The European Commission’s General Data Protection Regulation (GDPR)

The European Union (“EU”) regulates intellectual property matters, including websites, through
the European Commission (“EC”). The EC recently enacted the General Data Protection Regulation
(“GDPR”).1 The GDPR goes into effect May 25, 2018.

The new regulation is aimed at protecting the “fundamental rights and freedoms of natural
persons and in particular their right to the protection of personal data.”2 EU-based users of your website,
even if your website is based outside the EU, now have more control over how their personally
identifying data is used, as well as increased rights.3 For U.S. companies that collect personal data from
EU-based users (e.g., names, email addresses, etc.), there are new compliance obligations. While
enforcement and potential fines are EU-based, companies outside the EU can avoid potential EU-based
liability for GDPR violations by complying with the new regulations.

The headlines regarding the new GDPR are focused mainly on data mining websites, for example
online advertising-based businesses such as Google and Facebook whose core business model is targeted
advertising resulting from “harvesting” of user data.

For companies whose websites make minimal use of EU user information (e.g., an EU user
invited to provide an email address and name to receive an online newsletter or to be contacted for
business reasons), compliance will be less onerous though still required. This will typically include
updating privacy policies,4 implementing interactive website consent tools for users,5 and providing
contact information for a Data Protection Officer (“DPO”).6

In addition to basic disclosures in the website privacy policy, most of the compliance will be
implemented by your website developer, who will be responsible for adding “GDPR Compliant” plug-in
features to the portion of your website that interacts with users and confirms their privacy rights.7

It is our understanding that cost-effective “plug and play” GDPR compliant website privacy
controls are being quickly developed by the U.S.-based software community for those companies that
obtain data from EU-based users as part of their business model. It is essential that your GDPR
compliance strategy include identifying website programmers who offer validated GDPR compliance
programming services.

                                                       
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General
Data Protection Regulation) [hereinafter Regulation (EU) 2016/679].
2 Id. art.1 para. 2.
3 Id. ch. 3.
4 Id. art. 13, 15, 17, & 19–20.
5 Id. art. 6–8.
6 Id. art. 37.
7 Id. ch. 4.

8033 W. Sunset Blvd., Suite 978, Hollywood, CA 90046
310 467 5855
www.coreyfieldlaw.com

As noted, there are potential EU-based fees and penalties that could be assessed against a
company if not in compliance with the GDPR after a mandated series of warnings.8 As of May 25, 2018,
should your company receive any inquiries from users based in the EU regarding use of their personally
identifying information, compliance is essential.9

Corey Field Law Group, P.C. counsels clients on GDPR compliance. This includes a preliminary
analysis to assess whether your business is engaging in online activities with EU residents that require
GDPR compliance; updating your privacy policy as needed; and ensuring that your website designer and
programmer are providing you with GDPR compliant website solutions.10

Please note: The GDPR is European-based law that may have specific obligations and
non-compliance penalties arising from the law of EU-member countries. If your company would like in-depth
advice on GDPR obligations and enforcement, including any potential EU-based fines or other penalties
for non-compliance, please consult a law firm based in the EU and licensed in the relevant country.11

 
May 17, 2018
 

                                                       
8 Id. art. 58, 77–79, 82–84.
9 Id. art. 77.
10 Id. ch. 4.
11 For a useful graphic of the different components to the GDPR, please see the EC’s website here:
http://ec.europa.eu/justice/smedataprotect/index_en.htm.
