Small businesses are exempt. US-only companies are not at risk. ‘Legitimate interest’ allows marketing without consent. And other myths.
The upcoming General Data Protection Regulation (GDPR) is confusing enough without having to be weighed down by misconceptions.
So, here is a list of the top misconceptions about GDPR, according to two experts: Gary Southwell, VP/general manager of the cybersecurity division of security firm CSPi, and Kristina Podnar, a digital policy consultant (who also consults for us, Third Door Media).
Misconception #1: ‘Legitimate interest’ allows marketing uses of personal data without user consent. While there is a “legitimate interest” exception in GDPR, it is always weighed against personal data rights. Podnar said a company could, for instance, use data without consent under legitimate interest if it were under court order to do so, if the data were needed to protect some vital interest like human rights, or if I needed your Social Security number after you’d already agreed to buy a car. But otherwise, consent is needed, and it’s not enough that a user has agreed to receive marketing info.
Misconception #2: Small businesses are exempt. There is no exclusion under current GDPR for businesses with only a few employees. “GDPR doesn’t care” about your firm’s size, Podnar told me.
Misconception #3: When GDPR begins implementation on May 25, there will be massive data auditing. Podnar said she expects “a narrow group of companies are probably on the prime target list,” but they’re not smaller companies. “If I had to bet,” she said, “what will trigger [GDPR] audits will be data breaches, or if your company cannot comply with user requests like ‘right to be forgotten.’”
Misconception #4: If your company is outside the US and doesn’t have business with European Union countries, it is not affected. Both Southwell and Podnar point out that GDPR applies to EU citizens’ data, wherever it may reside. Podnar noted that it’s not always possible to definitively determine where an EU citizen is physically at any one time.
Misconception #5: Personal data is personal data, under GDPR. Podnar noted there is an important GDPR distinction between personal data that is “private data” and that which is “sensitive data.” Private data includes IP address, name or street address. Sensitive data includes religion, sex, union membership or level of education. There are differences between how the two types of personal data can be stored and what you can do with them. Sensitive data, for instance, cannot be used for making business decisions like approving a mortgage.
Misconception #6: Companies that are not in the EU cannot be sued under GDPR. Wrong, Southwell says. The law applies to EU citizens’ data, wherever it resides, and he noted that two Italian citizens could file the equivalent of a class action suit in Italy against a Florida company if that company misused their personal data.
Misconception #7: GDPR only relates to data that has been provided by users. Nope. It applies to all data generated, collected or related to a user, whether or not they provided it.
Misconception #8: There is only one kind of user consent. Incorrect. As with the “cookie law” that preceded GDPR, sites and apps can obtain user consent to deploy a cookie or capture data that is not specific to an individual, with a notice to the effect of: “If you continue using this site, you grant permission for us to deploy a cookie that shows which pages you viewed, so that we can send you a follow-up ad.” Unless matched with other data, this kind of cookie deployment and data capture only identifies, say, those users that looked at a page showing blue sneakers. But if that data — possibly matched with other data sets — can identify an individual, then “click here” explicit consent for stated uses is required. The required consent differs, depending on whether the granularity can identify you.
Misconception #9: The data privacy movement behind GDPR is limited to Europe. Southwell points out that GDPR-like regulations are now also being considered in Asia — notably Japan and Singapore — as well as Australia. And, he noted, almost all US states have laws governing involuntary data exposure, and at least three — California, New York and Massachusetts — are exploring the possibility of implementing more stringent consumer data privacy laws.