When GDPR first went into effect, we saw companies rush for compliance, some even going as far as blocking EU traffic to avoid violating the regulation. However, with a population of 446 million, the EU is too large of a business opportunity to ignore. Further, an increasing number of global privacy regulations are passing, and stronger data privacy practices are now required for sustainable growth strategies. Even so, nearly two years after GDPR went into effect, a study by MIT, University College London, and Aarhus University found that nearly 90% of the 10,000 websites included in their research aren’t GDPR compliant.
In our experience, we’ve encountered several companies that choose not to comply because they don’t think the GDPR applies to them. However, the reality could not be more different. Article 3 of GDPR defines its territorial scope and specifically states the regulation “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.” In other words, even if you’re not based in the EU, if you process the personal data of anyone in the EU, whether it’s by conducting business transactions or doing any sort of behavioral tracking, GDPR applies to your business.
A number of companies outside the EU have already been fined under GDPR. Some of the most notable ones include Google and Marriott. Google was fined twice:
- In early 2019 for ~$57 million by France’s Data Protection Authority (DPA) for not properly disclosing data collection practices
- In 2020 for ~$8 million by Sweden’s DPA for failure to adequately execute against right to be forgotten requests
On the other hand, Marriott’s ~$123 million GDPR fine was levied by the UK’s Information Commissioner’s Office (ICO) in 2019 for its 2018 data breach, which affected at least 383 million guests and stemmed from its merger with Starwood.
While Google’s second fine and Marriott’s have not been finalized, EU DPAs have shown that they are not afraid to enforce GDPR beyond their borders. As such, it’s crucial to double down on compliance efforts if you haven’t already.
Finally, it’s worth noting that while companies that have already made efforts to comply with the California Consumer Privacy Act (CCPA) will have an easier time complying with GDPR, compliance with one does not equate to compliance with the other; there are nuances between the two. One key difference is the default: under CCPA, consumers are opted in by default and must actively opt out, whereas under GDPR consumers are opted out by default and must actively opt in. Additionally, CCPA has different definitions with regard to what consumers can opt out of. CCPA only enables opt-out of the sale of personal information, whereas GDPR stipulates that consumers are able to opt out of all personal information processing. As such, while CCPA compliance will certainly make GDPR compliance easier, the two are not to be confused. A site optimized for CCPA compliance will most likely fail against GDPR compliance.
That said, compliance efforts can be significantly streamlined with the right solution, and many privacy rights management companies offer products with support for both CCPA and GDPR. For example, dynamic consent solutions can serve users the applicable interface based on their region. Additionally, frameworks like the IAB’s Transparency & Consent Framework or CCPA Compliance Framework can help ease compliance efforts for any company that monetizes data.
As the world we live in continues to become more global and interconnected, businesses that intend to scale cannot limit their compliance initiatives to one region or regulation. Over time, we will see businesses that invested too heavily in single-region initiatives slowly lose ground to those that adapted quickly with a global mindset from the start.