Friday is May 25, 2018. Do you know where your General Data Protection Regulation compliant privacy policy is? Do you even know what that means? Don’t feel alone. Most internet users in the U.S. had little, if any, idea that European Union regulations had anything to do with them until our email inboxes started clogging up with new privacy policies. Fortunately, someone who thought we might understand it better if it was explained with American football metaphors came up with this clever info-video.


What is the GDPR all about?

The General Data Protection Regulation (GDPR) is a long list of requirements that businesses in the European Union must follow to be clearer about the information they collect and use from their users or customers. Another purpose of the GDPR is to impose a uniform data security law on all EU nations so that each member state will no longer need to write its own data protection laws.

Why should websites not in the EU care about the GDPR?

On the internet, it’s easy for customers from one region to use services and purchase products in other countries. Because internet users are just a click away from EU based websites and services, many American companies have up-dated their privacy policies to adhere to GDPR requirements.

For example, Shopify created an extensive guide for the online retailers who use its software. They also created a helpful “Privacy Policy Generator” someone can use to create a privacy policy that is GDPR compliant. (Note: The generator is not legal advice, just a place to start. Run any changes by your attorney.)

Bottom line: If you sell goods, products or services to internet users in the EU, you should update your privacy policies. Even if you don’t sell things in the EU, it’s probably a good thing to review your policies and start following them.

The privacy rights EU internet users will have beginning May 25

Here are some specific items covered in the GDPR (via: CNBC):

  • Consumers will have a right to be informed about the collection of their information.
  • People will also have the right to access their information and companies much provide it within a month. If any data is inaccurate, companies must correct it.
  • Consumers have the “right to be forgotten” — and data can be purged. They can also ask for their data to be restricted: companies can store data but not use it.
  • People will be able to move or copy personal information from one source to another, known as data portability.
  • Consumers will have the right to object about how their data is used — including for direct marketing.
  • They can object to profiling when companies automatically process data to make assumptions about a person for marketing.

Some of the key privacy and data protection requirements of the GDPR include:

  • Requiring the consent of customers for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

In addition to EU members, any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.