opinion

Data Privacy Is Tightening Up in the E.U.

Data Privacy Is Tightening Up in the E.U.

Have you begun preparing for GDPR? If you are like most, you haven’t even heard of GDPR, but also if you are like most, it is going to affect your business, starting May 25, 2018.

The GDPR, or General Data Protection Regulation, was first introduced to the European Union Parliament in 2012 and passed in 2016 to take effect in 2018.

The GDPR is “the most important change in data privacy regulation in 20 years” and it comprises comprehensive E.U. data protection regulations that are intended to create uniform privacy laws across Europe.

The GDPR is “the most important change in data privacy regulation in 20 years” and it comprises comprehensive E.U. data protection regulations that are intended to create uniform privacy laws across Europe.

The GDPR will probably change the way the rest of the world handles data as it applies to any organization outside the E.U. that offers goods or services to E.U. residents, and that includes doing business online.

Due to its broad reach, it is likely to become a global standard, and even if you aren’t selling to E.U. residents, the companies you do business with may require you to certify compliance in order to maintain business relationships.

The bad news about GDPR.

The bad news is that penalties for non-compliance can be stiff. Supervisory authorities are to impose fines that are “effective, proportionate, and dissuasive”; up to €20 million or 4 percent of global revenue, whichever is higher. You can read this is as: “Make an example out of the ones that don’t comply.”

The highest fines are for not obtaining customer consent when collecting data and lesser fines for not keeping records in order or not following the notification rules in the event of a data breach, but expect fines to be stiff for any violation.

It isn’t just regulators that have enforcement powers, either. GDPR gives E.U. individuals the right to sue for damages in the state where they reside, independent from supervisory authorities.

This means that even if you don’t attract regulator attention, your E.U. customers potentially have the right to damages if you get hacked. Further, the GDPR gives those individuals the right to bring an action against the supervisory authorities if those authorities don’t deal with a complaint against you

It’s not just two teams of FBI agents trying to police all adult websites; the entire population of the European Union has a cause of action if you ignore this regulation.

The good news about GDPR.

The good news is most of the rules make sense and bringing systems up to date won’t be difficult for most businesses.

The regulations are intended to protect individual privacy and were written with input from a broad spectrum of stakeholders, unlike adult entertainment laws that were often written by special interests that really just wanted to regulate porn out of business.

Also good news is that the GDPR applies to just about everyone, so compliance solutions should be widely available.

Compared to the 18 U.S.C. § 2257 regulations that only applied to publishers of adult content, and where only a relative handful of compliance services are available, the GDPR applies to every entity that collects names and email addresses from E.U. residents, so expect more companies and professionals offering solutions.

So what does this GDPR make me do?

The first thing it is going to make you do is update the privacy policy on your website. Under the GDPR, your privacy policy needs to be accurate and explain in clear language what you do with customer data, so a 42-page policy in legalese or copying a privacy policy from another website could really cause problems down the road.

The first thing regulators will look at after a data breach or consumer complaint is your privacy policy, and a policy copied from someone else is almost certainly not accurate for your business. If you have a data breach and the privacy policy you copied from another website says you delete collected information after 30 days but you really don’t, you have some explaining, and some fine paying, ahead.

What you definitely don’t want is to try explain why your privacy policy is not accurate or up to date and includes the contact information for an unrelated business because you didn’t even take the time to insert your own information into the privacy policy you copied from another website.

The next thing GDPR requires is that you obtain informed consent from E.U. residents before collecting their information, and if you are collecting a name, even a fictitious name, and an email address, you are collecting information.

If you are collecting information, your privacy policy must set out exactly what information you will collect, why you are collecting it, and what you plan to do with that information. This means you need to state the obvious: you need to explain to your customer that you need his name, credit card information and billing address because you plan to charge him money for accessing your website or shipping a product.

If you collect other information, like viewing history to create customer profiles, you need to disclose that as well. If you intend to send marketing emails for your own websites or emails for a partner site, that needs to be included in your privacy policy. Basic rule is disclose, disclose, disclose.

There is increased data security and reporting with GDPR.

The GDPR has specific requirements for data processors and defines data processors very broadly. Under the GDPR, “processing” basically means doing anything with customer data, including collecting it, storing it, or deleting it, so everybody becomes a data processor.

The GDPR requires data processors to implement security measures “appropriate to the risk” and implement processes for regularly testing those security measures. Again, using common sense and sound security procedures such as installing firewalls, requiring two-part authentication and IP blocking for server access, will most likely get you across the threshold.

The more sensitive the data you collect, the more secure your systems need to be, but first you need to understand what data you collect and how the GDPR classifies that data to determine how much security you will need for your systems. Layered systems, with greater security for more sensitive data, will likely be necessary even for basic adult online businesses.

There are data breach notification standards with GDPR.

The GDPR also mandates notification after personal data breaches. It defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

This means a hacker doesn’t need to steal data, just alter it or delete it to trigger notification requirements.

If you discover a data breach, you have 72 hours to notify the supervisory authority, 1) describing the nature of the breach, including the scope of breach, 2) providing your contact information, 3) “describe the likely consequences of the personal data breach,” and 4) what you plan to do about it. If the data breach is likely to result in a high risk to the individuals, which is as simple as there being a high risk your customers’ credit card information could be used for unauthorized transactions, you also need to notify those customers whose data was breached “without undue delay.”

Taking a week to notify customers after a data breach because you didn’t already have a plan in place and had to take time to figure out how to respond probably would be “undue delay.” You will need to know what to do to comply with the notification requirements before disaster strikes in order to avoid “undue delay”, so start planning ahead.

This article barely scratches the surface of the upcoming General Data Protection Regulation.

In many ways, the GDPR mandates common sense approaches to data security, but it is quite comprehensive and requires any entity that collects data from E.U. residents to evaluate how it collects data and what it does with that data.

If your activities fit within the term “data processor,” and most will, you need to create and implement a compliance plan and put together a data breach response plan.

Again, most of this is common sense, but it takes time, money and effort, or the help of trained professionals, to make sure you don’t get caught with your pants down.

Chad Anderson is a solo attorney practicing in copyright, trademark, business relations, privacy and security. Chad sits on the Arizona State Bar Rules of Professional Conduct Committee and is a member of the Intellectual Property section of the American Bar Association, American Mensa and the International Association of Privacy Professionals. You may contact the author at chad@chadknowslaw.com with any questions.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

profile

WIA Profile: Holly Randall

If you’re one of the many regular listeners to Holly Randall’s celebrated podcast, you are already familiar with her charming intro spiel: “Hi, I’m Holly Randall and welcome to my podcast, ‘Holly Randall Unfiltered.’ This is the show about sex, the adult industry and the people in it.

Women In Adult ·
trends

What's Hot Now: Leading Content Players on Trending Genres, Monetization Strategies

The juggernaut creator economy hurtles along, fueled by ever-ascendant demand for personality-based authenticity and intimacy — yet any reports of the demise of the traditional paysite are greatly exaggerated.

Alejandro Freixes ·
opinion

An Ethical Approach to Global Tech Staffing

One thing my 24-year career as a technologist working to support the online adult entertainment industry has taught me about is the power of global staffing. Without a doubt, I have achieved significantly more business success as a direct result of hiring abroad.

Brad Mitchell ·
opinion

Finding the Right Payment Partner

Whenever I am talking with businesses that are just getting started, one particular question comes up a lot: “How do I get a merchant account?” It’s a simple question, but it has a complicated answer.

Jonathan Corona ·
opinion

The Taxman Cometh for Every Business

February may be the month of romance, but it is also a time when we need to think about something that inspires very little love: taxes. April is not far away, and the taxman is always waiting. This year, federal and most state income taxes are due Monday, April 15.

Cathy Beardsley ·
opinion

The Continuous Journey of Legal Compliance in Adult

The adult entertainment industry is teeming with opportunity but is also fraught with challenges, from anticipating consumer behavior to keeping up with technological innovation. The most labyrinthine of all challenges, however, is the world of legal compliance.

Corey D. Silverstein ·
profile

Alexzandra Kekesi Takes Charge as Aylo's Head of Community and Brand

While Alexzandra Kekesi was earning her bachelor’s degree in women’s studies from the Simone de Beauvoir Institute at Concordia University, feminist thinkers influenced her deeply, inspiring her passion for sex work advocacy.

Alejandro Freixes ·
opinion

New Year, New Tools for Tackling Chargebacks

Happy New Year! Looking back, 2023 saw some important developments for the industry. Visa lowered the limit on credit card surcharges to 3%, AI continued growing fast and Mastercard published an update to its Business Risk Assessment and Mitigation (BRAM) program.

Jonathan Corona ·
opinion

The Next Frontier in Computing, Storage Is Here

While I typically steer clear of diving too deeply into the technical nitty-gritty, in this month’s column I’m making an exception, because there’s a technological evolution underway that has the potential to fundamentally enhance technical outcomes and, more importantly, grow revenue.

Brad Mitchell ·
opinion

Raising Awareness and Taking Action Against Financial Discrimination

While foes of the adult entertainment industry often focus on “moral” concerns and perpetuate social stigmas, another form of attack can be equally or even more damaging: financial discrimination.

Corey D. Silverstein ·
Show More