On May 25th 2018, the EU's General Data Protection Regulation (GDPR) brought about the greatest change to European data security in 20 years. If you've been watching the headlines, you're probably aware of the "right to be forgotten," 72-hour breach reporting, stronger consumer consent and high fines (up to 24 million US dollars, really!).
Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects (the GDPR's term for consumers) are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens who are outside the EU when the data is collected, the GDPR does not apply.
There are several ways to handle this. The most compliant solution is to bring your site up to compliance; this is not very hard to do and can usually be done for less than $200.00. The other solution is to restrict your website by refusing visitors from European Union countries. This is probably the cheaper way to go, but do you really want to do that? A third possibility, the one we use on this website, is to show the compliance notices and consent forms only to visitors from European Union countries.