My Oversimplified*** Opinions relating to US Small Businesses re: the New EU Privacy Law

Getting Consent & Being Courteous are at the Heart of the Matter


The Gist:

  • EU citizens always own their information[1].
  • Assume GDPR applies to any information you collect on an EU citizen, because GDPR defines personal data very broadly.
  • Your business can get permission to use a person’s information and the person can revoke consent at any time.
  • Consent to use personal information must be specific and clear, in plain language.
  • Pointing to a privacy policy isn’t enough.


Consent:  Active and regular opt-ins.  Respect and destroy Opt-outs.

  • Directly given (ex/ “I desire Scheel Legal send me marketing emails.  I desire Scheel Legal share my email with MailChimp.”)
  • Business use will never surprise a person because consent was given clearly about every intended use.
  • Business use should be for a legitimate business purpose.
  • Must have consent to create a marketing profile on a person.
  • Must have consent for sharing with any third party, including your vendors, designers, contractors, employees, etc.


Privacy Policy:  One of many important documents.

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for using the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the owner of the data have?
  • How can a person raise a concern about their data?


Other things:  Do your best to protect personal data.  Document it.

  • 72-hour reporting of security breach
  • Keep records of where you store EU data and who you share EU data with
  • You are responsible for ensuring the parties you share EU data with are GDPR compliant (which might be your web hosts, ecommerce stores, cloud services, payment processors, and your people:  designers, employees, contractors).


***My opinions may change given the complexity of your business.  I cannot give legal advice without understanding certain aspects of your business which tend to influence my opinions.

[1] For years the EU has had personal privacy laws to protect EU residents.  The EU basically takes the opposite view from regular US practices.  The EU defines personal information very broadly.  Federally we have HIPAA.  Oregon and many other states have implemented consumer-protection security measures relating to preventing identity theft and protecting “sensitive” personal information.