If you sell over the internet, what if I told you that the European Union's GDPR may well expose you to a fine of up to €20 million or 4% of your worldwide annual turnover, whichever is higher?
Absurd as it sounds, the EU's General Data Protection Regulation is pretty clear. Anyone, located anywhere, who collects, controls, solicits or holds the personal data of an EU resident in connection with offering them goods or services can be pursued if they fail to protect that data from unauthorized disclosure or fail to provide a way for the individual to have their personal information erased from the underlying records.
Simple example: US company Seller Co posts an offer on the world wide web to sell a widget for $10 plus shipping. A potential customer emails in response and asks whether the widget comes in red, or simply emails an order for the widget. If that customer is located in any EU country, Seller Co, as the advertiser, must have a conforming data protection system in place or it can be sued here in the US, even if no actual misuse of the data ever occurs.
The details of how this works are beyond the scope of this blog post, but note the general view that e-commerce companies and travel sites are covered, as they solicit personal data such as names, email addresses, or charge card information. How can you prevent liability under the Regulation?
Hire a firm that will make sure that your e-commerce systems comply with EU Regulations.
If you would rather not build a compliant system, your e-commerce site might state that no orders will be filled from EU countries; some websites are already blocking addresses originating from the EU. It seems, however, that even if you state on your website that you will not accept EU business, and someone in the EU sends a reply containing personal information in spite of your warning, the moment you actually look at that information (as you will, just by reading the email address to see whether it comes from the EU) I am told that you have processed it and are subject to the Regulation. Erasing the data and declining to enter into a transaction seems not to protect you.
Now this seems illogical; we have no US cases yet, and the Regulation does not even take effect for another couple of months. Although the EU can declare, and has declared, unilaterally that it has authority over e-commerce companies located anywhere that simply post on the web, what a US court would do with an EU claim absent an express treaty promising enforcement is something for future lawyers to fight about. Larger online companies are all over this issue, but for the small e-commerce business it is a "gotcha."
Europeans have always been more concerned about data breaches by businesses; Americans are more sensitive to data incursions by governments. But regardless of your sensitivity, the Regulation seems a massive over-reach.