Oooey, gooey, chocolate or fruity, (sadly) those aren’t the kind of cookies we’re talking about. We’re talking about the kind that websites use to track your activities on their site, and sometimes on other sites as well.
Following a number of significant data breaches around the world, in May 2018 the EU enacted the General Data Protection Regulation (GDPR). The Regulation applies to anyone who collects any type of personal data from residents of the EU, including the data that cookies collect.
While its intent is similar to BC’s Personal Information Protection Act (PIPA), the GDPR is more protective and more specific in a number of areas. These include “affirmative consent” for data collection (hence the cookie notices), stringent storage requirements, and the right to “be forgotten.”
We should say up front that we are not legal experts, but here’s our understanding of the central issues.
EU Business Activity: If you have an office or agent in the EU, offer products or services to people in the EU, or monitor the behaviour of individuals in the EU, the new law applies to you. This means that if you sell anything to anyone in the EU, you need to ensure that you are fully compliant with the GDPR, and it may be worth your while to engage a lawyer to assist, to avoid significant fines.
If you do not currently fall under that definition, ensure that your home page states your business area, and be aware of the issues below.
If EU Traffic Increases (or you want to expand into the EU): It’s a good idea to keep an eye on your analytics to monitor traffic from EU countries. If that number becomes significant, or if you are getting inquiries, or people from the EU are signing up for your newsletter by providing an email address, you will need to meet some additional GDPR requirements.
Legitimate business activities, including things like email marketing, are permitted under the GDPR, but the rules on how you store and use the personal information needed to do so are more onerous than under PIPA. There are also additional requirements, such as notifying customers within 72 hours if there is a data breach.
Bottom Line: If you are fully compliant with PIPA and do not do business in the EU, just make sure that you have a “cookie” notice and keep an eye on your analytics. If you do sell, or want to start selling, in EU countries, have a compliance officer or a lawyer advise you.