opinion

Data Privacy Is Tightening Up in the E.U.

Data Privacy Is Tightening Up in the E.U.

Have you begun preparing for GDPR? If you are like most, you haven’t even heard of GDPR, but also if you are like most, it is going to affect your business, starting May 25, 2018.

The GDPR, or General Data Protection Regulation, was first introduced to the European Union Parliament in 2012 and passed in 2016 to take effect in 2018.

The GDPR is “the most important change in data privacy regulation in 20 years” and it comprises comprehensive E.U. data protection regulations that are intended to create uniform privacy laws across Europe.

The GDPR is “the most important change in data privacy regulation in 20 years” and it comprises comprehensive E.U. data protection regulations that are intended to create uniform privacy laws across Europe.

The GDPR will probably change the way the rest of the world handles data as it applies to any organization outside the E.U. that offers goods or services to E.U. residents, and that includes doing business online.

Due to its broad reach, it is likely to become a global standard, and even if you aren’t selling to E.U. residents, the companies you do business with may require you to certify compliance in order to maintain business relationships.

The bad news about GDPR.

The bad news is that penalties for non-compliance can be stiff. Supervisory authorities are to impose fines that are “effective, proportionate, and dissuasive”; up to €20 million or 4 percent of global revenue, whichever is higher. You can read this is as: “Make an example out of the ones that don’t comply.”

The highest fines are for not obtaining customer consent when collecting data and lesser fines for not keeping records in order or not following the notification rules in the event of a data breach, but expect fines to be stiff for any violation.

It isn’t just regulators that have enforcement powers, either. GDPR gives E.U. individuals the right to sue for damages in the state where they reside, independent from supervisory authorities.

This means that even if you don’t attract regulator attention, your E.U. customers potentially have the right to damages if you get hacked. Further, the GDPR gives those individuals the right to bring an action against the supervisory authorities if those authorities don’t deal with a complaint against you

It’s not just two teams of FBI agents trying to police all adult websites; the entire population of the European Union has a cause of action if you ignore this regulation.

The good news about GDPR.

The good news is most of the rules make sense and bringing systems up to date won’t be difficult for most businesses.

The regulations are intended to protect individual privacy and were written with input from a broad spectrum of stakeholders, unlike adult entertainment laws that were often written by special interests that really just wanted to regulate porn out of business.

Also good news is that the GDPR applies to just about everyone, so compliance solutions should be widely available.

Compared to the 18 U.S.C. § 2257 regulations that only applied to publishers of adult content, and where only a relative handful of compliance services are available, the GDPR applies to every entity that collects names and email addresses from E.U. residents, so expect more companies and professionals offering solutions.

So what does this GDPR make me do?

The first thing it is going to make you do is update the privacy policy on your website. Under the GDPR, your privacy policy needs to be accurate and explain in clear language what you do with customer data, so a 42-page policy in legalese or copying a privacy policy from another website could really cause problems down the road.

The first thing regulators will look at after a data breach or consumer complaint is your privacy policy, and a policy copied from someone else is almost certainly not accurate for your business. If you have a data breach and the privacy policy you copied from another website says you delete collected information after 30 days but you really don’t, you have some explaining, and some fine paying, ahead.

What you definitely don’t want is to try explain why your privacy policy is not accurate or up to date and includes the contact information for an unrelated business because you didn’t even take the time to insert your own information into the privacy policy you copied from another website.

The next thing GDPR requires is that you obtain informed consent from E.U. residents before collecting their information, and if you are collecting a name, even a fictitious name, and an email address, you are collecting information.

If you are collecting information, your privacy policy must set out exactly what information you will collect, why you are collecting it, and what you plan to do with that information. This means you need to state the obvious: you need to explain to your customer that you need his name, credit card information and billing address because you plan to charge him money for accessing your website or shipping a product.

If you collect other information, like viewing history to create customer profiles, you need to disclose that as well. If you intend to send marketing emails for your own websites or emails for a partner site, that needs to be included in your privacy policy. Basic rule is disclose, disclose, disclose.

There is increased data security and reporting with GDPR.

The GDPR has specific requirements for data processors and defines data processors very broadly. Under the GDPR, “processing” basically means doing anything with customer data, including collecting it, storing it, or deleting it, so everybody becomes a data processor.

The GDPR requires data processors to implement security measures “appropriate to the risk” and implement processes for regularly testing those security measures. Again, using common sense and sound security procedures such as installing firewalls, requiring two-part authentication and IP blocking for server access, will most likely get you across the threshold.

The more sensitive the data you collect, the more secure your systems need to be, but first you need to understand what data you collect and how the GDPR classifies that data to determine how much security you will need for your systems. Layered systems, with greater security for more sensitive data, will likely be necessary even for basic adult online businesses.

There are data breach notification standards with GDPR.

The GDPR also mandates notification after personal data breaches. It defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

This means a hacker doesn’t need to steal data, just alter it or delete it to trigger notification requirements.

If you discover a data breach, you have 72 hours to notify the supervisory authority, 1) describing the nature of the breach, including the scope of breach, 2) providing your contact information, 3) “describe the likely consequences of the personal data breach,” and 4) what you plan to do about it. If the data breach is likely to result in a high risk to the individuals, which is as simple as there being a high risk your customers’ credit card information could be used for unauthorized transactions, you also need to notify those customers whose data was breached “without undue delay.”

Taking a week to notify customers after a data breach because you didn’t already have a plan in place and had to take time to figure out how to respond probably would be “undue delay.” You will need to know what to do to comply with the notification requirements before disaster strikes in order to avoid “undue delay”, so start planning ahead.

This article barely scratches the surface of the upcoming General Data Protection Regulation.

In many ways, the GDPR mandates common sense approaches to data security, but it is quite comprehensive and requires any entity that collects data from E.U. residents to evaluate how it collects data and what it does with that data.

If your activities fit within the term “data processor,” and most will, you need to create and implement a compliance plan and put together a data breach response plan.

Again, most of this is common sense, but it takes time, money and effort, or the help of trained professionals, to make sure you don’t get caught with your pants down.

Chad Anderson is a solo attorney practicing in copyright, trademark, business relations, privacy and security. Chad sits on the Arizona State Bar Rules of Professional Conduct Committee and is a member of the Intellectual Property section of the American Bar Association, American Mensa and the International Association of Privacy Professionals. You may contact the author at chad@chadknowslaw.com with any questions.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Navigating Age-Related Regulations in Europe

Age verification measures are rapidly gaining momentum across Europe, with regulators stepping up efforts to protect children online. Recently, the U.K.’s communications regulator, Ofcom, updated its timeline for implementing the Online Safety Act, while France’s ARCOM has released technical guidance detailing age verification standards.

Gavin Worrall ·
opinion

Why Cyber Insurance Is Crucial for Adult Businesses

From streaming services and interactive platforms to ecommerce and virtual reality experiences, the adult industry has long stood at the forefront of online innovation. However, the same technology-forward approach that has enabled adult businesses to deliver unique and personalized content to consumers worldwide also exposes them to myriad risks.

Corey D. Silverstein ·
opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
Show More