Will Companies ‘Brexit’ EU Over GDPR?

Companies may begin blocking European Union resident website access in response to onerous privacy regulation.

The European Union (EU) passed a law in 2016 that requires greater data transparency for Europeans visiting websites. Data in this context represents personal information. General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, extending the scope of EU data protection law to all foreign companies processing data of EU residents. The complete legal document is 261 pages.

Significant penalties for non-compliance. A strict data protection compliance regime includes severe penalties of up to 4% of worldwide turnover or €20 million ($23.9m USD), whichever is higher. This is the maximum fine that can be imposed for the most serious infringements (e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts).

There is a tiered approach to fines (e.g. a company can be fined 2% for not having their records in order [article 28], not notifying the supervising authority and data subject [individual] about a breach or not conducting impact assessment). It is important to note that these rules apply to both controllers and processors—meaning ‘clouds’ (remote server providers) are not exempt from GDPR enforcement.

If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit.

Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported within 72 hours of its discovery. No one really knows how GDPR will be enforced on American soil, and we likely will not know until we see the first test case. For multinational companies with divisions in Europe, the supervisory authorities can hold the EU representatives accountable.

Why GDPR is Good

Think of GDPR like the Health Insurance Portability and Accountability Act (HIPAA) for webmasters. In principle, most consumers want to know if their private data is being used in a manner that will harm them. Sometimes data is covertly used in ways that may not be harmful but could be considered annoying. Other times data is used in ways beyond the scope of average understanding to improve the user experience while visiting a website.

What types of privacy data does the GDPR protect?

• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

What Comprises the European Union?

Map of European Union Countries

Why GDPR is Problematic

If any European residents access your site, you must comply. Global companies often depend on sales or visits from EU residents. Even if a company located outside the EU does not sell products to EU residents, their websites are governed by how EU visitor data (like email addresses) are collected, stored and used. It applies to all companies processing and holding the personal data of subjects residing in the EU, regardless of the company’s location.

Only 0.3% of US companies responding to a Netsparker survey said that they do not need to make any changes, which we presume means that they were already GDPR compliant even before GDPR was announced.

GDPR readiness is expensive. The Propeller Insights survey from March 2018 indicates that most companies will spend less than $1 million to bring their companies into compliance. In fact, 36 percent of the respondents said they would spend between $50,000 and $100,000, and 24 percent will spend between $100,000 and $1 million. Only about 10 percent expected to spend more than $1 million for GDPR compliance.

Cookies cannot completely be eliminated. A primary method of interacting with visitor data is by means of cookies, or little bits of temporary data stored somewhere. They are a convenient, often necessary way to maintain state and data in web applications. This is one way a website keeps track of which items are in a visitor’s shopping cart or preferences during a session. If someone asks a webmaster to prevent cookie storage, how is the user identified to fulfill the request?

Cookies are stored locally on a client-side computer, usually in clear text initiated by a server-side computer. If a client computer is accessed by multiple people, one person might look through another’s cookie folder for things like passwords or long-life session IDs.

The use of SSL/TLS can prevent wireless packet interception by encrypting network packets. This is the reason why many e-commerce, social media and other sites are switching to secure HTTPS for all browsing, not just during private data transactions. Some browsers require a password to view or delete cookie information.

End users may need to consider installing cookie encryption software.

Snapchat stopped retaining location data for users in Europe. A user might request that no cookies be used when they visit a site. (More practical request is that non-persistent cookies be used.)

Minimally, such a site must store a cookie ID to comply with the request. An ID number is less useful to third parties than, say, email address and other personal contact information. Until browser developers encrypt cookies, end users may consider installing cookie encryption software. But GDPR does not impose this requirement on end users.

Websites may become more restrictive. Another workaround—still involving cookies—is to store a persistent cookie ID on the client computer that is used, in conjunction with a password to access data stored remotely. Websites could force all users to log in before shopping, perhaps even suppressing display of prices or disabling the Add to Cart button until a visitor logs in.

Logging in allows the site administrator to identify the user and their specific privacy options. Amazon and social media sites already require a login for full access to services. Ahead of this mandate, ClinicalPosters has been asking customers to establish login accounts and making it optional during checkout. Mandatory checkout login is likely. Not everyone likes to log in, but GDPR could make it more common across the Internet.

Blocking Europe is not foolproof. Websites have global access. Data controllers and webmasters must ultimately decide whether it is in the best interests of the company and end users to blacklist European visitors and/or comply with GDPR. A site can pair a proxy server like CloudFlare with geolocation data to block EU member-state access. In this case, the goal of greater transparency effectively leads to limited Internet access for European citizens.

Traveling EU residents, remote Internet providers or device settings can circumvent geolocation data restrictions. GDPR is for EU residents, not devices and extends beyond online shopping. There is a chance that EU residents bypassing website cloaking still require GDPR compliance.

Blocking countries may be a consideration to significantly reduce incidences of possible claims, but do not forget about EU customers or email subscribers that may have already signed up for your products or services. Compliant sites may reap the benefits of more customers in the less crowded market.

Third-party plugins complicate compliance. Long gone are the days when websites store everything on one server. Reliable site maintenance depends upon Internet service providers with redundant co-location data backups. Various payment platforms like PayPal, Google Pay, Amazon Pay and Apple Pay involve third-party data access. Simplifying user logins through social media integration likewise authorizes an outside party to interact with customer data.

GDPR does not apply to a natural person’s “social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”

Email services like MailChimp and Constant Contact store customer contact information to mediate SPAM law compliance. Blog commenting may be facilitated by a third party, like Disqus. Persistent cart capabilities allow shoppers to harmonize shopping carts from multiple devices. eBay and Pinterest can be integrated with e-commerce websites.

Embedding a Twitter link on an article requires an understanding of their data usage policies. Some companies (like Amazon and Twitter) utilize targeted remarketing that follows a user with advertisements after leaving a website. (ClinicalPosters has disabled Twitter tracking on its website.)

If you do not want Twitter to show you interest-based ads on and off of Twitter, there are several ways to turn off this feature:

• Using your Twitter settings, visit the Personalization and data settings and adjust the Personalize ads setting.
• If you are on the web, you can visit the Digital Advertising Alliance’s consumer choice tool at optout.aboutads.info to opt out of seeing interest-based advertising from Twitter in your current browser.
• On your mobile device, enable the “Limit Ad Tracking” setting in your iOS phone’s settings, or the setting to “Opt out of Ads Personalization” in your Android phone settings.

Major e-commerce platforms like Shopify, BigCommerce, WooCommerce or Wix are enhanced by third-party plugins that interact with data in different ways. Some aggregate and track user behavior to help site owners better manage inventory or marketing response. An omnipresent example is Google analytics. Each third party may rely upon one or more additional parties to deliver their service. Amazon Web services or Akamai offer cloud servers, DDS protection, Ai logistics, data compression and more.

It is conceivable that data could be moved from an e-commerce platform into Microsoft Excel spreadsheets or Intuit QuickBooks. It is not unreasonable for a single site to have data dispersed among a dozen or more partnering service providers or locations. PayPal disclosed over 600 data points. The following are details from Article 29 Working Party Publishes Guidance on Consent Under the GDPR. Data may not be processed unless there is at least one lawful basis to do so:

1. The data subject (individual) has given consent to the processing of personal data for one or more specific purposes.
2. Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
3. Processing is necessary for compliance with a legal obligation to which the controller is subject.
4. Processing is necessary to protect the vital interests of the data subject or of another natural person.
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.

The relative ease to launch a website with a shopping cart or blog has caused many to pop up and begin gathering email addresses and followers. The GDPR will give everyone pause before establishing an online presence. Those with malicious intent are in the minority. Most are companies simply outsource technical aspects for efficiency.

It is not that companies do not wish to share data usage policies with end users. The scope of third-party applications is so broad that tracking the flow of data becomes a challenge. In this respect, GDPR is a wakeup call to streamline data policies.

What is Required to Comply?

Suppose a site owner is not comfortable blocking nations and wants to welcome EU visitors. What does compliance involve? EU visitors, and by extension everyone, must be presented with a comprehensive and concise explanation of how data is used. In the past similar interest was satisfied by a non-interactive privacy notification. That does not go away; it may become more robust. But a separate GDPR document may be necessary.

A designated Data Controller should read the lengthy GDPR document in its entirety. Statements of GDPR compliance must be received from all third parties. This needs to be aggregated into one document presented to visitors. Furthermore, visitors must be given the option to opt-out of various data usage.

Deselecting one type of usage like cookies, analytics, data backup or email may have a cascading effect on the overall delivery of services. The end user is notified when omission affects efficacy of requested service. Additionally, EU visitors can request a detailed copy of specific data a website and its partners have about them. Upon request data must be destroyed or deleted from specified locations.

Consent must be granular and given separately for each data processing operation, and there should be no detriment to the data subject if the data subject elects to withdraw his or her consent.

Compiling all the details is difficult enough. Establishing micromanaged interactive disablement with audit trail methodology is a technical dilemma. Site owners (compliance officers) must maintain a record of all authoriza­tions and methods of compliance.

How does this apply to bloggers? If you have a comment section on your blog or collect email addresses to send newsletters, you are responsible for visitor data. Likely this is something handled by third-party plugins. The good news is that most of them are already working on GDPR compliance. (See box entitled: GDPR Compliance Resources From Popular Companies.) Find out how they are using such data and disclose this to visitors at the point of collection.

If you are not comfortable with the security and/or manner in which any data is being used, discontinue using the offending plugin and, if necessary, select another plugin/Internet service provider that complies with GDPR. Give users the option of excluding unnecessary data collection and outline procedures for complying with customer personal data requests.

How Might Compliance Look?

To get an idea of how compliant websites might look, visit some already live sites with hosts or operations within the EU. GDPR migration assistance services can also be purchased from companies that have already assisted websites throughout Europe. Since each website is different, there is no one-size-fits-all solution.

Checkboxes or pop-up information boxes may be used within forms requesting personal data. Some websites might display a small pop-up box that notifies visitors that cookies are used on the site. This box can include a link to a comprehensive disclosure that may include links for data requests or interactive opt-out form. MailChimp might be a viable partner for collecting subscriber emails and with required notifications and checkboxes.

How To Begin The Process

1. Conduct a visitor data audit.
2. Create a visitor data policy.
3. Establish fixed time for maintaining data.
4. Collaborate with vendors over GDPR compliance.
5. Install visitor notification alerts.

Send a re-validation email before May 25, 2018 to mailing list subscribers if you are uncertain whether you can provide support for consent. Useful but non-essential processes that make data more difficult to track or secure should be eliminated.

When in doubt, leave it out. Once an audited system is in place, any new third-party features need to be monitored and be compatible with existing policies. Dynamic policy changes may require frequent visitor notification of revised policies.

E-commerce and blogging platforms like Shopify could do more to help customers prepare for GDPR. Shopify has produced a 27-page GDPR white paper (April 20, 2018). Basically, it outlines Shopify’s commitment to internal compliance, its roll in data security, and that it will provide merchants with unidentified tools.

In conclusion the white paper states, “While Shopify’s operations will comply with the GDPR, and Shopify will provide tools to help its merchants comply, it is the responsibility of each merchant to ensure that its business is compliant with the laws of the jurisdiction in which it operates.”

More fields are required within customer account pages to display actionable user preferences. Comprehensive data collection and protection disclosure should be required of third-party plugin developers. Hosting platforms are in the best position to display appropriate notification (with site owner modification) or provide tools to handle compliance actions like audited compilation, archival and disposal.

It is the responsibility of each merchant to ensure that its business is compliant with the laws of the jurisdiction in which it operates.

Evidon launched a unified solution to help organizations achieve compliance with the evolving ePrivacy Regulation (ePr of Cookie Law) and the GDPR. Called the Universal Consent Platform, it allows companies to deploy a single, user-centric transparency and consent solution for compliance with both the ePrivacy Regulation and European Union GDPR across desktop, mobile web and in-app.

Up to and beyond the deadline, expect to see more companies offering services to assist with compliance. Amazon has a growing library of books for sale on the subject. Look for webinars advertised on social media. Above all else, if you have not already done so, begin working on your GDPR strategy today.

Reference added on February 6, 2020 following the U.K. exit from EU. Modified May 10, 2018 to add language for bloggers. This document is subject to revision as new information becomes available.

References

1. GDPR FAQs. eugdpr.org/gdpr-faqs.html Retrieved 7 May 2018
2. PwC Data Protection. pwc.com/us/en/services/consulting/cybersecurity/general-data-protection-regulation.html Retrieved 7 May 2018
3. GDPR Final Text. (PDF) Brussels, 6 April 2016, europa.eu/doc/document/ST-5419-2016-INIT/en/pdf Retrieved 7 May 2018
4. MarTech Today’s Guide to GDPR. martechtoday.com/guide/gdpr-the-general-data-protection-regulation Retrieved 7 May 2018
5. General Data Protection Regulation (GDPR) requirements, deadlines and facts. csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html Retrieved 7 May 2018
6. What is the European Union? schengenvisainfo.com/eu-countries/ Retrieved 7 May 2018
7. General Data Protection Regulation. en.wikipedia.org/wiki/General_Data_Protection_Regulation Retrieved 7 May 2018
8. Netsparker Surveys US Based C-Levels on GDPR Compliance. netsparker.com/blog/web-security/gdpr-compliance-2018-survey-results/ Retrieved 7 May 2018
9. Encrypting Cookies in the Browser. teamtreehouse.com/encrypting-cookies-in-the-browser Retrieved 7 May 2018
10. How to Block Entire Countries from Accessing Your Website. sitepoint.com/how-to-block-entire-countries-from-accessing-website/ Retrieved 7 May 2018
11. Cloudflare. cloudflare.com Retrieved 7 May 2018
12. How Europe’s new privacy rule is reshaping the internet. theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice Retrieved 7 May 2018
13. Article 29 Working Party Publishes Guidance on Consent Under the GDPR. huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/ Retrieved 7 May 2018
14. GDPR and How Compliance Can Improve Your Email Marketing. blogs.mailerlite.com Retrieved 7 May 2018
15. UK: Understanding the full impact of Brexit on UK: EU data flows. blogs.dlapiper.com/privacymatters/uk-gdpr-brexit-flowchart/ Retrieved 7 May 2018
16. Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now. (PDF) ico.org.uk /media/1624219/preparing-for-the-gdpr-12-steps.pdfRetrieved 7 May 2018
17. Evidon Universal Consent Platform. evidon.com/solutions/gdpr/ Retrieved 7 May 2018
18. What Proof of Compliance will GDPR Regulators be Looking for? secureworks.com/resources/vd-gdpr-proof Retrieved 7 May 2018
19. Key GDPR components. youtu.be/srh2hpz-1CU Retrieved 7 May 2018
20. Facebook CEO questioned by Senator about user privacy. youtu.be/TX8MSZy5I3I Retrieved 7 May 2018
21. GDPR: Setting Priorities Now. youtu.be/uWqcg87GeZs Retrieved 7 May 2018
22. 6 GDPR Compliance examples. youtu.be/bVap-DYWKjg Retrieved 7 May 2018
23. Adding a Pop up info box. youtu.be/Kru2R5OjGaA Retrieved 7 May 2018