If you sell online via your website, make sure that you adapt your practices for collecting your customers’ personal information

February 15th, 2018

As a result of the Comprehensive Economic and Trade Agreement signed by Canada and the European Union (CETA), accepting purchases by Europeans on your transactional website has probably become more attractive. Be careful! Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) is waiting for you around the corner! The Regulation will apply to your online sales in the European Union starting on May 25, 2018.

This means that you have only a few months to comply. A company based in Quebec that sells its products and services to Europeans residing within the EU territory that does not comply with the GDPR is liable to a fine of up to 4% of its annual worldwide turnover or 20 million Euros, whichever is higher. Unless the necessary measures are put in place, the only alternative might be not to sell online to residents of the European Union, so as not to collect their personal information.

Note that depending on how you collect personal information, how you obtain your customers’ or users’ consent, and what type of information you collect, you might have to put different mechanisms in place or add to the existing ones. If you are already in compliance with Quebec and Canadian legislation, the following measures are what you should probably implement in order to comply with the GDPR.

  • Separate, optimized privacy policy.

A privacy policy that applies to personal information and is separate from your terms of use or any other contract clauses that you require your users or customers to agree to. In some cases, the policy will have to inform the person whose personal information you collect of the risks that the transfer of that information to Quebec may involve for them. In addition, some information will have to be added to your policy, such as how long the personal information will be retained or, where that is not possible, the criteria used to determine the retention period;

  • Protection by design and by default.

Technical and organizational measures, such as “pseudonymization”, that are intended to minimize the collection of personal information and the number of people who have access to it;

  • Withdraw my consent and delete me.

Adding a button for “I want to withdraw my consent”, or some other method that allows your customers to withdraw their consent as easily as they gave it, together with a technological method for permanently and speedily deleting certain personal information. You will also have to require that all of the processors to whom you have transmitted the information do the same;

  • Parental consent.

For social media, having a mechanism that prevents children under the age of 16 from disclosing their personal information to you without obtaining parental consent;

  • Virtually prohibited questions.

Removing any question or field, or function, that asks a user or customer to disclose their racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or to provide genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, unless you fall within certain exceptions provided by the GDPR;

  • Representative in the EU.

For the purposes of the GDPR, appointing a representative of your company within the European Union, unless you collect personal data from European Union residents only occasionally and processing of that data is unlikely to result in a risk to the rights and freedoms of natural persons;

  • Processors.

A written contract with your processors that must contain a number of clauses set out in the GDPR, if you do business with processors for processing personal information;

  • Data portability.

A mechanism for providing your customers or users with the personal information that is collected from them automatically when a contract is entered into or consent is obtained, in a structured, commonly used and machine-readable format. Where technically possible, you should be able to transmit their data directly to a third party, even if that third party is your competitor;

  • Record.

A record of your processing activities, which must comply with various criteria set out in the GDPR, except in certain cases.

Meeting all of the requirements in the GDPR is a complex job. It will be to your advantage to obtain a certification showing your compliance with the GDPR, in order to reap the full benefits of CETA. Companies that comply with the GDPR will also be better prepared to deal with any new American and Canadian legislation relating to personal information that may emerge in the near future.

Nicolas St-Sauveur is a member of BCF’s Internet Strategic team, which offers our clients legal services and advice regarding their online presence. This ever-changing field requires the expertise of a multidisciplinary team like BCF’s. The author would like to acknowledge the contribution made by Vincent Ébacher-Anderson and Didier Culat to this article.