If your email inbox hasn’t been flooded with updated privacy policies from Facebook and other major American companies with whom you have a relationship since May 25, then you probably don’t have email. On that date, the European Union’s (EU) sweeping new privacy regulation, known as the General Data Protection Regulation (GDPR), took effect.
The American companies that have been sending you their amended privacy policies have been doing so because they do business in Europe and thus are subject to GDPR with respect to their collection and processing of personal data of EU residents. In many cases it will be easier for those firms to adapt their data practices to the dictates of the GDPR for the U.S. as well, rather than only for Europe. To this extent, GDPR could become the de facto data privacy standard in the United States, which lacks a national consumer privacy law.
Whether or not that happens, any U.S. firm that interacts with consumers in the EU needs to take GDPR seriously because the EU’s enforcing authorities take it very seriously. They have made that clear by imposing penalties of up to 4 percent of global revenue or $20 million, whichever is greater, for violations – and are already investigating complaints made by privacy watchdogs operating as their eyes and ears.
If your marketing reaches into the EU and you haven’t yet brought your privacy policy into GDPR compliance, ample guidance on the provisions of the 88-page regulation is available from the UK’s Information Commissioner’s Office (ICO) and from numerous private sources, as a quick Google search will attest. Before you or your counsel hit the keyboard, though, there are two fundamental tenets of GDPR that are critical to understand.
The first is that the essence of the regulation is based on the principle of the “fundamental rights and freedoms” of the individual, the most sacred being the “right to be forgotten.” This encompasses the right to have your data deleted (or corrected or moved to another platform) and not to be monitored and tracked. The second, a corollary to the first, is that you must have a “lawful basis” to process personal data.
The most obvious lawful basis, of course, is consent. Under GDPR (unlike in the U.S.), this consent must be affirmative, unambiguous opt-in consent. If consent serves as the lawful basis, then in addition to mandating clear and unequivocal opt-in, GDPR also:
- Requires consent to be separate from other terms and conditions.
- Generally prohibits consent from being a precondition of signing up to a service.
- Bans pre-checked opt-in boxes.
- Requires granular (separate) consent for distinct processing operations.
- Grants a specific right to withdraw consent, a right that must be disclosed and easy to exercise at any time.
- Requires record retention to demonstrate consent.
Other lawful bases for collection and processing of personal data recognized by GDPR are:
- Compliance with a contractual obligation, i.e., to supply requested goods or services.
- Compliance with a legal obligation, such as an EU law requiring the processing of data for a particular purpose.
- Vital interests, i.e., processing personal data if necessary to protect a life.
- Legitimate interests, i.e., a genuine and legitimate reason (including direct marketing or other commercial benefit) to process personal data, unless outweighed by harm to the individual’s “fundamental rights and freedoms.”
“Legitimate interests,” including, for example, the need to process data in order to provide enhanced goods and services and targeted, interest-based ads to consumers, can be a justification for data processing for businesses that find it hard to meet the opt-in standard for consent. Because legitimate interests are balanced against the individual’s interests and must not be outweighed by them, however, any business relying on a claim of legitimate interests to process personal data must be prepared to show that the interests are indeed legitimate and essential to its business model and do not compromise the individual’s fundamental right to privacy.
Unlike consent, therefore, reliance on legitimate interests to process personal data will always be open to scrutiny and challenge by GDPR-enforcing authorities. In evaluating claimed legitimate interests, they surely will look at how fair, transparent and accountable a business’s data practices are to consumers, including, most critically, how respectful they are of the “right to be forgotten,” as judged by the degree of responsiveness to consumer requests for access, deletion, correction, and movement of their data.
If you are or could be subject to GDPR and still need to update your privacy policy, careful consideration of the lawful basis you choose to process data, and implementation of procedures to expeditiously and efficiently process “right to be forgotten” requests, should be top of mind. While there are many other details related to GDPR compliance that must be taken into account, getting these two crucial items right from the start, and consulting appropriate counsel, will make the task of updating and executing your privacy policy much easier.