At the HoochLaw household, when confronted with an unknown acronym, we have a longstanding contest of seeing who among us can come up with the most unlikely potential meaning. And since any game worth playing with others is frequently worth playing alone, I find myself doing this from time to time even when the children are not present.
Such was the case several months ago when I first began hearing of something called “GDPR” (which I subsequently learned was the “General Data Protection Regulation” and had nothing to do with oxymoronic canines with agricultural tendencies). According to news reports, GDPR was a European invention which would either make your life safer and more secure or make your business more difficult, or possibly both. And GDPR was quickly approaching – with an enforcement date of May 25, 2018. It seemed that this was a big deal.
Or was it? I mean – if you’re a U.S.-based hooch company without a physical presence in Europe, is there any reason you should care?
The short answer is “yes.”
Even the smallest of said U.S.-based hooch companies routinely have websites. And those websites frequently allow consumers, with a few simple keystrokes, to sign up for newsletters, emails and other marketing communications. If those consumers are in the European Union when they stroke those keys, then GDPR may apply. It does not matter if you didn’t sell a bottle of your hooch to that whiskey connoisseur in Antwerp – if you’ve got data on him then you may be covered by the regulation.
The trick here – at least in part – is whether you’re targeting EU consumers in your business’ marketing. If you’ve got a website up and running that can simply be accessed by consumers in Belgium, that probably does not subject you to the requirements of GDPR. But if you’ve figured out that there’s a thriving U.S. craft whiskey scene in Ghent and you’ve got a button on your website that lets consumers see a version in Dutch – well now you’re probably going to need to comply.
So what does compliance with GDPR mean? A full discussion of the regulation is well beyond the scope of this post or this forum. But the short answer is that you’re going to need to take a look at your online presence with an eye to adjusting your consumer consent provisions. GDPR ushers in requirements to get consumer consent to data collection which is “freely given, specific, informed, and unambiguous.” That means telling consumers what you intend to do with their email addresses. It even means (to the chagrin of lawyers everywhere) that it may not be enough to simply link consumers to a lengthy, byzantine and essentially opaque document that hides the reality of what you’re going to do.
If your gent in Ghent actually buys one of your products online (perhaps challenging if hooch – but maybe he’s buying some merch), you’re definitely not going to be able to simply take his email address during the check-out process and then use it as you see fit. He’s got to consent at essentially every step of the way. And if he changes his mind, decides he’s really more of a baijiu guy and wants you to forget all his data, then you’re going to need to have a way to accommodate his obviously poor decision-making.
Seriously, this GDPR thing is unlikely to impact very many within the U.S. craft distilling community. But it will impact a few of the smaller producers – and all of the larger producers – and without being able to tell who is going to be impacted and who is not, my suggestion is that it is likely worth a bit of your time to take a quick look at your existing policies and tweak them to the extent you’re at least close to compliance. If you’ve got distribution in the EU – it is definitely worth that exercise.
Excellent article, says the spirited privacy attorney.