General Data Protection Regulation (GDPR)

Extra-territorial Reach of the General Data Protection Regulation (GDPR)

On May 25, 2018, the European Union implemented the General Data Protection Regulation (GDPR), which seeks to enhance the protection of personal data belonging to individuals in the EU and the European Economic Area (EEA). Generally, if your company (a) has an office or branch in the EU that transfers, transmits, or stores personal information belonging to users in the EU, (b) offers goods or services (for sale or for free) to persons in the EU, or (c) monitors the behavior of persons in the EU, the GDPR likely applies to you. "Personal information" generally refers to information that may be used to identify a particular person or user on your website and may include, among other things, an individual user's email address, location data, IP address, and payment and credit card information (which are typically required as part of any purchase transaction). As such, it is prudent for companies based in the United States to review their existing privacy policies to make sure they adequately address the requirements of the GDPR, especially if your company transacts business with, or collects information from, persons or customers in the EU. Among other things, existing privacy policies should be revised to make it clear to EU users that they have the right (a) to access their personal information, (b) to require correction of any mistakes, (c) to require that their information be erased, (d) to object to the processing of personal information for purposes of direct or other marketing, and more.