You've probably heard of the dreaded four-letter word – GDPR. Companies around the globe had been preparing for the May 25th implementation date for quite some time. But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them. Let’s face it, we have enough federal and state laws here in the U.S. to worry about. But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer to look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR. [click here for a primer on GDPR]

If you are a U.S.-based company, you may want to take a second look and ask yourself the below questions:

  • Do one or more of your platforms or ecommerce sites follow or track European Economic Area (EEA) users as they browse the Internet (e.g., tracking them over time and across various websites – *think, interest-based advertising*)?
  • Does your company have a physical office, subsidiary, or other establishment(s) located in the EEA that collects, receives, transmits, uses, stores, or otherwise processes personal data[1] (even if the processing does not occur in the EEA)?
  • Do one or more of your platforms or ecommerce sites offer[2] and/or target goods or services for sale to persons in one or more Member States in the EEA (irrespective of whether the goods or services are paid for or offered for free)?
  • Do one or more of your platforms or ecommerce sites offer your services or website in the language of an EEA member state?
  • Do one or more of your platforms or ecommerce sites accept currency that is generally used in one or more EEA Member States?
  • Do one or more of your platforms or ecommerce sites offer to ship products to buyers in one or more EEA Member States?
  • Do one or more of your platforms or ecommerce sites hold events in the EEA and/or target registration to persons in one or more Member States in the EEA?
  • Do one or more of your platforms or ecommerce sites monitor[3] the online activity of persons in one or more Member States in the EEA (in so far as their online behavior takes place within the EEA)?
  • Do one or more of your platforms or ecommerce sites collect geolocation information (either general or precise geolocation) about users in one or more Member States in the EEA?
If you answered “YES” to any of the above questions, then your business, or one or more of your platforms or e-commerce websites, may be subject to the requirements of GDPR.[4] (It’s ok, take long…deep…breaths. We’re here to help.) Just because the May 25th implementation date is already upon us, this doesn’t mean that all hope is lost. You can still take the necessary steps to satisfy GDPR compliance requirements.

Stay tuned for more installments of GDPR SIDEBAR.

***

[1] “Personal data” is defined in Article 4 of GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

[2] Under Recital 23 of GDPR, the offer has to be more than “the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established.”

[3] Under Recital 24 of GDPR, the term “monitor” generally refers to tracking individuals on the internet and any subsequent use of the data to profile an individual.

[4] Even if your company is a small or medium-sized business that processes personal data as described above, you must comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn't create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer).