I’m experiencing a bit of deja-vu right now, as the world’s internet system adjusts to the new European Union General Data Protection Regulation (GDPR). So are you, possibly, if you recall what happened about four years ago with the Canadian Anti Spam Legislation (CASL) introduction.
In both cases, there was a flurry of often fearful response by website owners and marketers, even (notably) in places outside the original authority’s jurisdiction. Hence, US marketers have started sending notifications to their users to comply with CASL, and even more dramatically, have been panicking about GDPR and shutting access to their sites from European markets.
The difference between the two circumstances: GDPR is much more wide-ranging, and because of the legislation’s “worldwide reach” wording, businesses with even the slightest interest or revenue connection with Europe have concluded they need to comply with the law — even though its requirements are, to say the least, challenging to implement properly.
There are significant new disclosure requirements, and there are also requirements that users can retrieve and delete personal data from the website owner/system. There are more arcane and confusing rules about cookies and whether you need an agent/person in Europe to be your legal representative. Taken to the extreme, if you have any viewership or interest in Europe at all, you must comply with the new rules or face legal action and possibly very expensive consequences (and the first lawsuits have in fact been filed against the big name Internet players, such as Google and Facebook).
Do you really need to worry about this stuff if you have no business in Europe, or your operation/relationship there is small or incidental? Probably not. But the right of private action is a scary thing, because it incentivizes individuals, organizations and lawyers to play extortion-type games. (This was the biggest fear when CASL was introduced here; the original regulations seemed properly tuned against Internet evil doers, but the legislation included delayed private-action provisions, that scared marketers everywhere, because it is virtually impossible for most small businesses to at some point or another to be in technical violation of the law. Fortunately, the Canadian government realized that the original CASL rules were overkill and removed the most onerous parts of the legislation.)
I’m not a lawyer, and am sure that I don’t have it 100 per cent right, but equally, I think my response would pass the due diligence and responsibility ‘smell test’ for a business with at most an incidental relationship to the European Union. I think you can, and should, take similar measures yourself, gauging your response by the level of business/exposure you have in the European market.