Over the past few weeks, clients have been asking why their inboxes have been inundated with emails from websites, some of which they haven't visited in years, informing them of changes in their privacy policy. Why the sudden concern for privacy? Effective May 2018, the European Union's General Data Protection Regulation (GDPR) came into full force, instituting some of the strictest internet privacy laws ever drafted. Although the GDPR technically only applies to EU Member States, most websites are choosing to make the new privacy measures applicable to all users, regardless of residency. The GDPR is a huge victory for privacy advocates and includes a robust set of consumer protections, including:
- A data breach must be disclosed no later than 72 hours after it was first discovered.
- Websites must publish a privacy policy which clearly articulates what data is collected, what it is used for, and how long it is retained.
- Users have the right to request a copy of data related to themselves and to request websites to remove their data (the right to be forgotten).
- User data should not be kept longer than is reasonably necessary.
I have a website outside of the EU; do I still need to comply?
If your website specifically targets consumers in the EU, or you have a physical presence in a member state, then yes, you must comply. However, the GDPR does contain exceptions for websites which do not specifically target EU consumers. For further clarification and guidance, we recommend consulting your legal counsel.