U.S. Marketing Problems Under The GDPR
On May 25, 2018 the General Data Protection Regulation went into effect. The serious impact of this was immediately clear when the L.A. Times did not publish its European versions that day – apparently not yet certain that they were in full compliance with the new law.
The EU is serious about sanctions. In July 2017, the German Data Protection Authority noted that its then-current maximum fine under the Data Protection Authority guidelines was EUR 300,000, but that its fines under the new EU GDPR would be up to EUR 20,000,000 ($23,440,000) or 4% of an organization’s worldwide annual turnover. And, since the GDPR is a law rather than “guidance,” everyone expects the new penalties to be broadly enforced.
Under the GDPR all organizations that process EU resident data are required to make significant changes in data subject consent, adopt privacy by design, have a plan for data breaches and several other provisions. A revised approach to EU marketing is now required.
New questions - including marketing questions - have come up for U.S. companies:
• How does a company know if the GDPR applies to them?
• If it does, how significant are the potential sanctions and will they realistically be imposed?
• Is a U.S. company that signed up under the EU-US Privacy Shield still protected under the GDPR?
• How much flexibility can U.S. companies expect from the EU authorities under the GDPR?
• How does Cloud Computing handle the GDPR?
Marketing After the GDPR
The GDPR applies to U.S. companies marketing to the EU, to companies that have EU members, and to companies that process personal data about Europeans in the U.S. The new privacy laws have significantly stricter enforcement provisions. Make that draconian enforcement provisions. U.S. companies also recognize that they need to update their communication and outreach processes to comply with current laws.
Online member directories need to be analyzed to determine whether the GDPR will require an opt-in or opt-out protocol with respect to EU-listed members. Organizations would like to be able to follow an opt-out procedure, i.e., members would be included unless they clicked a box to remove their listing. They are concerned that an opt-in system would require a much different process to gain consent.
For example, an organization’s annual business conference creates a special problem. Normally, attendees may be asked to provide their background information as part of the procedure for obtaining an attendee badge. Attendees understand that this information will be provided to exhibitors and be used by the company putting on the conference. However, this creates a special problem for U.S. companies now that the GDPR has gone into effect. The company needs to know whether it must disclose to its meeting attendees that, when their badges are scanned by an exhibitor, they will be sharing their contact information with that exhibitor. Companies currently do not tell delegates anything regarding this issue.
As of May 2018, the GDPR requires U.S. companies to establish an opt-in mechanism for sharing information via badge scanning with a lead retrieval device. Under the old Directive it was implied that if someone allowed an exhibitor to scan their badge they were allowing that exhibitor access to their contact information. As discussed below, that is no longer the case.
Processing of personal data by U.S. companies is lawful only if, and to the extent that, it is permitted under EU data protection law. Consent provides a lawful basis. Without lawful consent, the processing of personal data is unlawful and runs the risk of incurring substantial fines. Rec. 40; Art. 6(1). Organizations that do not rely on consent are not directly affected by the consent requirements.
The GDPR requires that U.S. companies create consent mechanisms to ensure that:
• Data subjects are clearly informed of the processing to which they are consenting;
• The consent mechanism is genuinely voluntary and “opt-in” in nature;
• Data subjects are permitted to withdraw their consent easily; and
• U.S. companies cannot rely on silence or inactivity to collect consent (e.g. pre-ticked boxes do not constitute valid consent).
The requirement that consent must be “informed” is intended to ensure that data subjects understand the risks associated with the processing of their personal data. Rec. 32; Art. 4(11), 6(1), 7.
The information to be provided to data subjects should include:
• The identity of the controller (and, where appropriate, its representative);
• The purpose for which the data will be processed;
• Any further information that is necessary to enable the data subject to understand the processing to which they are being asked to consent (e.g. the third parties with whom the data may be shared);
• The existence of the right to object to processing and the right to be forgotten; and
• The existence of the right to withdraw consent.
"Clear Affirmative Action"
As reflected above, under the GDPR, consent must be provided in the form of a clear, affirmative action of the data subject. The consent itself must be something that the data subject has said or done to indicate that they agree to the processing of the personal data. Rec. 32, 43; Art. 6(1)(a), Art. 7(4). This agreement can take any appropriate form (e.g., a signature, a tick-box, a verbal consent, etc.), but it must be affirmative in nature – mere silence, passive acquiescence or failure to opt out does not constitute valid consent under the GDPR. Under the Data Directive no specifics were given as to the methods that could be used to obtain valid consent – leaving too much latitude to the data controller and allowing extensive opt-out mechanics. That latitude has now been removed by the GDPR, Rec. 32.
“Withdrawal or refusal of consent”
Data subjects have the right to refuse to consent, and the right to withdraw consent they have given. Rec. 42, 65; Art. 7(3). Following any such refusal or withdrawal of consent, organizations should be wary of proceeding with the proposed data processing activity. If, following withdrawal of consent, the organization continues to process the data subject’s personal data in reliance on another lawful basis, then that further processing may call into question the validity of the consent (and of any similar consent provided by other data subjects).
Note, however, that GDPR Rec. 42, 65 and Art. 7(3) do not affect the lawfulness of processing based on consent before its withdrawal. This indicates that consent obtained under prior agreements with U.S. companies would not be subject to the more rigid current GDPR requirements.
U.S. companies should also know what they need to do to be sure that they are not illegally spamming their clients and membership. They need to ask whether they can re-engage a member who has previously opted out of email correspondence. Under the GDPR, U.S. companies cannot email a member who has previously opted out of email.
However, if the member decides to attend a U.S. company’s function, then the consent procedure discussed above would allow the U.S. company to re-engage the member and ask for their consent via meeting registration or similar – where members can be asked again whether they wish to receive emails from the U.S. company.
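The opt-in, informed-consent, withdrawal and re-engagement rules above, worked into a small consent ledger as an added example (constructed for this article, not code from any vendor or regulator; the class and field names are assumptions). It rejects pre-ticked boxes and silence, records the controller, purpose and third parties shown to the subject, closes consent on withdrawal, and keeps processing before the withdrawal lawful while blocking it afterwards until a fresh opt-in (e.g. at meeting registration) is recorded.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    subject_id: str
    controller: str            # identity of the controller disclosed to the subject
    purpose: str               # one purpose per record, e.g. "marketing_email"
    third_parties: List[str]   # who the data is shared with, e.g. conference exhibitors
    action: str                # the affirmative act, e.g. "ticked box on registration form"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Constructed example: an opt-in consent ledger with a withdrawal audit trail."""

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record_opt_in(self, subject_id: str, controller: str, purpose: str,
                      third_parties: List[str], action: str, pre_ticked: bool,
                      given_at: datetime) -> ConsentRecord:
        # Silence, inactivity or a pre-ticked box is not a clear affirmative action (Rec. 32).
        if pre_ticked or not action.strip():
            raise ValueError("consent requires a clear affirmative action by the data subject")
        # Consent must be informed: controller identity and purpose must have been shown.
        if not controller.strip() or not purpose.strip():
            raise ValueError("consent must be informed: controller and purpose are required")
        rec = ConsentRecord(subject_id, controller, purpose, list(third_parties), action, given_at)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        # Withdrawal must be easy: one call closes every open consent for that purpose.
        closed = 0
        for rec in self.records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                closed += 1
        return closed

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        # Lawful only under a consent for this exact purpose that was in force at `at`.
        # A later withdrawal does not make earlier processing unlawful (Art. 7(3)).
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at)
                   for rec in self.records)


def ts(hour: int) -> datetime:
    # Constructed timestamp helper for the examples: hours on GDPR day, 25 May 2018 (UTC).
    return datetime(2018, 5, 25, hour, tzinfo=timezone.utc)
```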
U.S. companies would like to send out specific emails to people that may have some marketing elements, such as asking them to participate in a luncheon or a function. They would like to know if this implicates the GDPR.
So long as no personal information is requested, the GDPR would not be triggered. However, if the email invites the person to provide the U.S. company with personal information in response - such as signing up for the lunch or asking for more information - then the GDPR would be triggered and an opt-in mechanism would need to be established.
The GDPR also compels additional accountability requirements, including:
• Strict data protection policies; Rec. 74; Art. 24;
• Enhanced record keeping obligations – especially all records of consent received by the U.S. companies; Rec. 78; Art.25; Rec. 82,89; Art. 30;
• A mechanism to notify members within 72 hours of a data breach unless the breach is unlikely to impact the rights and freedoms of the individual; Rec. 73, 85-88; Art. 33 & 34;
• Requirements for data protection impact assessment for elevated risk activities; and
• Requirements for stronger security measures matching the risk of data breach and potential harm to individuals.
The GDPR is here to stay and it’s a law not a recommendation. U.S. companies cannot dismiss its potential impact.
This article is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this article or any of the e-mail links contained within the site do not create an attorney-client relationship between Cook Consulting Group and the user or browser.