I’m an AMERICAN. I run an AMERICAN business. I sell red hats that say “MAKE AMERICA GREAT AGAIN.”
I have an AMERICAN website. My customers are mostly proud AMERICANS. Now a bunch of FOREIGNERS from EUROPE are making rules about the information that I collect and the emails that I send. SAD! Can’t I just ignore all of their regulations because this is AMERICA?
As you seem to know, the European Union’s General Data Protection Regulation (GDPR, and no, that does not stand for an expletive about Puerto Rico, which is an island in the middle of the ocean) comes into effect in less than a month. These rules are long, complex, and apply to anyone, anywhere, who collects and processes certain kinds of information about people who are residents of any country in the EU.
The goal of the GDPR is to enhance privacy, an issue on which the EU has taken the lead, and which, frankly, the United States has largely ignored. As a non-European business, you may be able to avoid the GDPR, but you still have to protect yourself from its application if you don’t want to risk being drawn into a legal mess. You see, even a business that is not in Europe is still just a mouse click away from Europe. It’s still possible that (though, for the life of the Doc, he can’t imagine why) someone in Europe would want to buy your hats, or subscribe to your email newsletter, or quietly receive money from a Delaware LLC you control. What then? Will you just put a “NO FOREIGNERS ALLOWED” sign on your website and call it a day?
The Doc thinks that in this globalized economy, certain regulations enacted in one place have effects far away, even though you may never go there. Look at environmental regulations for cars, for example. California long ago solved its smog problem by imposing stricter standards on tailpipe and gas tank emissions. Manufacturers found after a short time that it was cheaper just to make all cars comply with these rules, even though the cars might never be driven in California, and the industry stopped selling “California only” versions of cars. The Doc thinks that after the dust settles, it will be the same with the GDPR.
So, Dave, the Doc’s advice is that while some very small US companies like yours may try to resist complying with the regulations, doing so will become abnormal, expensive, and risky in a short time. It will take a couple of years for the courts to sort out whether companies outside the EU really can be subject to the huge fines that are part of the GDPR, but most companies will decide not to take the risk, and will comply. That is why you have already seen emails from many organizations that ask for your consent to keep sending you email, and that explain that they have new privacy policies and invite you to spend the next 19 hours reading them.
In the end, avoiding the GDPR may turn out to be more complicated and expensive than compliance. After all, unless you just operate on the dark web where you trade data for cryptocurrency, the information you need to run your business is almost certain to contain “personal data” and some of that may pertain to Europeans. The Doc also thinks that the United States will soon follow along and enact tougher privacy regulations. After all, even Facebook’s Mark Zuckerberg told Congress that he thinks such rules are needed.
On the other hand, as Sun Microsystems founder Scott McNealy said in 1999, “It’s the Internet. You have no privacy anyway. Get over it.”
Have questions about intellectual privacy? Come talk to an attorney at LW&H (if you email, you will be consenting to the storage and processing of your personal information necessary to respond and to keep a record of the communication, a requirement of the GDPR).
Until next month, or whenever the Doc finishes his GDPR compliance review…
— The Doc
Lawrence A. Husick, Esq.