Businesses, large and small, are in the midst of preparing for compliance with the European Union’s new data privacy laws: The General Data Protection Regulation, or the GDPR, which will go into effect on May 25, 2018.
The GDPR is very broad in scope and can apply to businesses both in and outside of the EU. Businesses that don’t comply with the GDPR could face heavy fines.
Here’s what you need to know about the GDPR. (Note: You should consult your own legal counsel to determine if you are subject to the requirements of the GDPR.)
What is GDPR?
GDPR is short for the General Data Protection Regulation that goes into effect on May 25, 2018. It was passed by the European lawmakers to create a harmonized data privacy law across all the EU member states. Its purpose is to:
- Support privacy as a fundamental human right;
- Require companies that handle personal data to be accountable for managing that data appropriately; and give individuals rights over how their personal data is processed or otherwise used.
What is Personal Data?
In a nutshell, GDPR defines personal data as “any information relating to an identified or identifiable natural person.”
Okay, so what does that mean?
In addition to the kinds of information you might think about – name, address, email address, financial information, contact information, identification numbers, etc., personal data can in some cases be information related to your digital life, like an IP address, geolocation, browsing history, cookies, or other digital identifiers.
It also could mean information about a person, including their physical, mental, social, economic or cultural identities
In short, if information can be traced back to or related in some way to an identifiable person, it is highly likely to be personal data. You can find out more about the GDPR here.
What rights does the GDPR provide to individuals?
There are several rights an individual may exercise under the GDPR, including:
- Right of access: Individuals can ask for a copy of the personal data retained about them and an explanation of how it is being used
- Right to rectification: Individuals have the right to correct, revise or remove any of the personal data retained about them at any time
- Right to be forgotten: Individuals can ask to delete their personal data
- Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, the individual may request limited use of their personal data
- Right of portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format
- Right to object: Where an individual decides that they no longer wish to allow their personal data to be included in analytics or to receive direct marketing emails or other personalized (targeted) marketing content at any time, the individual may opt out of use of their data for these purposes
Please note that these rights are not absolute, and limitations/exceptions may apply in some cases.
How does the GDPR affect your business?
Individuals, companies, or businesses that have a presence in the EU or, if no presence, offer goods or services to, or monitor the behavior of, individuals in the EU need to comply with this law. Please consult with your own legal counsel about whether GDPR applies to you and your business.
What do you need to do differently to comply with GDPR?
If the GDPR applies to you, there are various obligations you will need to comply with in order to continue doing business with your customers from the EU. Luckily, not all of these obligations are new, so you should be complying with some of them already
The most important differences in this context are as follows:
- More information about your use of personal data must be communicated to your customers. You should make sure that your privacy notices/policies are updated to reflect the new requirements of the GDPR, including setting out the purposes of your processing personal data, how long you are retaining such data, and what legal basis for use of personal data are you relying on.
- You should determine the legal basis for your use of personal data: If you are relying on consent to use your customers’ data you should ensure that the consent you have meets the new requirements of the GDPR (more details on this below). Please note that sending marketing emails or showing promotional content in any form to your customers may require, in certain circumstances, prior opt-in consent from them. As a reminder, you have already agreed through acceptance of our terms of service to lawfully obtain and process all personal data appropriately and have attested that you have permission to expose your customers to promotional content.
- You will also need to comply with the rights provided to individuals by the GDPR. See section above “What rights does the GDPR provide to individuals?” for details.
To the extent that you have these obligations, we have tools in place to help support your compliance efforts – we’ll get into some detail about this below. These include methods for you to obtain consent on your website for all visitors and to show promotional content to your existing customers, as well as ways for you to confirm and document consent for new ones, too.
You should consult with your legal counsel on the above and your other obligations under GDPR.
What kind of Consent is required under the GDPR?
When in doubt, and you are relying on consent to market to your customers, express consent is typically your best option. You obtain and document express consent when you explicitly ask your potential customers for permission to send them emails and other marketing content, and they agree, and that agreement is recorded. Bluehost India has ways for you to indicate whether you have obtained express or implied consent from a customer, outlined in more detail below.
There may be circumstances where you can rely on something similar to implied consent for sending emails or promotional content to customers even when subject to the GDPR. This is called a “soft opt-in” where –
- you have obtained their contact details in the context of a sale of a product or service,
- you are sending emails and showing personalized ads relating to similar products or services
- the customer has the ability to opt-out of receiving such emails when they first provided their data when making a purchase and in every subsequent communication sent from you.
You should consult with your legal counsel to determine whether you can rely on the soft opt-in going forward under the GDPR. If you have customers with soft opt-in consent, you can store them as implied consent, but you will need to maintain your own documentation about how you obtained that soft opt-in consent.
Your customers should also be given an easy way to withdraw their consent in order to comply with the GDPR.
How is Bluehost India complying with GDPR?
There are no alternatives available; all businesses are required to deal with this change before the said deadline. We have and will always strive to value your privacy and take seriously our obligations to keep the information provided by you confidential and secure. Mentioned below is a list of changes we’ve made as first steps:
- We will give you detailed information about what personal data we collect from you, how we collect it, what we do with it, and who we share your data with, including advertisers and other third parties (such as vendors we work with to support the services we provide to you)
- You will now have more control over what data you share with us, the way in which your data is shared, and the extent to which you wish your data to be used. This involves scenarios where we identify your interests and deliver you personalized advertisements, or take efforts to better tailor your experience on our website (Eg.: collecting and acting upon actionable data obtained with the help of cookies, Google Analytics, etc.)
- We will include information about how you can ask us to stop or limit using the data we have about you
- We will make sure we communicate these changes to you as and when they take place, so you are aware of what is happening and why
What are the next steps for Bluehost India:
The European data protection authorities have expressed concern over the unlimited publication of personal data of domain name registrants in the WHOIS. To ensure our WHOIS output is compliant with the GDPR, we will implement the following changes starting May 25th, 2018:
- For Existing Domain Names:
- For all existing domain names, if either of the Registrant, Admin, Tech and/or Billing contacts is identified as being from the EU, we will mask the WHOIS output for that domain name with placeholder details in place of the users’ personal information (this service will be referred to as “GDPR WHOIS Protection”).
Our engineering team is currently working on building these changes into the system. While we do that, to enable our API partners to plan ahead, we will aim to share the final API specification with sample request and response patterns as soon as they are ready. Also, we will confirm when the new API methods will be available on the demo environment.
Notwithstanding the foregoing, access to personal data of domain name registrants may be granted when such access is necessary for technical reasons such as for the facilitation of transfers, or for law enforcement when it is legally entitled to such access.
3. Cookie Consent
When you visit the Bluehost India website, the web server passes on a cookie i.e., a string of text, to the web browser. These cookies enable our website to work, or work more efficiently, as well as provide information and additional services. Cookies are used for purposes of marketing, analytics or are essential for site functionality and making experiences better. To ensure that we capture and record the appropriate consents for cookies deployed on our website, we will be using TrustArc, a globally trusted third-party compliance management tool. This way, you will be able to select and manage your cookie preferences. Generally, cookies may fall into any of the following categories*:
- Strictly necessary/required cookies: These cookies are required to enable core site functionalities. If you choose to block these cookies, you may not be able to register, login to the website, access certain parts of the website or make full use of the website.
- Functional cookies: In addition to core functionalities, these cookies collect and store login details, and can be opted out of
- Analytics cookies: These cookies analyze site usage by monitoring how users navigate through the website, and can be opted out of
- Advertising cookies: These cookies make users’ information available for targeted advertising, and can be opted out of
*The cookie definitions stated above are in accordance with how TrustArc (our cookie consent tool) identifies and segregates cookies.
What if you have more questions about GDPR?
If you have specific questions about GDPR, you can reach out to us at [email protected]
You may be aware that there is likely to be further change in the near future about the way in which you can send marketing communication to your customers in the EU. The rules contained in the EU Directive on Privacy and Electronic Communications is under review and we are expecting a new ePrivacy Regulation to be finalized soon.
Once these new rules are finalized, we will be reviewing our forms and features again to provide our partners with the necessary tools to achieve compliance.
NOTE: The information included on this page is meant to guide you through the process of understanding GDPR and is not a substitute for legal advice. Find more information on the GDPR website.