The US has traditionally taken a relatively low-key, hands-off approach to data protection. That is changing as more states enact their own privacy laws, many of them modelled on the EU's General Data Protection Regulation (GDPR).
In our experience, however, many US businesses have yet to get up to speed with the changing state of legislation. Even more are unaware that, if they handle the personal data of people in the EU, they are bound by the GDPR as well as by US federal and state law. In this post, we share some of the most frequent GDPR and electronic-marketing pitfalls our US clients face, together with real-life examples.
GDPR may be an EU law, but its reach extends far beyond the EU's borders. Under Article 3, a US (or any other non-EU) company must comply if it processes the personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour, regardless of where the company itself is located.
A tech startup in California served a primarily US customer base, yet its services also captured the data of EU users. Unaware of GDPR's extraterritorial scope, the company had no process for handling a data subject access request, which GDPR requires to be answered within one month. When a user in France requested their data, the company could not respond properly and faced large fines.
A New York-based e-commerce company decided to expand its reach by targeting EU customers. Little thought was given to GDPR: the company took a US-appropriate approach to all of its data and assumed that would be sufficient for everyone. It wasn't. When a German data subject attempted to request access to their personal data, the problem was not only that GDPR-appropriate compliance measures were missing; the company had not appointed a GDPR representative. Article 27 requires most non-EU organisations within GDPR's scope to designate a representative established in the EU, and doing so is the first step for any non-EU company working towards compliance. Without this fundamental platform in place, legal repercussions were inevitable.
Email marketing can be a powerful tool but, without proper consent, it can lead to significant compliance issues. Some US companies still fall into the trap of sending unsolicited marketing communications to individuals in the EU.
Bringing on board data protection and GDPR services can help ensure your marketing activities don't fall foul of legislation you may simply be unaware of.
A marketing agency in Chicago was eager to boost its client base and purchased a list of email addresses for a mass email campaign. Consent that individuals gave to the list vendor does not carry over to a third party they were never told about, so the agency had no valid consent for its own messages and faced severe penalties for breaching electronic-marketing regulations.
Data breaches have regularly hit the headlines over the past few years, and 2023 has been no exception. The MOVEit file-transfer software, Yum! Brands (whose brands include KFC and Taco Bell), ChatGPT and Chick-fil-A have been among the many high-profile names affected.
In some instances, robust security measures were simply overcome by committed and resourceful attackers. In others, human error, IT failure or weak security controls allowed data to leak out, or attackers to get in.
Not every breach will involve personal data, and not every breach will lead to a fine: GDPR penalises a failure to implement appropriate technical and organisational security measures, not the mere fact of being attacked, so a company that has taken all the right preventative steps can still be targeted without being culpable. Bear in mind, though, that a personal data breach must normally be reported to the supervisory authority within 72 hours of becoming aware of it. Where personal data is compromised and the organisation is in some way at fault, the reputational and financial damage can be huge.
A financial institution in Texas experienced a data breach after storing sensitive customer information without encryption. The breach exposed the data of thousands of individuals, resulting in substantial regulatory fines and a loss of customer trust.
As we approach 2024, the data protection landscape continues to evolve. Privacy-by-design principles (which GDPR already mandates as data protection by design and by default), strong encryption and regular security assessments will become even more critical.
For organisations eager to stay on the right side of the law (and the right side of their customers), staying informed about emerging regulations and seeking GDPR consultancy to support compliance efforts has never been more crucial.
Explore how our GDPR services can support you now, get data protection advice or, for questions about your next steps, call us on +1 303 317 5998.