that extends to businesses engaged in collecting or processing the personal information of people within the EU.
One of the major points of interest with this new set of privacy laws is its scope in that it affects businesses worldwide, whether or not that business is itself located within the EU.
Because the GDPR is one of the strictest privacy laws in the world, complying with it goes a long way toward compliance with many other privacy laws currently in force globally.
If your goal is to reach a global audience, the GDPR and CalOPPA are the gold standards for having both strong and legally compliant policies and procedures.
Even if you are not currently required to comply with the GDPR (if you serve only an American audience, for example), going the extra mile to become compliant now means you will be able to extend your market to the EU whenever that becomes advantageous to you.
It also enhances your credibility to say that you are compliant with the best and most contemporary set of privacy laws in the world.
While the GDPR is a sterling example of privacy rights in the modern age and a step forward by holding everyone to the same standards, it can also be a burden to those who need to update and change their procedures in order to become compliant.
Business owners, developers, marketers and companies worldwide will need to familiarize themselves with the GDPR so that they can review and most likely update their current policies and procedures in order to meet the new requirements.
While the average internet user might not notice some or any of the changes created by the GDPR, developers will certainly see the differences and it's important to understand the reasons behind the requirements.
As a business owner, you are likely to encounter situations where you need to ensure that you are compliant with the GDPR as you are reaching out to a global audience that could include people located within the EU.
Some of the things you'll need to plan for include (but definitely aren't limited to):
- Getting appropriate consent when required
- Allowing for opt-outs and revoking of consent
- Adequately disclosing your privacy practices
- Making it easy for your users to contact you to exert their rights under the GDPR
See if you can guess which of the examples below are subject to the GDPR:
Example | Subject to the GDPR? |
An ecommerce store operating in the United States that ships to the European Union | ? |
An app developer with users who reside in the EU | ? |
An online business that does not allow EU users to make purchases | ? |
A website that does not allow EU visitors to register personal accounts on the site, but serves personalized ads to all visitors through Google AdSense (for example) | ? |
A website that markets only to users in the US and blocks IP addresses from outside of North America | ? |
Let's explore each one in detail with explanations.
Example #1
An ecommerce store operating in the United States that ships to the European Union.
In example #1, it should be fairly obvious that the ecommerce store would be subject to the GDPR. In order to serve customers in the EU and ship products to them, the store would need to collect and process the customers' personal information, such as names, shipping addresses and payment information at the very least. Offering goods to people in the EU and handling their personal data brings the store within the GDPR's territorial scope (Article 3(2)), regardless of where the store itself is located.
Example #2
An app developer with users who reside in the EU.
In example #2, the answer is a strong "probably." It is possible that the developer could release an app without collecting or processing any sort of personal information, but this is unlikely. Be aware that personal data collection and processing is not strictly limited to situations where the data is used for marketing or database building.
The reasons for collecting and processing personal data are many, ranging from personalized ads and behavioral tracking to social media accounts that include your name and birthday.
Even a simple gaming app might ask for your email address to make an account, track your location, or have you select a username (which could be considered a unique identifier under the GDPR). More often than not, apps process personal information on some level.
Example #3
An online business that does not allow EU users to make purchases.
In example #3, the business would probably not be subject to the GDPR.
The scope of the GDPR makes it somewhat difficult to avoid falling under its jurisdiction, but a business can arrange things so that it is only available to certain regions.
If the business can show that it made an effort to deny access to its products or services to the European market, did not market to people there, and did not collect, process or monitor their data, it should fall outside the GDPR's scope. Recital 23 makes clear that the mere accessibility of a website from the EU is not enough on its own to establish an intention to offer goods or services there; factors such as offering EU languages or currencies, or shipping to the EU, are what indicate that intention.
Example #4
A website that does not allow EU visitors to register personal accounts on the site, but serves personalized ads to all visitors.
In example #4, the website is making a similar attempt as the business in example #3, but by serving personalized ads and not blocking traffic from the EU, personal data of visitors in the EU is likely to be processed, and profiling them for ads amounts to monitoring their behaviour (Article 3(2)(b)). This is a good example of why it is difficult to avoid the scope of the GDPR.
Even though the website in this case does not allow EU residents to register, these users can still access the website. If while on the website a third-party service collects information about their habits on the web to populate ads on the website, that would be processing the users' information.
It doesn't matter that the website itself is not doing the processing but is using a third-party ad service to do so instead. This indirect method of data processing would still make the website subject to the GDPR.
If the website did not have personalized ads or other features that processed personal data (for example, analytics suites for behavioral tracking), or cater to residents of the EU in any way, it may escape the jurisdiction of the GDPR.
Example #5
A website that markets only to users in the US and blocks IP addresses from outside of North America.
In example #5, it is clearer that the website is trying to block EU traffic and cater only to the American market.
If the website owners make no attempt to serve people in the EU and actively take steps to ensure those people won't be served, they should not have to comply with the GDPR. How well this holds up depends on the method and effectiveness of the blocking: IP geolocation databases are approximate and go stale, and visitors using VPNs or proxies can appear to come from North America. Blocking is evidence of an intention not to target the EU rather than a guarantee, so it needs to be maintained and documented, and the rest of the site (language, currency, shipping options, marketing) should be consistent with a US-only audience.
Goals of the GDPR
The GDPR seeks to be an easily understandable, complete, and strong set of privacy laws to protect the privacy of those under its jurisdiction. Some of the core concepts at the heart of the GDPR are privacy for individuals, transparency on the part of businesses and developers, and more user rights/choices.
The GDPR aims to give individuals a high level of control over their personal information to ensure it is used safely, appropriately and in ways that people are comfortable with.
Today, possibly more than ever, it's important for individuals to control their personal information across social media, ecommerce, and email. The GDPR strives to both inform and protect these individuals while empowering businesses to create strong and secure procedures to ensure that the data they collect and process is handled safely and responsibly in order to limit the chance and threat of data breaches.
Under the GDPR, businesses are required to disclose virtually everything about what data they collect, why they are collecting it, and what will be done with that data. This coincides with the idea of transparency by letting data subjects know exactly what happens with their personal data. This way, the data subjects can choose whether or not they agree with or wish to be part of certain data handling processes.
This level of transparency ensures that data controllers are only using data in ways that their users have agreed to. It also holds them accountable for any misuse of personal information outside of the agreed-upon terms.
Collecting, scraping, and buying masses of personal data for marketing and other purposes without a lawful basis is no longer acceptable. Transparency and user consent are cornerstones of the GDPR that ensure safe and fair usage of personal data.
In addition to requiring developers and businesses to be transparent in their data collection and processing, the GDPR clearly defines the rights that users have regarding ownership of their personal information.
For example, individuals have the right to request that a data controller provide them with all of the data that they hold about them, the right to request that processing of their data be ceased, and even the right to request that the data be erased completely if they wish.
User rights such as these ensure that, under the GDPR, individuals retain control over their personal information and it can't be used against their wishes.
As with most sets of laws, the GDPR is a long and sometimes confusing document. However, great care has been given to make the GDPR about as approachable as possible, doing away with much of the cumbersome legalese of other laws.
However, while the GDPR was written to be easy to understand by the average individual, it's still a lot to digest and some concepts can be difficult to understand at first.
This book will not only get you up to speed on the GDPR as a whole, but will specifically cover how it affects business owners and the steps they need to take to become compliant.
Privacy, Transparency and User Rights
These are the cornerstones of the GDPR.
By focusing on the privacy of users, there is less risk to data subjects, because the amount of personal data that is collected, stored, processed, and shared is minimized. In fact, the GDPR adopts the concept of "Privacy by Design" (Article 25, "data protection by design and by default"), where businesses are expected to consider privacy at every step of a project, not just at the end.
By using transparency as the foundation for data controllers and processors who are handling personal data, users can act as the policing force that monitors data controllers and ensures they are handling personal data responsibly. With security measures taken wherever possible, data subjects have much less to worry about when sharing their personal information.
The GDPR also gives supervisory authorities stronger powers to investigate and audit data controllers and data processors, so that they can keep an eye on things and follow up on complaints and inquiries from data subjects. The GDPR gives users an arsenal of rights to protect their personal information and ensure that data controllers and processors are handling it properly.
We will cover these rights in detail in Chapter 6, but here's a quick rundown of the eight fundamental rights of data subjects under the GDPR.
Note that not every business will need to comply with every right. For example, the right to data portability only applies to data processed based on either consent or a contract, and that's processed using automated means. You can see how this leaves a lot of data that won't have to be made portable.
While these rights exist for users in general, make sure to become familiar with the specifics of each right so you know when and if it's something you must provide to your users.
The Right | What it means |
Right to be informed | Users have a right to know all about how you're processing their personal data. This is accomplished by having a thorough Privacy Policy. |
Right of access | Users have a right to request information from businesses about their personal data that the business processes. |
Right to rectification | Users must be able to correct and update inaccuracies in their personal data. |
Right to erasure | Also known as "the right to be forgotten," it means that users have the right to have their personal data erased and cease its processing under certain circumstances. |
Right to restriction of processing | Users have the right to limit or postpone the processing of their personal data in some scenarios. |
Right to data portability | Users have a right to the personal data that they provide to a controller and can have it transmitted to another controller if they wish in certain circumstances. |
Right to object | Users have the right to challenge or object to data processing where they believe it is improper, unlawful, or simply unwanted. |
Right to human intervention | Users have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on them, and can request human intervention in such decisions. |
By empowering data subjects with these rights, the GDPR can better ensure that their privacy is protected and their personal information is used fairly.
Of course, all of this is made easier by requiring data controllers and processors to be transparent in their data collection and handling procedures. Essentially, everything that happens with a data subject's information should be declared in one way or another so that the individual knows precisely what is happening with their information at any given time.
The GDPR and CalOPPA
The GDPR has much in common with the California Online Privacy Protection Act of 2003 (CalOPPA). It duplicates and reinforces many of the regulations introduced by California's groundbreaking set of privacy laws.
In fact, compliance with the GDPR often means you may also be compliant with CalOPPA. These regulations share a lot in common, including their far reaching jurisdictions that extend worldwide.
Let's take a brief look at some of the concepts of CalOPPA that the GDPR has adopted.
Global Reach
One of the reasons that the GDPR is such a big deal is because it reaches far beyond the borders of the European Union. Instead of regulating only the activity of businesses and websites operating within its geographical area, the GDPR regulates any entity that collects or processes the personal data of those within its geographical area.
This worldwide reach was first implemented by CalOPPA which required any entity that handles personally identifiable information (PII) of California residents to have a CalOPPA-compliant Privacy Policy in place (among other requirements).
As most websites receive visitors from the US, and California residents are likely to be included in that traffic, it quickly became clear that businesses worldwide needed to take notice of CalOPPA.
While burdensome to many companies, CalOPPA ensured that the rights and privacy of the residents of California would be respected without geographical loopholes that could undermine those protections.
The GDPR adopted a similar policy, ensuring that individuals located within the EU remain protected any time their personal information is collected, processed, or shared.
Privacy Policies
California was the first state in the US to enact a law requiring websites to have a Privacy Policy in place. This requirement applied to any website that collects personally identifiable information from residents of California.
The primary focus of CalOPPA is to encourage transparency by setting some standards for Privacy Policies.
CalOPPA is less focused on regulating how and why websites collect and process data, and instead focuses more on ensuring that Californians are informed about what is happening to their personal information so that they can choose whether or not to give it.
Under CalOPPA, a Privacy Policy must:
- Be posted conspicuously on a main page and include the word "privacy"
- Disclose what categories of personal data are collected
- Disclose what categories of third parties the personal data may be shared with
- Disclose the procedure for notifying users of changes to the Privacy Policy
- Include the date when the current version of the policy went into effect
- Include the procedure by which users can review and request updates to their stored personal information
- Disclose whether Do Not Track requests are honored
You will find many of these requirements in the GDPR, along with some additional, more advanced requirements.
Under the GDPR a Privacy Policy should be easy to access, read, and understand, and should include the following:
- The identity and contact details of the data controller (and of the Data Protection Officer, if one has been appointed)
- What personal data is collected
- How it is collected
- Why it is collected (for what purpose or purposes)
- The legal basis for collecting the data (and, where that basis is legitimate interests, what those interests are)
- The source of any personal data not collected firsthand
- How long data will be retained, or the criteria used to decide that
- The rights users have regarding their personal data, including the right to withdraw consent at any time
- How to submit complaints, including the right to lodge a complaint with a supervisory authority
- A description of the security measures used to protect personal data
- Disclosure of whether data is stored, shared or processed outside of the EU, as well as the safeguards in place for those transfers
- Whether you handle any special categories of data (Article 9), as well as the security measures in place to protect that data
- Disclosure of with whom personal data is shared (third parties, partners, etc.)
- The date when your Privacy Policy was last updated
- Whether providing data is a statutory or contractual requirement, and any consequences of refusing to provide it (limited site functionality, etc.)
- Disclosure of any automated decisions or profiling that may take place, with meaningful information about the logic involved and its consequences
As you can see, the requirements for Privacy Policies under the GDPR focus much more on the content of these policies.
PII and Personal Data
Personally identifiable information or PII under CalOPPA can be defined as "any information which could be used to identify a certain individual or de-anonymize anonymous information".
That information need only have the potential to identify someone, even if doing so would be difficult.
For example, a phone number is sometimes used as a unique identifier tied to certain accounts. If that number is also listed in a contact directory or on social media, then you could use that number to discover the name and identity of that individual. Therefore, a phone number is considered PII.
The GDPR defines personal data in a very similar manner. Article 4 defines personal data as:
"...any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
The GDPR gets a bit more specific and clarifies some uncertainty about what can be considered "identifiable."
For example, the predecessor to the GDPR was unclear about whether things like IP addresses or location data were considered personal data. The GDPR makes it clear that they are, in addition to many other things.
Here is a list of some things that qualify as personal data or personal information under the GDPR:
- Email addresses
- Mailing addresses
- Phone numbers
- Physical descriptions
- Demographic information
- Age or date of birth
- National identification numbers (such as social security numbers)
- Driver license numbers
- Names
- IP addresses
- Location data
- Postal (zip) codes
- Medical history
- Financial information (such as salary)
- Unique identifiers (student and other ID numbers)
- Religious beliefs (a special category of data under Article 9)
- Political affiliations (also a special category under Article 9)
- Occupations
This list is by no means exhaustive, but instead contains some common types of information that can be considered personal data under the GDPR.
Cross-Compliance
With the GDPR building upon many of the concepts of CalOPPA, becoming compliant with the GDPR puts you in very good standing under CalOPPA, as well. They share many similarities, requirements, and principles, with only a few things left out of the GDPR.
Unfortunately, the road to compliance from CalOPPA to the GDPR is not as short.
The GDPR builds upon many concepts of CalOPPA and also evolves many of them, delving deeper into the processes and procedures of data controllers and data processors. While being compliant with CalOPPA certainly means you are closer to privacy compliance under the GDPR, there are many more steps needed to become fully compliant with all aspects of the GDPR.
If you are aiming for compliance with both CalOPPA and the GDPR, you should review each set of laws and compare them individually to your operation. Nothing in either set of laws should interfere with the other, though some requirements may be set to a higher standard in one case versus the other. Comply with the most stringent requirement in situations of overlap to ensure your methods are adequate or better for both sets of laws.
Below is a chart outlining some common business activities and each law's general requirements so you can see how they differ in a practical way:
Activity | CalOPPA | GDPR |
Jurisdiction | Affects any entity that handles personal data of residents of California. | Affects any entity that handles personal data of people in the EU. |
Collecting/processing personal data | Practices must be disclosed in the Privacy Policy. | Must have a legal basis. Practices must be disclosed in the Privacy Policy. |
Privacy Policies | Privacy Policies are required and must contain certain information and be easily accessible. | Privacy Policies are required and must disclose additional information and be easy to read and access. |
Collecting email addresses from users to create an account with you and sign them up to your marketing emails | No specific requirements. | Consent to marketing must be separate from account creation: an additional, unticked checkbox or "I Agree" button that users must actively click to show they are informed that they'll also be signing up for marketing emails. |
Serving personalized ads | Must disclose this in Privacy Policy. | Must get active consent from users before profiling them for ads. |
Using cookies | Must disclose this in Privacy Policy. | Must get consent before non-essential cookies are placed on devices (required by the ePrivacy Directive, with consent measured against the GDPR's standard). |
Penalties for Failure to Comply With the GDPR
The maximum administrative fine for breaching privacy law has been increased under the GDPR to the higher of €20 million or 4% of annual global turnover (Article 83(5)). A fine of this magnitude would be reserved for only the most egregious breaches, but it goes to show that it is vitally important to understand when it is and is not lawful to process the personal data of people in the EU.
Article 82 states that individuals who have suffered damage from a breach of the GDPR are entitled to compensation from the data controller and/or data processor. It does not specify how much compensation could be required or give examples of such a case; it simply states that such claims are brought before the courts of the Member States.
Here's how the GDPR phrases it:
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).