On May 25, General Data Protection Regulation (GDPR) becomes law in the European Union, vastly expanding the regulations that apply to all companies processing the data of EU subjects. Why should US companies care? Because any site that touches the EU must comply. Therefore, if your company has an online presence—even if it’s based in the US—it likely falls under the scope of GDPR, and it must become compliant with more rigorous regulation ASAP.

Until now, the EU has had a “general directive” that exempted US companies from compliance. But the safe harbor is gone with this new law, so it is time to review your privacy policy. Failing to comply with GDPR could cost you, as the penalties are stiff: 4% of annual global revenue or 20 million pounds, whichever is greater.

Get Started: Review Your Privacy Policy

All US companies with an online presence should begin by reviewing their privacy policies. The new regulations favor users, demanding more transparency from companies about the way they use data. Privacy policies can no longer be buried at the bottom of a webpage.

Opting In Instead of Opting Out

This change alone is why you may need a full-blown overhaul of your site. Most American business sites have had opt-out clauses, meaning users had to proactively choose to protect their data. Now, the opposite is true: users must affirmatively agree to each site’s privacy policy and acknowledge that the site collects personal data before that collection takes place.

Cookies are Personal Data

Cookies are typically unique codes that a website stores on a user’s computer to track how a customer visits the site and uses its content—often then determining which ads will be displayed to the user. Under the GDPR, cookies are considered personal data regardless of any disguise they may wear (such as a random-looking jumble of letters and numbers). Therefore, customers must be informed of the tracking and must consent to it.

The Guiding Principle

The GDPR takes as its guiding principle, “People have the right to be forgotten.” Therefore, companies must also create a process that allows all users to remove all of a site’s information and cookies from their own computers, if they so desire.

We’ve just scratched the surface—but the essential thing to realize from the start is that just updating your privacy policy isn’t enough. Your site actually needs to function differently.

In the next post, we’ll discuss how you can prepare for the coming changes.


Pete Salsich III has been General Counsel for Coolfire Studios, LLC (an entertainment content creation studio), Coolfire Solutions, Inc. (a mobile software development studio focused on the military and commercial enterprise), and MedAware Solutions, Inc. (a mobile software platform company focused on the healthcare industry). Since joining AEGIS, Pete continues to serve in this capacity.