GDPR imposes very tight regulations around how businesses can use or store personal data on EU citizens. These are vastly stricter than anywhere in the US or even in many European countries up to this point, so most companies can reasonably assume they’re out of compliance unless they’ve made specific efforts to comply.
Because the regulations are complicated and touch so many aspects of a business, they are typically expensive to fully implement and may interfere with traditional assumptions of how marketing can be done (of course the latter aspect is the whole point of the law from the EU’s perspective). Furthermore, some key aspects of the law are vaguely worded and haven’t yet been clarified by the EU, so it can be subjective whether you’re actually in compliance even if you put an effort in to do so. Hopefully the EU authorities will eventually clarify more of this, but a lot will probably get shaken out in the courts via precedent as cases are brought under the law.
For a good high-level review of what GDPR requires, take a look at ZDNet’s five step list for marketing teams. It’s important to note, though, that ZDNet’s list is very much a summary, as the actual rules are quite a bit more complex. If you need to look closer, Ecommerce Guide has prepared an in-depth dive into GDPR particularly as it relates to ecommerce.
Potential fines for noncompliance under the law are absolutely massive (up to 4% of global revenue: note that’s revenue, not profit, and applies to global, not just EU revenue). That said, many have pointed out that these are maximum fines and, in many cases, will probably be lower. There’s always the gamble, though, that a judge could impose up to the maximum.
Since the law is based on EU citizens’ data, not EU companies, it technically applies to companies anywhere in the world. Here’s the biggest caveat, though: nobody really knows how they will attempt to enforce this on companies that don’t have formal business operations in the EU. There is the possibility that they can try to enforce it through existing international treaties, but that would be up to the discretion of the government with jurisdiction. It’s hard to predict how cooperative the US government will be since it has not explicitly spoken to the issue, but the current executive administration is not in favor of strong regulation, which could suggest they’d push back against attempted enforcement. Again, it’s a gamble and not something that can be relied on long-term.
As the compliance deadline approached we’ve seen several categories of responses for US companies without European nexus:
- Proactively comply, either segmenting EU citizens or extending protections to all users.
- Stop offering services to EU citizens entirely.
- Do nothing ahead of time, rolling the dice and waiting to see what enforcement ends up looking like (i.e., will it actually be enforceable on US companies, what will the penalty levels actually be, and what sizes/types of companies will actually be targeted for enforcement)?
For those companies fully outside the EU, the decision is ultimately one each company has to make individually based on business risk and their own position on privacy ethics and marketing consent.