We now live in the GDPR era. It’s a new landscape of consumer privacy protection. Even though it’s based in the European Union, this new landscape will be felt around the world. Living with GDPR means learning about GDPR. That means creating new policies and procedures for consumer communications.
The EU’s General Data Protection Regulation (GDPR) standardizes and strengthens privacy regulations. It applies across all European member nations. That means it protects any EU citizen. Any company marketing to, selling to, partnering with or producing from the EU has to comply. Consent is central to the regulation. It sets a high standard for consent with fines as great as 20 million euros or four percent of total worldwide annual revenue, whichever is larger.
So GDPR is here. Not only is it here, but it brings with it a new wave of privacy regulations and directives.
Many of these are already in motion. The ePrivacy Regulation is coming up in the EU. California already passed the CCPA (California Consumer Privacy Act), set to go into effect in 2010. Other states are getting ready to follow suit. It’s very important to understand not just GDPR, but how this new landscape is going to shift privacy rights around the globe. Since most of these other new regulations are modeled after GDPR, let’s take a deeper dive.
GDPR requires that companies earn explicit consent for personal data collection. That means showing a check-box for consumers to check on purpose. Pre-checked boxes don’t count. All that identifiable personal information, regardless of where it is used, has to be protected. Proof of that protection has to be verified. The regulation even states that the protection of personal data is a fundamental human right. That means people in the EU have the right to
In such cases, the burden of proof lies with the company. That means the company has to be able to prove that they honored the customer’s request. Accurate record-keeping is critical.
Overall, GDPR gives consumers meaningful leverage. Leverage against the companies that collect and use their personal data. For example, people in the EU can request an explanation from companies about:
GDPR also gives consumers leverage for litigation and penalties against companies that don’t comply.
As companies feel the early effects of GDPR, there will be an early wave of litigation. This will help with clarification and set precedents for enforcement. But as this happens, another EU regulatory change comes closer to realization. Often referred to as the “cookie law,” the 2002 ePrivacy regulation is about to be updated.
Experts predict the new ePrivacy will complement and extend GDPR. At the same time, it will focus on cleaning up privacy and security policy discrepancies between EU member nations.
Right now, online communications providers (like Gmail, Skype, Facebook Messenger, etc.) have different requirements than traditional telecommunications providers. Under the updated ePrivacy, they’ll all fall under the same stringent requirements. ePrivacy will require prior consent to communicate. That means each individual account holder for texts, online messages, or emails will have to agree to contact. In short, it will be another transfer of power from company to consumer. The consumer will have to give permission before they are contacted by email or direct message.
This makes enterprise businesses with global customers, suppliers, operations or partners definitely vulnerable. We’ll see how severe the fines and penalties are in the wave of litigation that’s coming soon. That will set precedents for how the EU will enforce the GDPR, but it’ll also show how serious the fines will be. Remember, they could be as high as 4% of total global revenue. But even more important, GDPR and ePrivacy represent a long-term global trend. This wave of new privacy regulations shows no signs of slowing.
For more information, read our whitepaper about “Earning and Maintaining Consent in the GDPR Era.”