The GDPR and ePrivacy
The consequences for you and your website
The General Data Protection Regulation (GDPR; AVG in Dutch) became applicable on 25 May 2018. The ePrivacy Regulation (ePR), intended to replace the existing ePrivacy Directive (2002/58/EC), had not entered into force on that date and was still in the EU legislative process; until it does, the Directive continues to apply through the national laws that implement it. These two EU rules are designed to better protect the personal data and privacy of people in the EU. They apply to any website owner who offers goods or services to, or monitors the behaviour of, people in an EU Member State, regardless of where the website is hosted.
The GDPR and ePR address growing concerns about the use and privacy of online personal data by strengthening individuals' rights, giving individuals more control over the use of their personal information, and requiring companies, organisations and website owners to comply strictly with the requirements. The GDPR also means that it is no longer necessary to understand and comply with the different privacy laws of 28 different EU countries: there is now one set of rules that applies directly in every Member State.
The difference between the GDPR and the ePrivacy Regulation
Both laws are about privacy, but at different levels. Where the GDPR focuses on personal data in general, the ePrivacy Regulation is more specific and is really about marketing channels and electronic communications service providers. The channels that use electronic communications are not regulated in detail by the GDPR, only by the ePrivacy Regulation.
The ePrivacy Regulation is intended as a kind of lex specialis to the GDPR: it gives more body and interpretation to the general rules of the GDPR, and its rules are more specific when it comes to electronic communications data that qualifies as personal data. The ePrivacy Regulation targets organisations that communicate with people through electronic channels. Tracking techniques and direct marketing are its main points of attention. So it is best to see the GDPR as the starting point for everyone, and in the specific cases where an organisation handles electronic communications data, the ePrivacy Regulation takes precedence.
What is the definition of personal data?
Under the GDPR, personal data is any information relating to an identified or identifiable natural person. Online, this includes information generated by cookies and other trackers (including information generated by embedded third-party services, such as Google or Facebook), as well as the IP address of an individual device. Website owners must provide the same level of protection for this information as for a name, address, bank details or national identification number. Crucially, pseudonymised data (for example a hashed user ID or a cookie identifier) is still personal data, because the individual can be re-identified by combining it with other information. Only data that is genuinely anonymised, such that nobody can re-identify the person by any means reasonably likely to be used, falls outside the GDPR, and that bar is much higher than simply removing names.
What are the requirements for website owners?
The requirements are numerous and cannot be fully documented on this website. However, as a website owner, you should:
- be fully aware of all tracking technologies on your website(s) and the purpose of each
- obtain valid consent before any non-essential cookies or trackers are set, and before any processing that relies on consent as its legal basis; pre-ticked boxes, continued browsing or silence do not count as consent
- record proof of consent: who consented, when, to which purposes, and under which version of your notice
- make withdrawing consent as easy as giving it, and stop the related processing when it is withdrawn
- know what information you share with third parties on your website and where that data is sent (worldwide)
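The four requirements above (know your trackers, consent before processing, proof of consent, easy withdrawal) map directly onto a small consent gate in the browser. The following is an added example, not code from the page or from any regulator or vendor. The purpose names, the tracker list with its script URLs and cookie names, and the pluggable `store` are all hypothetical; the store defaults to an in-memory `Map` so the code runs under Node, and in a real page you would back it with `localStorage` or a first-party cookie.

```javascript
// Added example (not from the page): a minimal consent gate for third-party
// trackers. Assumed/hypothetical: the purpose names, the tracker list and its
// cookie names, and the pluggable store (an in-memory Map here so it runs
// under Node; in the browser back it with localStorage or a first-party cookie).

const POLICY_VERSION = "2018-05-25"; // bump whenever the cookie/privacy notice changes

// Which purpose each third-party script needs, and which cookies it sets
// (hypothetical names), so withdrawal knows what to clean up.
const TRACKERS = [
  { id: "analytics-js", purpose: "analytics", src: "https://example.com/analytics.js", cookies: ["_an_id"] },
  { id: "ads-pixel",    purpose: "marketing", src: "https://example.com/pixel.js",     cookies: ["_px_uid", "_px_sess"] },
];

class ConsentManager {
  constructor({ store = new Map(), loader = () => {}, now = () => Date.now() } = {}) {
    this.store = store;   // get/set interface, like a Map
    this.loader = loader; // called once per tracker when its purpose has consent
    this.now = now;       // injectable clock so records are deterministic in tests
    this.loaded = new Set();
  }

  // The stored consent record, or null if absent or given for an older policy text.
  getRecord() {
    const raw = this.store.get("consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === POLICY_VERSION ? rec : null; // re-ask after a policy change
  }

  // Default deny: no record, a stale record, or anything but an explicit true means no consent.
  hasConsent(purpose) {
    const rec = this.getRecord();
    return !!rec && rec.purposes[purpose] === true;
  }

  // Persist an explicit choice as proof of consent: which purposes, when, under which policy text.
  recordChoice(purposes) {
    const rec = {
      policyVersion: POLICY_VERSION,
      timestamp: new Date(this.now()).toISOString(),
      purposes: { analytics: false, marketing: false, ...purposes },
    };
    this.store.set("consent", JSON.stringify(rec));
    this.applyConsent();
    return rec;
  }

  // Load each tracker whose purpose has consent, and load it only once.
  applyConsent() {
    for (const t of TRACKERS) {
      if (this.hasConsent(t.purpose) && !this.loaded.has(t.id)) {
        this.loader(t);
        this.loaded.add(t.id);
      }
    }
  }

  // Withdrawal must be as easy as giving consent: record the refusal (this keeps
  // the audit trail) and return the cookies of already-loaded trackers so the
  // caller can expire them. Scripts already executing stay in the page until a reload.
  withdraw() {
    this.recordChoice({});
    return TRACKERS.filter(t => this.loaded.has(t.id)).flatMap(t => t.cookies);
  }
}

// Browser wiring (not exercised under Node): inject the script tag only once consent exists,
// e.g. new ConsentManager({ loader: browserLoader }).applyConsent() on page load.
function browserLoader(tracker) {
  const s = document.createElement("script");
  s.src = tracker.src;
  s.async = true;
  document.head.appendChild(s);
}
```

Two design points carry the compliance weight: nothing loads until `hasConsent` returns true for that tracker's purpose (so the default is deny, not a pre-ticked box), and a record made under an older `POLICY_VERSION` is treated as no consent, which forces a fresh choice whenever the notice changes.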
What if my website doesn’t comply with the GDPR?
There are high fines for non-compliance with the regulations. Companies can be fined up to 4% of their annual global turnover or up to €20 million, whichever is higher.