The GDPR Is Coming, The GDPR Is Coming!
You have no doubt heard about the GDPR, and you may think that it has nothing to do with you. First of all, what is the GDPR? Unlike the DPRK, which is also in the news quite a bit lately, the GDPR is based in the European Union, not North Korea. It stands for the General Data Protection Regulation, and it goes into effect on May 25, 2018, with the intent of standardizing data protection rules across the 28 member countries of the European Union, from Austria to the United Kingdom (yes, despite Brexit, the United Kingdom remains an EU member until March 29, 2019). With additional countries currently seeking admission, there are only a few European countries (most notably Russia, Ukraine, Norway, and Switzerland) that are neither members nor in the process of joining. The GDPR is designed to protect the personal privacy rights of citizens who reside within the EU, through the implementation of data protection standards by companies based in the EU itself and global companies that either process or control the personal data concerning individuals who reside in the EU.
Although the owner of a small campground in Oklahoma may not think of his business as a global enterprise, the Internet has made this planet a very small world indeed. Campgrounds near international tourism destinations like New York City, Washington DC, or units of our National Park System certainly recognize their percentage of guests from outside of the United States, many of whom originate from within the European Union. In fact, I have written in the past about measures that park owners can take in order to pursue a larger segment of international tourism business. Unless you are going to take the extreme (and suicidal, from a business development standpoint) measure of banning guests from Europe, the new regulations apply to your business. It is better to embrace the standards now because these new standards are likely to be broadly embraced around the world in the coming years. Which one of us, as individual members of the world society, is not in favor of improving standards to protect our personal privacy?
Some people dismissively think that they can ignore the new GDPR rules, foolishly assuming that they cannot possibly be enforced or that their small business would certainly never be targeted. As Americans, we get inundated with a daily barrage of telemarketing phone calls and junk faxes despite the fact that they are prohibited by the U.S. Telephone Consumer Protection Act, and we have all been the victims of widespread security breaches where companies like Equifax get virtually slapped on the wrist. Well, change is in the air.
What Does It Mean For You?
The new rules require a higher standard of consent in the gathering of personal data, broaden the rights of individuals to demand that their personal data remain private, and establish enforcement powers that include some substantial fines for violations. If your website, like many if not most, is running Google Analytics, Google Tag Manager, or similar analytical software, you have probably received notices from Google, requiring that you update your agreement and provide your company’s legal name and contact information, a process that shifts the burden of ultimate legal responsibility from Google to your business. If you are familiar with Google Analytics and have evaluated your analytical data, you know how it can map your website’s traffic volume down to the local level, based upon the IP addresses of individual computers and mobile devices. The information falls just short of identifying a specific visitor to your site as Liam Andersson, at 211 Svarvargatan in Stockholm, Sweden; however, the IP address of a user’s computer constitutes personal information under the new regulations.
If you are advertising your business using online tools such as Google AdWords, Bing Ads or Facebook Advertising, you are probably fully aware of how that advertising can be targeted toward specific countries. Targeting any EU countries identifies your company as one that is specifically processing data from individuals who come under the protection of the GDPR. Although many American campground websites have dedicated French language versions (if they cater to a French Canadian clientele) or Spanish language websites (in order to reach out to the growing numbers of bilingual Americans), having dedicated website content (not simply the availability of a Google Translate tool) in French (even FR-CA, as opposed to FR-FR) or Spanish could also be interpreted as an effort to market to individuals in France and Spain. Clearly, this gets complicated.
There is no question that companies like Google and Facebook will be modifying the ways that they gather and process personal data, in order to safeguard their own interests; however, your individual business is also going to have to take certain measures in order to comply with the new GDPR rules. If your park belongs to a franchise that has its own assets to protect, such as Leisure Systems’ Yogi Bear Jellystone Parks, your compliance needs to be assured. None of this is particularly easy, but it is all unquestionably necessary.
What Do You Need to Do?
First of all, you need to recognize that, even if you are not specifically targeting or marketing to consumers in the European Union, people residing in the member countries are likely to be visiting your website. For that reason alone, it is necessary that some modifications be made to your site, particularly if it involves the sale of any type of merchandise or has any sort of form that compiles personal information. This would include reservation request forms or any third-party software that processes reservations on your behalf. Those forms must be modified so that users specifically consent (opt in) to the gathering of their personal information (in other words, no permission boxes that are checked by default), and they must have a clear option to withdraw their consent. These processes must be very clear, specific and unambiguous, and you must have a means to immediately halt any data processing upon request.
Your website should also have a privacy policy that is associated with any e-commerce or form that gathers personal information. That privacy policy must be updated to reflect the new GDPR requirements. If it does not already do so, your privacy policy should specify that your website is not directed toward children (although, unlike alcohol-related sites as an example, an age gate does not need to be in place), whether or not it is using cookies or tracking technologies that might be out of compliance, how your website is identifying user locations (Google Analytics or Google Tag Manager, for example), whether you are collecting email addresses for marketing purposes (again, clearly specifying opt-in and opt-out procedures), whether you are collecting phone numbers and for what purposes, and how and where your data is stored.
Your level of exposure to the new GDPR rules should also address a series of European-specific questions. These include whether or not your site accepts payments in currencies other than U.S. dollars (it should not), whether your site is advertised or specifically marketed in any way toward European consumers (if so, you may want to reconsider this practice for the time being), whether your site blocks or diminishes content to European users (for example, disabling reservations – a rather extreme measure), and whether or not your site gets any significant traffic from users in Europe.
Although it is your responsibility to update any agreements with companies like Google and Facebook, many of the necessary steps will require either assistance or implementation by your webmaster or third-party reservation service providers. Keep in mind that this will involve additional services that will almost certainly incur additional fees. Maintaining standards that respect personal privacy goes beyond your website and must influence your internal business practices, including the secure storage of customer data. We are living in a complicated world where, ultimately, we are all consumers with rights that need to be protected.
This post was written by Peter Pelland