FSC Leadership Conference Explores New GDPR Privacy Laws

LOS ANGELES — The 2018 FSC Leadership Conference got underway today at the Andaz hotel in Hollywood, held in conjunction with the 2018 XBIZ Show, presented by ManyVids.

One vitally important session presented at the FSC Leadership Conference looked at the new General Data Protection Regulation (GDPR), set to go into effect in the U.K. in May, before spreading throughout the EU — a law that applies to every company, everywhere, when serving these nations.

Attorney Alan L. Frei, Partner at Baker Hostetler, kicked off the discussion with an overview of U.S. privacy regulations to provide a baseline comparison with what the GDPR will bring to stakeholders.

“Digital innovation creates risk,” Frei said, pointing to California’s requirement that all sites serving surfers within the state clearly post an appropriate privacy policy. “California also mandates tracking disclosures, such as the use of third-party cookies.”

Frei discussed the California Online Privacy Protection Act (CalOPPA) as well as best practices for mobile device users such as those issued by Google and other entities with a focus on preserving user privacy.

“Are you using third parties to collect information or sharing info you have collected with third parties?” Frei asked the attentive audience. “Has ‘privacy by design’ been incorporated into your campaign and design process?”

The notion of “privacy by design,” which extends to business models, database architecture and more, rather than being a matter of background colors and font selection, quickly became a recurring theme.

Frei outlined differences in opt-in, opt-out, and give-up approaches to future marketing communications as well as CAN-SPAM and TCPA requirements, and the need to record customer service calls. He also asked the audience about their involvement in behavioral advertising and targeting, among other means of consumer tracking that are increasingly coming under regulatory scrutiny. The subject of collecting location-based information, especially in the context of geo-discrimination and analytics, was also tackled as it pertains to current laws.

Among the considerations Frei brought to the fore, the Video Privacy Protection Act (VPPA), which has long prohibited the disclosure of consumers’ media viewing habits, raised some eyebrows, while needed disclosures about social media marketing and advertising must make it clear that a speaker/writer has a material connection to the product or service being offered.

“The U.S. Federal Trade Commission (FTC) is aggressively pursuing affiliates over non-disclosure,” Frei explained, underscoring the sometimes-unexpected liability and reach of commercial disclosure and privacy requirements. “Have you and your vendors adopted a formal data security compliance program? What about formalized agreements covering content and ad errors and omissions?”

If the breadth and depth of U.S. regulations intimidated some attendees, the new European rules were an eye-opening exercise in the need to be prepared, no matter how overwhelming the prospect may be.

Taking over the presentation for a glimpse at what’s coming in May, Dr. Kai Westerwelle, a partner at Taylor Wessing, revealed the realities of the uphill battle facing merchants in the months to come.

“Europe is a bit more difficult regarding privacy and privacy protection,” Westerwelle said, as he led into a discussion of Europe’s backspin into harmonization, where more consistent regulation will govern the transfer of data from Europe to the U.S., and explored Safe Harbor and Privacy Shield provisions, along with new regulations governing cookies.

According to the U.S. Department of Commerce, the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks “were designed … to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.”

Compliance with Privacy Shield, it seems, gets merchants well along the way to GDPR compliance.

On the topic of meeting the regulatory requirements of different countries across Europe given the lack of a unified mandate, Westerwelle told the audience “We have a very big space to maneuver in.”

“The EU is drifting apart on privacy,” Westerwelle said. “Different countries have different approaches, so a U.K.-centric model may not cover other countries.”

With the GDPR set to take effect in May, however, it behooves merchants to use this regulation as a model for their ongoing privacy programs, as it is reportedly set to cover the entire EU in 2020.

“For the first time ever, we have a different regulatory scope,” Westerwelle said. “[The GDPR] applies to every platform targeting EU customers no matter where they are in the world. Whenever you store data from Europe, think of the GDPR.”

Westerwelle shocked some attendees with the reality that their corporate headquarters’ location, level of market share, or any other factor, does not shield their businesses from having to comply with GDPR.

“Every company touching EU personal data has work to do,” Westerwelle said, specifying everything that can or does identify users’ personal data, including IP addresses, is covered by the new regulations. “The GDPR also specifies ‘sensitive data’ — including a user’s sexual interests — as requiring even more stringent care.”

Highlighting the vast difference in U.S.-centric data policies and those in Europe, Westerwelle was clear:

“In the U.S., you can use any data until you can’t,” he explained. “In the EU, it is the exact opposite — you can’t use any data until you can.”

It was a stark lesson in informed consent, which requires an unambiguous declaration with a statement of clear, affirmative action, localized to comply with EU law.

This means no pre-checked boxes and no “by submitting this form/entering this site I consent…” shenanigans: consent must be spelled out and positively affirmed by the user.

“You have to make documentation for every bit of data collected,” Westerwelle said. “This begins with complete data mapping. Data mapping is the hardest thing for you to do to comply with the GDPR.”

Detailed data mapping is the heavy lifting of compliance and the point at which merchants’ eyes open as to the extent their sites and service partners collect data. This includes remote access, such as live chat, interactions with call centers/customer support, connections with ISPs and payment facilitators, etc.

Westerwelle noted that comprehensive data mapping must account not only for when data is acquired but also for when it is deleted, which points to the need for formal data retention policies.

“You have to delete the data as soon as you no longer have a direct need for it,” Westerwelle explained, citing ongoing consent for newsletter mailing to an email address as an example of data that needs to have periodical re-authorization for use, saying this authority “should be renewed every six months.”

That’s a bitter pill to swallow for many marketers that have built their business on legacy mailing lists, especially when “there is specific contractual language required.”

Another action point is the naming of a corporate Data Protection Officer (DPO).

“A DPO is someone making sure your company is complying with everything under the law, and is legally obliged to report to authorities if something goes wrong — such as providing mandatory data breach notifications within 72 hours,” Westerwelle said, adding, “It is often difficult to get facts [about data breaches] in three days…”

As for penalties for non-compliance, they can be most severe, with egregious violations reportedly running at up to four percent of the annual turnover of the offender’s entire global group of companies — not just that of the problematic property — up to $40M. That’s a stiff chunk of change, and regulators are eyeing the actions of affiliates for which merchants are liable, making huge fines a likely proposition.

The discussion moved to the likelihood of offenders being caught, and while regulator staffing shortages and other burdens make it unlikely that a mid-size company will randomly be identified as an offender, Westerwelle told the audience they should find no comfort in that fact.

“Your enemy is your customer,” Westerwelle said, citing the possibility that disgruntled customers and ex-employees can report businesses to authorities, which are then legally obligated to investigate them.

As for immediate steps to take, Westerwelle emphasized that “I don’t want this!” is NOT an option if you want to serve customers in the EU.

“Make stakeholders aware and consider budgets. Map data and create a data inventory,” Westerwelle advised. “Identify who is the lead supervisory authority, and review privacy notices and consents.”

Finally, Westerwelle underscored “the right to be forgotten” and how the GDPR not only provides for users to demand that merchants expunge all available data about them, but to demand a copy of all data the merchant holds about them.

“Focus on the design of your database,” Westerwelle concluded. “You have to be ready to transfer user data to the user on demand.”

The complexity and seriousness of the message took many attendees by surprise, but the resilience of the adult entertainment industry is legendary, and this will be only one more hurdle for the increasingly corporate and sophisticated players driving the industry forward. Kudos to the FSC for fostering more awareness of this vital issue that will impact all online businesses.

Some last bits of advice: consult a qualified attorney and ensure your compliance before the deadline.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.