Have you recently visited a website and received a cookie notice? Did it frighten you? The notice itself should have told you something you already know: most websites use some form of tracking to remember users, provide personalized services, or collect marketing data. Even if you do already know this, the European Union wants to give users the opportunity to opt out of it.
The European Union (EU) is very concerned about user data privacy in an information age when even your specific geographic location can be pinpointed simply because you accessed a website on your mobile phone. For businesses with a web presence, that means tighter restrictions and laws. Even if your company is physically located in the US, if you have European customers, you will be affected by these laws. The following are four very real ways in which the EU data protection laws will affect US businesses.
4 Ways EU Data Protection Laws Impact Your Business
1. The right to be forgotten – One of the key slogans being put forth by the EU is the right to be forgotten. It essentially means that users own their information and have the right to prevent websites and other online services from keeping and storing it.
Many American businesses have been rather lax in their approach to this issue. They do not have qualms about collecting user data through geolocation, cookies, email data scanning, social media content harvesting, and other techniques. If they intend to do business in Europe, they must begin to take notice of these issues, particularly the right to be forgotten. From a technical standpoint, they may need to start asking, “Does my business have a system in place that will allow us to erase user data after it has been collected?”
2. Consent to share data – Proponents of privacy change in the EU argue that companies should not share user data without the user’s consent. In the US, everything from financial institutions to social networking sites shares user data with partners and advertising firms. It is a major business revenue machine, especially for companies like Google and Facebook that rely on advertising for much of their income.
The user should decide if and when a company can share his or her data, according to the EU proposal. That means American companies must become more upfront about exactly what data they are sharing and give users the opportunity to opt out of that sharing without being penalized. Facebook has been at the forefront of such privacy issues because it is difficult and perhaps even impossible to use it without silently consenting to having the content you post shared with third parties.
3. Understanding what privacy means – In order to comply with privacy regulations, businesses will need to understand what the EU definition of privacy includes. For example, the European Union considers the location of data storage a real and valid privacy issue. A cloud provider may be able to store user data in a number of dispersed locations around the world, but a European country may require it to store its user data at a local data center.
Similarly, companies will need to be aware of privacy concerns that they may have taken for granted in the past. Many web servers collect IP address information by default, as it is generally viewed as a feature that helps the website owner with security and statistics. In doing so, however, a company can learn the country of origin of the connecting computer and other information, and collecting it could be viewed as a violation of privacy.
4. Comply and enforce – Ultimately, US companies will need greater transparency and will need to find ways to change the way data is stored. Ideally, they will be able to develop systems for compliance and enforcement that are automatic and work seamlessly with their web and mobile applications.
Organizations must be proactive in order to effectively comply. That means a full privacy audit, much in the same way that a company might perform a security audit. Both active and passive methods of collecting and storing user data should be evaluated and brought into compliance.
The Future of Privacy
Ninety percent of Europeans want a unified data protection policy across member states. That means any legislation proposed regarding privacy is likely to be wholeheartedly embraced by the public. Furthermore, the EU may be leading the way for the rest of the world, and it is very possible such regulations will eventually take root in the US as well. Companies that value user privacy and ultimately want to keep their customers will need to find ways to adapt.