By Craig Gipson
The (Privacy) Times, They Are A-Changin’
If nothing else, your email inbox probably alerted you to the major privacy legal shift that occurred last month, prompting the question: why are so many companies sending me new privacy terms? The answer is the European Union’s General Data Protection Regulation, known more commonly by its acronym “GDPR”, which went into effect May 25.
Although the law originates in the E.U., its coverage extends far beyond European borders, including to U.S. businesses. Below are some basics about GDPR to be aware of and resources for further information:
Who does GDPR apply to?
The short answer is any organization that possesses data about an E.U. citizen or other person in the E.U. The extra-territorial reach of the regulation makes it virtually global in scope. If your organization possesses the email address of an E.U. citizen (even if that individual is now residing in the U.S.), or has ever used cookies to track an E.U. resident after that person visited a website, the regulation likely applies to you.
What do we need to do about GDPR?
GDPR is fairly comprehensive so its requirements are both broad and deep. But a good place to start is to be able to answer the following questions:
- First, a threshold question: do we have any data about an E.U. citizen or an individual residing in the E.U., or does our organization have “established” dealings in the E.U.?
- What data do we have about our customers or other individuals and how did we get it?
- What data are we currently collecting, and by what means (e.g., directly from an individual or indirectly through cookies)?
- Who are we sharing data with and for what purposes are we sharing it?
- How are we storing and protecting the data?
- How long do we maintain the data?
With answers to these questions, your organization’s privacy policy should be updated to include this and other required information. And, as always, the procedures for handling data described in your privacy policy must align with how your organization acts in practice.
What are the penalties for not being compliant with GDPR?
This is why GDPR has caused such an uproar in mainstream media reports and among domestic companies. The fines are on a sliding scale but steep. For organizations with approximately $12 million in annual revenue, the fines may be 2 percent of worldwide turnover from the previous fiscal year. For businesses with about $24 million or more in total revenue, the fine may be 4 percent.
More information on GDPR linked recently in ECPA’s Rush to Press can be found here and here.
If your organization is not compliant, you are not alone. In fact, you are in the majority. One regulatory report estimated 90 percent of British businesses were not prepared for GDPR. Enforcement will likely center on large foreign businesses with established European presences at first, but the regulation also allows individuals to make certain demands about their data. If organizations do not respond to those demands properly, the individual may have European authorities act on the violation.
Reminder: Book Titles Are Not Trademarks…Except When They Are
A federal judge recently struck down an author’s attempt to remove book titles from Amazon that contained a word she claimed was a trademark. The title of a single work is not a trademark as it is descriptive of a good and not indicative of the source of that good. However, the title of a series of books may be a trademark subject to protection. In this case, the court found the author’s trademark as the title of her series to be weak and entitled to only narrow protection. But if your organization publishes a successful series, it is worth bearing in mind that protecting the series title as a brand can distinguish your product and reduce market confusion in the future.