European data privacy regulations
having ripple effect in US

By Kurt Christian 812-331-4350 | kchristian@heraldt.com May 28, 2018

New data privacy regulations enacted in the European Union may translate to less-cluttered inboxes, fewer targeted advertisements and a reduction in the number of seemingly random calls people receive in the United States.

The General Data Protection Regulation went into effect Friday to impose greater transparency in the way European organizations collect and handle users’ identifying information.

The effort to give individuals more ownership of the personal information collected by both private and nonprofit organizations extends to select companies in the United States.

The regulations apply to companies that monitor the behavior of, or offer goods or services to, any EU resident.

Bloomington-based Hanapin Marketing chose to send out emails to its subscribers a month ago to be transparent and make sure it was in compliance with the new regulations.

The marketing company collects data and hosts an annual conference in London.

If an applicable company had not come into compliance by Friday, it could face fines up to 20 million euros ($23.6 million) or 4 percent of the organization’s total annual global revenue — whichever is higher.

“It’s really about giving the power back to the person and allowing them to give consent freely and to be able to opt into that instead of being spammed,” said Amber Connor, senior email marketing coordinator for Hanapin.

“I think it’s fantastic. I hope eventually the U.S. will take on this practice as well. It’s about clean marketing, clean outreach, clean information.”

As a result of the sweeping regulations, people may have recently noticed a larger-than-usual number of emails from a variety of senders regarding updated privacy policies.

Connor said the emails Hanapin sent to its EU-based subscribers explained the regulation and asked permission to keep collecting and processing their data.

“It kind of shows how transparent we are and that we want these best practices in place,” Connor said. “You have the right to say yes or no. I would say it’s a good thing to go in and investigate these emails and make sure you’re OK with it. It doesn’t have to be that we’re mindlessly giving away our emails and all of our information.”

The types of information protected under the European regulation may include: name and surname, home address, an email address, location data, an Internet Protocol (IP) address and other personally identifying data.

Connor said Hanapin’s collection tends to focus on many of those same data points. The company also tracks a user’s country or state, their employer and sometimes their phone number.

Users may waive certain data protection when they agree to an organization’s privacy policy, but that organization has to describe: what type of personal data will be processed, why it’s being processed, how it will be processed and when that processing will take place.

Although only 55 to 65 percent of Hanapin’s users in the European Union expressly consented to allowing the collection of their data, Connor and Hanapin Account Manager Bryan Gaynor both believe those who opt in will be more engaged and will ultimately have a better experience.

“Definitely, small businesses are going to take a hit, but I think the biggest initial thing that is going to happen is that it’s going to get more of the bigger data companies in check,” Gaynor said.

Although the regulation applies only to residents of the EU, companies may decide to treat their clients’ data with a globally unified set of rules, since the creation of two systems to manage differing user data is expensive and impractical. Also, there is a risk of incorrect classification, thereby incurring stiff penalties, with more than one system.

That means U.S. companies may adhere to more strict guidelines that require express consent for the way an individual’s data is used. For example, they may give users the “right to be forgotten,” meaning a complete wipe of their information from an organization’s records, or the right to request all data an organization has collected on an individual. Or they may adopt the EU regulation’s requirement that data breaches be reported within 72 hours.

Connor said all users in the European Union who interact with any of Hanapin’s three sites have received an email notifying them of the privacy policy changes and giving them the ability to opt in. For users based in the United States, only those who visit the website for Hanapin’s London conference will be notified of the policy changes.

“The (General Data Protection Regulation) definitely will start to influence things over here if it’s successful,” Gaynor said.

Gaynor, who is originally from Ireland, said culture may play a role in what sort of data privacy rules take hold.

He said people in the EU may be more willing to fight for data privacy, while those in the U.S. have shown from their largely uninterrupted Facebook usage that protecting their data may not be as big a concern.

“People here are so used to it being ingrained in day-to-day society, so it may not be demanded as much,” Gaynor said.

This article originally appeared in The Herald-Times.