Like many of you, I have heard a lot about the General Data Protection Regulation (GDPR). Some may be asking isn't GDPR a European Union (EU) regulation? Well, it is; however it can affect US organizations. We all know that a small text file, known as a cookie, is created by a website and is stored on our computers. One way we have all seen a change is that we know websites are now asking us to attest the acceptance of cookies more frequently. Just today, I have had to accept 5 or 10 times. Recital 30 of GDPR states that a cookie, or other identifier, uniquely attributed to a device, and, therefore, capable of identifying an individual or treating them as unique even without identifying them, is personal data.
You may wonder, why do I have to consent so much; that answer is in Recital 32 of the GDPR. Recital 32 advocates that consent for cookies needs to have a clearer opt-in, or at the very least a soft opt-in, to ensure that landing on a site for the first time cookies should be blocked until the user takes some action that they understand cookies are being set.
Now that we understand a bit more about the cookie requirements, let's take a quick look at how GDPR may affect a U.S. organization. GDPR regulation applies to:
- The processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not.
- The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- Offering of goods or services, regardless of whether a payment of the data subject is required, to such data subjects in the Union; or
- Monitoring of their behavior as far as their behavior takes place within the Union.
- The processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Simply put, it applies to all companies processing, holding, or controlling the personal data of data subjects residing in the European Union, regardless of the company's location.
You may be asking, is my organization a data processor or a data controller? GDPR defines the controller as a natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The processor is a natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller. A simpler way of saying it is, a controller is a group that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity, which processes personal data on behalf of the controller.
Let's get a bit more granular with our look at GDPR and U.S. based organizations. The GDPR states, "applies to organizations located within the EU, but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects." It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
We must next look at Recital 23. Recital 23 states, "In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the European Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."
The key is that it applies to EU data subjects and applies to all companies processing or holding the personal data of data subjects residing in the EU. To assist in determining whether GDPR affects your organization, you need to ascertain if your organization is offering services to data subjects in the EU or offering services only to US citizens that open accounts in the US and then travel abroad.