View more from News & Articles or Primerus Weekly

Timothy J. Toohey
Greenberg Glusker
Los Angeles, California

Friday, May 25, 2018, is arguably the biggest day in privacy law in many years. That is the day the European General Data Protection Regulation (“GDPR”) goes into effect. Many of our clients have been preparing for this date all year. In recent days, however, we have received numerous calls, especially those those without a footprint in the EU, wondering if they too need to be "GDPR compliant."

For those who are not sure if they need to be "GDPR compliant," below are the top five questions we're being asked, as well as our answers to those questions:

Do I have to do anything about the GDPR? Despite what many vendors are implying, not all companies are subject to the GDPR. However, if a company is selling to or targeting European customers, it has to comply even if it has no physical presence in the European Union.
If I have Europeans on my e-mail contact list, does that make me subject to the GDPR? Not necessarily. It depends on whether you are targeting European customers with sales of goods or services or whether you are engaging in business to business enterprise.

If I have obtained consent from European customers in the past, do I have to get consent again? In many instances, companies do not have to obtain new consent, particularly if they have provided customers with an option to unsubscribe from a mailing list. However, it may be necessary to obtain consent for certain types of data collection and processing, especially if you are collecting substantial amounts of personal data from Europeans.

Do I have to modify my privacy policy? If a company is subject to the GDPR, it most likely needs to modify its privacy policy to some degree. The extent of the modification depends upon the individual facts and circumstances of a particular company. In any event, it is a good idea to have a lawyer take a look at a privacy policy and terms of use for websites to see if they fulfill existing requirements under both EU and U.S. law.

If I have updated my privacy policy to be GDPR compliant, what should I do next? If you have updated your privacy policy, you can communicate this change by posting a notification to your website. With the GDPR, it may be a good idea to take the additional step of sending a targeted communication to your mailing list informing customers of your compliance.

If you or your clients have any of these—or other—questions about the GDPR, please have them contact Tim Toohey at ttoohey@ggfirm.com or at (310) 201-7450.