What the New Data Protection Rules Mean for Businesses Outside of Europe


Thomas A. Pendleton is a partner at MacDonald Illig Attorneys and has been representing businesses, nonprofit corporations and individuals in a wide variety of legal matters for more than 25 years. He concentrates his practice on business matters, including preparing agreements and commercial litigation.

Use of the Internet allows companies to accumulate vast amounts of data about individual consumers such as credit card information, e-mail addresses, personal preferences and demographic information. This accumulated data is a frequent target of hackers and other thieves who want to use it for improper purposes. Governments have been actively imposing obligations upon businesses to inform consumers about the personal data the businesses are collecting, to obtain the consumers’ consent to do so, and to notify the consumers if the security of this data has been breached.

What is GDPR and Why It Matters
The European Union (EU) recently adopted the General Data Protection Regulation (“GDPR”). Even if your company does not have any direct business operations in the 28 member states of the European Union, you should be aware of the GDPR’s requirements. Any company that has a presence on the Internet and markets its goods or services to consumers or businesses over the Internet must comply with this regulation.

Companies likely to be subject to the GDPR are U.S.-based hospitality businesses, travel companies, software services and e-commerce companies. Furthermore, any U.S. company that has identified a market in an EU country and has localized Web content should review its Internet operations.

Generally speaking, the GDPR applies if the U.S.-based company collects personal data or behavioral information from someone in an EU country. This collection could occur as part of a marketing survey. Personal data includes a name, address, IP address, genetic data and biometric data.

In order to be subject to the GDPR, a company must target a person (“a data subject”) in an EU country. Generic marketing does not count. For example, if a German citizen uses Google and finds an English-language webpage written for U.S. consumers or business customers, the German citizen is not covered by the GDPR. However, if the same website is written in German and there are references to customers within the European Union, then the webpage would be considered to be targeted marketing and the GDPR applies. Likewise, accepting Euros as payment and having a “.de” suffix (the Internet suffix for Germany) would be additional evidence in favor of applying the GDPR.

If the GDPR applies to a company’s Internet marketing operations, a person’s consent must be “freely given,” specific, informed and unambiguous. This consent can be obtained from a “check box” without a default “x” in it, accompanied by clear language about what will be done with any e-mail addresses obtained. It is not permissible to ask the user to click on a link to a long “terms and conditions” document filled with legalese.

If a person signs up for a service or buys a product, the vendor must obtain explicit permission for each type of use of personal data. For example, a separate check box is required for: 1) using an e-mail address for e-mail promotions, and 2) sharing that e-mail address with third-party affiliates.

Once the data is collected, U.S. companies will have to protect it under the GDPR’s rules. One of the requirements is to notify a user within 72 hours of a breach or disclosure of medical or financial information, or identifiers involving children. This notification must be sent directly to the consumer, not simply broadcast in the news media or over social media. The relevant regulatory body must also be notified.

A brief article of this nature cannot cover all of the intricacies of the GDPR. If you believe that your company may be subject to the GDPR now or in the future, contact Tom Pendleton at 814/870-7756 or