No… it’s not all about the privacy policy. You do of course need a privacy policy, but the privacy policy is not the issue. Even the best written privacy policy is not going to cure GDPR violations.
It’s all about protecting people’s personal information! Just about anything you collect from an individual (even if you don’t know their name) is considered by the GDPR (and the Israeli regulator) to be personal information e.g. an e-mail address, an IP address and any other information that could lead you to a specific person, with or without the addition of other information which may even be freely available on the Internet.
The purpose of the privacy policy is to describe transparently how you collect personal information from individuals and what you do with it.
No… it’s not all about consent! There are a variety of legal bases for collecting personal information, and consent is only one of them. Using consent as a basis to collect personal information is particularly tricky, and if it can be avoided, I would encourage avoiding it.
In order for consent to be valid, (1) it has to be freely given, (2) it has to be given using an active step (and not a previously checked checkbox), and (3) you need separate consent for each use of the personal information; it can also be withdrawn at any time.
Fortunately for lead generation, as long as your privacy policy is written properly – you can use the legal basis of “fulfilling a contract” for much of your activity. A lead-generator needs to pass the personal information it collects onto third parties in order to fulfill its contract with the user; but this fact has to be very clear and transparent!
If you are not located in Europe and you are not marketing to Europe, it is likely that the GDPR does not apply to you directly. However, if you have any international customers, anywhere in the world, it is likely that they have European customers and that they will insist you be GDPR compliant or they will not use your services.
So yes, even if you are not in the EU, it is highly likely that you will not be able to ignore the GDPR.
You are correct, it is unlikely that any European regulator would proactively seek you out, but remember that under Israeli law you also have certain privacy undertakings and the Israeli regulator has become more active in the last year or two; and don’t forget the risks you face of a class action suit or a data breach. These things could cost you a lot more than any fine from any regulator.
Oh yes you are! You are responsible for your entire supply chain all the way down, and this is why you should be sure to use GDPR compliant sub-contractors, and this is why if you purchase leads – you must be sure that the company that is selling you the leads is GDPR compliant, otherwise you will be equally responsible for any privacy fouls.
As of this stage, there is no such thing as GDPR certification. The EU has yet to grant anyone the accreditation to give GDPR certification.
I’m afraid not. It will certainly help, but California (the fifth biggest economy in the world) has its own regulation (the “CCPA”), which entered into force on January 1st this year. In some cases the CCPA is even more stringent than the GDPR; in others it could be considered more lenient. If you have any clients located in California, it is important to check this out as the exposure here is serious.
So to summarize, some tips:
Disclaimer: the foregoing is only general information and not legal advice. Please engage legal counsel should you require.
Beverley Zabow, Adv., CIPP/E is an experienced Israeli commercial attorney, certified by the International Association for Privacy Professionals (IAPP) for compliance in Europe. She has extensive knowledge and experience supporting hi-tech companies at all stages and in a large variety of fields. Beverley can be reached at beverley@ht-ip-law.com, or visit www.ht-ip-law.com.