Why Cookies are Such a Big Deal

Posted on: July 5, 2018

Oooey, gooey, chocolate or fruity, (sadly) those aren’t the kind of cookies we’re talking about. We’re talking about the kind that websites use to track your activities on their site, and sometimes on other sites as well.

If you’ve done any internet surfing lately, you’ve likely seen more popup notices than usual, stating that the site uses cookies. You may also have received emails or other notices asking you to accept a new Terms of Use or Privacy Policy for a site that you have an account on. That’s because of a new privacy law in the European Union (EU).

Following a number of significant data breaches around the world, in May 2018, the EU enacted the General Data Protection Regulation (GDPR). The Regulation applies to anyone who collects any type of personal data from residents of the EU, including the data that cookies collect.

While its intent is similar to BC’s Personal Information Protection Act (PIPA), the GDPR is more protective and more specific in a number of areas. These include “affirmative consent” for data collection (hence the cookie notices), stringent storage requirements, and the right to “be forgotten.”

While we are not legal experts, here is our understanding of the central issues.

EU Business Activity: If you have an office or agent in the EU, offer products or services to people in the EU, or monitor the behaviour of individuals in the EU, the new law applies to you. This means that if you sell anything to anyone in the EU, you need to ensure that you are fully compliant with the GDPR, and it may be worth your while to engage a lawyer to assist, to avoid significant fines.

If you do not currently fall under that definition, ensure that your home page states your business area, and be aware of the issues below.

Cookies and Analytics: Most websites use cookies to track users by their IP address. Some sites personalize content based on previous use of the site, and information such as referral source and pages viewed is used in analytics. The use of cookies and analytics should already be described in the Terms of Use or Privacy Policy on your site; however, many users would not think to go looking for these documents, the links to which are often in small print in the footer. Under the GDPR, an IP address is personal information, and you have to get affirmative consent for collection. What many sites have done is to display a brief message that links to more detailed information. One example, from realtor.com/international, reads: “We use cookies to give you the best possible experience on our site and to analyze traffic. By continuing to use realtor.com/international, you agree to our use of cookies. View our Privacy Policy for more information.”

Beyond this, if you do not do business in the EU, don’t have anyone from the EU signed up for your newsletters, and do not buy, sell or trade data, your PIPA-based Privacy Policy should suffice.

If EU Traffic Increases (or you want to expand into the EU): It’s a good idea to keep an eye on your analytics to monitor traffic from EU countries. If that number becomes significant, or if you are receiving inquiries from the EU, or people from the EU are signing up for your newsletter by providing an email address, you will need to meet some additional GDPR requirements.

Legitimate business activities, including things like email marketing, are permitted under the GDPR, but the rules for how you store and use the personal information needed to carry them out are more onerous than under PIPA. There are also additional requirements, such as notifying customers of a data breach within 72 hours.

Bottom Line: If you are fully compliant with PIPA and do not do business in the EU, just make sure that you have a “cookie” notice and keep an eye on your analytics. If you do sell, or want to start selling, in EU countries, have a compliance officer or a lawyer advise you.