GDPR Fines Have Arrived, Are You Prepared?

Before I get into the latest and greatest from the world of data protection and the GDPR, I would like to take a moment to talk about my personal experiences from the 2019 XBIZ tradeshow. I’ve grown increasingly tired of hearing people complain about industry tradeshows and focus solely on the quantity of attendees; the fact is that everyone likes to complain and always will. This year’s 2019 XBIZ tradeshow was a tremendous success and I feel sorry for those who missed out. The mood was set from the opening night with the incredibly popular “Rooftop Rage,” sponsored by MojoHost and Silverstein Legal.

Sure, I’m a little biased because I co-sponsored the event, but given the personal messages that I’ve received, this event was a hit. I’m told that the Rooftop Rage ended up being the start of new ventures and collaborations for many in the industry. The rest of the show was equally impressive and the entire XBIZ team deserves credit for a job well done. The seminars were packed wall-to-wall, the awards shows were memorable celebrations of the best-of-the-best and everywhere I looked meetings were taking place and business was getting done — if that’s not a successful tradeshow then I have no idea what is.

As luck would have it, I received my first XBIZ Exec Award at this year’s show and I was truly honored and humbled by the experience. I’m told that I’m the first lawyer in the award show’s history to receive an XBIZ award and I don’t think I have adequate words to express my appreciation to the adult industry for providing me this recognition. Incredibly, I was even honored on the same night as Stephen Yagielowicz who was presented with a special award for his nearly 20 years of journalistic work for XBIZ. I’ve always admired Stephen and find it amazing to have shared this award-winning evening with him.

Now that I’ve gotten that out of my system, it’s time to talk about the latest news concerning the GDPR and it isn’t good. In the latter part of this past January, Google was assessed fines in the amount of 50 million euros (approximately 57 million USD) by a French regulator for violations of the GDPR. Most experts and journalists seem to agree that this is being considered the first major financial penalty assessed on anyone since the GDPR became enforceable. Google has promised to appeal (as they should) and this will be a case that everyone should continue to follow.

In terms of what happened, France’s National Data Protection Commission alleged and found that Google failed to present information about data-processing purposes and data-storage periods in the same place, sometimes requiring users to make five or six clicks to obtain the information. In a statement released with the announcement of the fine, Google was fined over “a lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” In summation, Google was found to not have obtained prior consent from Google users for the data it collects for the numerous services it provides.

Many companies in the adult industry have made the GDPR a priority and have taken steps to either become GDPR compliant or to start the process. Those companies making the effort are truly acting as prudent, responsible business operators. However, the problem is that the majority of companies in the adult industry are not treating the GDPR as a serious matter. In preparation for writing this article, I polled some adult business operators and asked them for the main reasons why they haven’t taken GDPR seriously and here are the top five responses:

  1. I don’t know what the GDPR is;
  2. It costs too much to become compliant;
  3. I’ll deal with it when/if the adult industry is targeted;
  4. I’m located in the United States, so it doesn’t apply to me;
  5. I’m waiting to see what everyone else does;

These are all horrible reasons that can each lead to disastrous consequences. So here are my simple responses to each of these excuses for not getting serious about GDPR compliance:

1 - I don’t know what the GDPR is;

The GDPR went into effect in May 2018 and is a massive set of regulations that, amongst other things, creates strict rules on processing and storing data. The GDPR also covers the export of personal data outside of the E.U. and European Economic Area (EEA). The GDPR requires businesses to seek explicit consent before businesses collect or use personal data. The GDPR has set specific rules about when and how businesses must provide users with a copy of their personal data and when businesses are required to report data breaches. I should note that the GDPR is substantially more complex and covers far more, but I’m severely limited in space for this article; I’d need a few thousand pages to cover it all. (The GDPR text alone takes up 261 pages.)

2 - It costs too much to become compliant;

Yes, it’s true that there are pretty hefty legal expenses associated with getting GDPR compliant but instead of thinking of the cost let’s discuss the possible fines allowed under the GDPR. Up to 20 million euros or 4 percent of your worldwide annual revenue of the prior financial year, whichever is higher. My response to those businesses who indicated legal costs were their primary concern in delaying GDPR compliance was, “would you rather spend a few thousand dollars now or pay a few million euros later?” I’m sure that you can guess how everyone responded to that.

3 - I’ll deal with it when/if the adult industry is targeted;

That is the same attitude that people took in 2010 when the President of the United States signed the Restore Online Shoppers’ Confidence Act (“ROSCA”) into law. Since that time, millions of dollars in fines and penalties have been assessed against adult industry businesses for ROSCA violations.

4 - I’m located in the United States, so it doesn’t apply to me;

Wrong. The GDPR applies to your company if it processes personal data of an individual residing in the E.U. when the data is accessed. The GDPR even applies if no financial transaction occurs. Note: I have yet to provide a consultation to any successful online business who isn’t impacted by the GDPR in some manner.

5 - I’m waiting to see what everyone else does;

This response makes sense, but is a terrible way of thinking. What happens when you are one of the early targets of regulators? By then, it will be too late.

The GDPR isn’t going away and this fine against Google is simply the first of many. Far too many companies continue to not take the GDPR seriously and I have no doubt that eventually this line of thinking will backfire; it’s just a matter of when.

Now is the time to be talking to lawyers such as myself who understand the GDPR and can properly assist you in becoming compliant. Kicking the can down the road is not going to work with the GDPR. As an aside, the rest of the world’s governments are taking data privacy and security far more seriously and are actively following enforcement of the GDPR. It’s not beyond the realm of imagination that we will be seeing more stringent laws coming from the federal level in the United States very soon; the State of California is already moving forward with its own online privacy laws that take effect in January 2020.

This article does not constitute legal advice and is provided for your information only and should not be relied upon in lieu of consultation with legal advisors in your own jurisdiction. It may not be current as the laws in this area change frequently. Transmission of the information contained in this article is not intended to create, and the receipt does not constitute, an attorney-client relationship between sender and receiver.

Corey Silverstein is the managing and founding member of the Law Offices of Corey D. Silverstein. His practice focuses on representing all areas of the adult industry and his clientele includes hosting companies, affiliate programs, content producers, processing companies, website owners and developers. He is licensed in numerous jurisdictions, including Michigan, Arizona, Georgia, New York and the District of Columbia. Contact him at (248) 290-0655.