Europe is big into protecting the privacy of users who enter their information online (like filling out a form for an appointment, a credit card application, or even signing up for a newsletter). They continually make the laws stronger to protect their citizens from digital evilness (like selling your information without your consent)– much more so than the US.
So what does this mean for you?
If you do collect user data from anyone in the European Union, you will probably need to make some changes. Here is the top level gist of what you need to do. (we will have links to the nitty gritty legal stuff at the end)
- Only collect the data from users that is truly required to process their request and clearly explain why it is needed. So asking for an email for a free newsletter is fine. Asking for their race, religion, and credit card information is not.
- Be uber clear that you are collecting their data. It must be “freely given, specific, informed and unambiguous.” And by unambiguous– the user must clearly state they want to opt-in. So, no opt-out as a default.
- Do not sell any user information to anyone else.
- Medical information has extra strict rules, however, this is already covered in the US by HIPAA
- There are special guidelines when reaching out to people 16 years or younger.
- There are really special guidelines when reaching out to those 13 or younger (short version– don’t do it. Reach out to parents.)
- Be clear on how long you will retain their information and why.
- Delete all information once it is not needed anymore.
- If there’s a breach in your security, everyone needs to be notified. No hiding it like when Yahoo was hacked– TWICE– and the hacker got access to all the users’ information.
European Policy is Good Policy to Follow
Although not required by US law (yet), the above guidelines are good practice for everyone to follow. And it appears that you are following the spirit of the law.
Links for more information:
- Straight for the Digital Horse’s mouth, here is the European Union’s official GDRP site.
- And Verisafe (we have no connection to this company) does a nice job of providing a check list and is much more digestible and clear than the GDPR’s version.
Got more questions? We can’t explain much more than the above, however, you’re welcome to ask. If you do intend on reaching out to anyone in the EU, we do recommend you discuss this with a lawyer with experience on this topic.