Racing To Comply: How The New GDPR Internet Privacy Rules Affect Trainers And Other Equine Professionals

Written by Peter J. Sacopulos Originally posted on: Trainer Magazine (October 24, 2018)


The Great Privacy Policy Alert

As the summer of 2018 began, every company doing business on the internet appeared to have developed a new user privacy policy overnight. Service providers, search engines, social media platforms, news sites, online retailers and others bombarded Americans with emails and pop-ups, urging users to review the new policies immediately and adjust their personal privacy settings accordingly. There is no official count of how many consumers dutifully clicked on links, doggedly read new rules, and deliberately updated their individual privacy preferences, or how many simply shrugged, ignored the alerts, and went on with their online lives.

Some who wondered what all the fuss was about may have thought the new privacy policies had something to do with recent headlines about corporate data breaches. Others may have associated them with the fallout of 2016’s US presidential election and UK Brexit referendum, after which reports emerged of foreign meddling online and of a political consulting firm stealthily collecting data from tens of millions of Facebook users without their permission. (Criminal investigations are ongoing.) But many internet users knew the truth: the renewed focus on privacy was far from sudden. It was the result of a European Union law known as the General Data Protection Regulation, which was adopted in 2016 and became enforceable on May 25, 2018.

The General Data Protection Regulation

Even though it is a European law, the General Data Protection Regulation (or GDPR) has implications for Americans who use the internet to conduct their business. Horse trainers and other equine professionals are no exception. This article will address the basics of GDPR, how it affects American businesses, and the primary steps your business should take to achieve and maintain GDPR compliance. Make no mistake, spending the time and effort to do so now will go a long way toward avoiding legal headaches and financial penalties in the future.

Privacy policies exist to protect personal data. Personal data is defined by the European Union as: “…any information that relates to an identified or identifiable individual….” It includes:  “…Different pieces of information, which collected together, can lead to the identification of a particular person….” In short, any form or combination of information that can tell others who you are is personal data. In the US, personal data is also referred to as personally identifiable information (PII) or sensitive personal information (SPI).

Personal data typically includes information that can allow others to locate, contact or monitor you. Examples include your first and last name, home address, email address and telephone number, as well as identification card numbers such as your social security number, driver’s license number or passport number. In the digital age, it can also take far more subtle forms, some of which you may not have even realized count, such as your Internet Protocol (IP) address, your mobile phone location data or a “cookie” ID on your computer. Personal data does not include information that has been truly anonymized, such as aggregate statistics that cannot be traced back to any individual. Note the distinction: data that has merely been pseudonymized (for example, a customer record keyed to an account number that your office can still link back to a name) is still personal data under the GDPR, because the person remains identifiable to someone holding the key.

The Big Question

The General Data Protection Regulation is based on the answer to this increasingly important question: Who owns an individual’s personal digital data?

In the United States, the answer to that question is still being debated and, some privacy advocates would go so far as to say, avoided. But the countries that make up the European Union (EU) and the European Economic Area (EEA) have determined that, where the personal data of individuals within their borders is concerned, every individual owns his or her personal data, wherever it may appear online and however it may be gathered and used by others. The GDPR enshrines this principle of personal data ownership in law. It grants specific data privacy rights to individuals and sets out rules that businesses must follow when dealing with a consumer’s data. It mandates harsh financial penalties for businesses that violate those rules, along with strict notification standards (in general, notice to the supervisory authority within 72 hours of becoming aware of the breach) whenever a business suffers a data breach.

The American Question

The first question most Americans will ask about the GDPR is obvious. Why would an American citizen doing business in the United States need to worry about complying with a European law?

Like nearly all businesses in the digital age, the vast majority of the Thoroughbred racing community routinely conducts business on the internet. And therein lies the answer to the American GDPR compliance riddle. The web truly is worldwide and that means your website, and any and all social media platforms you use (such as Facebook, Instagram, YouTube, Snapchat, Twitter and any Thoroughbred-biz-specific websites and platforms), are as easily accessed in Europe as they are in America. In the course of conducting business online, you can come into contact with a European citizen as easily as you do an American citizen.

The General Data Protection Regulation clearly states that a business based anywhere in the world is subject to GDPR rules when it deals with the personal data of individuals who are in the EU. An important point often missed is that the trigger is the individual’s location, not his or her citizenship. If personal data is collected while the individual is not physically in Europe, that collection is not governed by the GDPR. If, for example, a German visiting America takes an online marketing survey while in New York and offers up personal information in the process, only American regulations regarding the use of that data would apply.

The GDPR also takes intentionality into account. The mere fact that a website can be reached from Europe is not enough to bring it under the law; what matters is whether the business is offering goods or services to people in the EU, or monitoring their online behavior. If an Italian citizen who has an interest in Thoroughbred training happens across the English-language website of an American horse trainer whose services are only offered in the US, the GDPR does not come into play. But if an American trainer’s site appears to target people in Europe (for instance, by offering a European-language version, quoting prices in euros or mentioning European clients), gathers information on them, tracks their browsing with analytics or advertising cookies, or seeks to do business with them, GDPR rules do apply.