Although the GDPR came into force almost two years ago and is one of the most exhaustively discussed pieces of legislation in the world, many people still find it confusing.
That’s not surprising. The GDPR is densely written and complex, and it’s a full 261 pages long, comprising 99 “Articles” and 173 “Recitals.” It’s a difficult document to understand.
If you own a business that’s based in the US, the question you’re probably asking yourself is, “Do I actually need to understand the GDPR?”
After all, it’s a European Union regulation. Does it apply to American businesses at all?
The quick and easy answer is that, no matter where your company is based, there’s a good chance that some aspect of your business is affected by the GDPR—especially if you have a substantial online presence.
Read on to learn more.
Although the GDPR is a European Union regulation, its reach is not limited to European companies.
Article 3 of the GDPR defines its territorial scope. Under Article 3(2), the regulation applies to a business with no establishment in the EU, no matter where it is located, if it engages in either of the following: offering goods or services to data subjects in the EU (whether or not payment is required), or monitoring the behavior of data subjects insofar as that behavior takes place within the EU.
In other words, if you sell products or services to people in the EU or you collect data about their activities, the GDPR applies to you, even if your business is based in the US.
Notably, because the GDPR uses the term “data subjects” and not “citizens” or “residents,” it protects the data of anyone who happens to be in the EU—even people who are there temporarily. If one of your American customers travels to Europe and you collect data from them while they’re abroad, that data falls within the GDPR’s purview.
Let’s look at the two conditions outlined in Article 3 in more depth, starting with the first one.
What exactly does it mean to offer a good or service to someone in the EU?
“Goods" are pretty straightforward. If your business ships physical products to the EU, the GDPR applies to you. There isn’t much ambiguity there.
"Services" are murkier. If the services that you provide are limited to your city or region—for instance, if you run a vet clinic in Buffalo, NY—you’re obviously not offering them to EU subjects.
But what if you offer a service on your website? What if your vet clinic operates a blog, and you occasionally provide pet care advice to people who comment on your posts?
For that matter, what if you operate an online business that serves customers from all over the world?
If people in the EU occasionally stumble across your site and use your services, even though you never directly advertise to them, does that mean you’re affected by the GDPR?
Recital 23 of the GDPR clears things up a bit. It notes that “the mere accessibility of [a] website in the Union” is not enough for it to be subject to the regulation. The owner of the website or business in question must “envisage offering services” to data subjects in the EU.
In plain English, this means that your intent matters. Are you expecting people from the EU to use your services?
More to the point, if a third party looked at your website, would it seem like you expected people from the EU to use your services? Recital 23 names the kinds of signals that count: offering the site in a language or currency generally used in an EU member state, with the ability to order in that language, or mentioning customers or users who are in the EU. Conversely, a site that is merely reachable from the EU, or that uses a language common in your own country, does not by itself show such intent.
If you can say “no” to the above, then there’s a chance that the GDPR doesn’t apply to your business … under the first condition that we discussed above.
But remember, there are two conditions.
Even if you aren’t “offering goods or services” to people in the EU, the GDPR still affects you if you’re engaged in “monitoring their behavior.”
In practice, that means collecting data that could be used to identify them and describe their activities. Recital 24 gives the paradigm case: tracking individuals on the internet, including profiling them in order to take decisions about them or to analyze or predict their preferences, behavior, and attitudes.
If you don’t have any European customers, then you probably do not collect data from anyone in the EU in the course of doing business.
But there’s a good chance that your website does.
To begin with, by some estimates around 65% of websites run analytics software, tools that keep tabs on which pages each visitor views, how long they spend there, and so on.
If you have a blog attached to your site, you probably ask your users for their personal information when they comment on your posts. If you have a mailing list, you collect their information when they subscribe.
Even if you don’t do any of that, your web server almost certainly records your visitors’ IP addresses in its access logs by default, and the GDPR treats an IP address as personal data: Recital 30 lists internet protocol addresses among the online identifiers that can be used to identify a natural person.
It's rare for a website to not collect any data about its users.
Unless you built your website from scratch, there may be data collection running on it that you’re not even aware of: analytics plugins, embedded social-media widgets, third-party comment systems, and externally hosted fonts or scripts all cause each visitor’s browser to contact the provider’s servers, handing over the visitor’s IP address and often a cookie.
If you collect data about individuals—like browsing and purchase histories that you use to customize your site’s user experience—you’re definitely monitoring people, and you need to comply with the GDPR.
If you limit yourself to raw stats (for example, what time of day your site receives the most traffic) and it wouldn’t be possible for anyone to trace the data points back to individual users, you might be okay. The distinction the regulation itself draws is in Recital 26: truly anonymous information falls outside the GDPR, but data that has merely been pseudonymized, where the person can still be identified with the help of additional information, is still personal data.
However, the exact line is fuzzy. No one is completely sure yet when “data collection” turns into “monitoring.”
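To make the distinction between “monitoring” and “raw stats” concrete, here is an added example in Python (not code from the original article). It parses a few constructed web-server log lines in the common “combined” format, then shows the per-visitor browsing history a server keeps by default beside two reduced forms: hourly totals that carry no identifier at all, and records whose addresses have been truncated. The log lines and addresses are constructed; the 24-bit IPv4 and 48-bit IPv6 truncation widths are the convention many analytics products use and are an assumption of the example, not a legal threshold.

```python
"""Contrast per-visitor tracking with aggregate statistics over web-server logs.

Added example; the sample log lines below are constructed, not real traffic.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the Apache/nginx "combined" access-log format.
# Addresses come from the documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:09:15:02 +0000] "GET /blog/pet-care HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:09:16:40 +0000] "GET /blog/pet-care/comments HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2020:09:58:11 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/7.68.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Mar/2020:14:03:27 +0000] "GET /appointments HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return records


def per_visitor_history(records):
    """Browsing history keyed by full IP address.

    Each value is a profile of one identifiable visitor's activity, the kind of
    record the text calls "monitoring", whether or not the IP is ever joined
    to a name.
    """
    history = defaultdict(list)
    for r in records:
        history[r["ip"]].append(r["path"])
    return dict(history)


def truncate_ip(ip_str, v4_prefix=24, v6_prefix=48):
    """Zero the host part of an address before it is stored.

    The default widths (assumed here) mirror the common analytics convention of
    dropping the last IPv4 octet and the last 80 bits of an IPv6 address. This
    is a mitigation, not a guarantee of anonymity: a /24 still narrows a visitor
    to a small network, so treat the result as pseudonymous unless it is also
    aggregated.
    """
    addr = ipaddress.ip_address(ip_str)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def hourly_traffic(records):
    """Aggregate request counts per hour, keeping no per-visitor identifier."""
    counts = Counter(r["ts"].strftime("%Y-%m-%d %H") for r in records)
    return dict(counts)


def minimised_records(records):
    """A reduced retention form: truncated network, hour bucket, path and status.

    Neither the full IP nor the user agent is kept.
    """
    return [
        {
            "network": truncate_ip(r["ip"]),
            "hour": r["ts"].strftime("%Y-%m-%d %H"),
            "path": r["path"],
            "status": r["status"],
        }
        for r in records
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Per-visitor histories (monitoring):", per_visitor_history(recs))
    print("Hourly totals (raw stats):", hourly_traffic(recs))
    print("Minimised retention:", minimised_records(recs))
```

The hourly totals are the “raw stats” case: nothing in them points back to a person. The truncated records sit in between, which is exactly the gray area the article describes: the visitor is no longer pinpointed, but a /24 plus a timestamp and path is still more than nothing, so whether a regulator would call that anonymous or merely pseudonymous is a question the example cannot settle.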
In contrast to the “offering goods or services” condition that we discussed above, when it comes to “monitoring behavior,” your intentions do not matter.
If you monitor your users and any of them happen to be based in the EU, their data is protected and the GDPR applies.
This is why a number of prominent websites have resorted to blocking visitors from the European Union. One of the only foolproof ways to make sure you never inadvertently monitor any EU users is to make sure you have no EU users at all.
If it seems like it’s tough to keep your business from being affected by the GDPR, that’s because it is.
To avoid being subject to the regulation, you have to be scrupulous about two things: not offering goods or services to people in the EU, and not monitoring the behavior of anyone who is in the EU.
If your business doesn’t operate internationally, the first condition is relatively easy to satisfy, but the second one is harder. You can’t control whether people from the EU visit your website (short of blocking them), and it can be tricky to ensure you’re not monitoring their behavior.
Whether your goal is compliance or to avoid being affected by the regulation at all, it pays to do your homework. In the next few years, there will almost certainly be exciting court cases that clarify some of the gray areas that we discussed above, and ideally your business won’t be involved in any of them.