_Sep/privacy-cover4.jpg "privacy-cover4.jpg")
New data privacy laws mean change in business practices
By David Gould
Responding to a digital world ever hungrier for personal information, Europeans have placed new emphasis on data privacy and backed it with the rule of law.
Years in the making, the European Union’s recent General Data Protection Regulation is a growing hot topic in the U.S., as states like California eye their own versions. The GDPR is a comprehensive package of laws designed to counteract the capture, storage and leveraging of personal information by search engines, businesses and organizations of all types. As of late May, American companies are on the hook to abide by it — golf courses being no exception.
So, if a consumer from any of the 28 EU member countries purchased a tee time from you online or otherwise found their way into your marketing database, you’re required to treat their personal data and “behavioral information” according to stringent GDPR protocol. And this is truly about information — no financial transaction need take place for the full sweep of the law to apply. Even a seemingly innocent marketing survey would have to be fully anonymous in order not to invoke the new rules.
What does compliance look like? To a great degree it’s about explaining and requesting. Companies that deal with citizens of EU nations must get used to asking — clearly and repeatedly — whether they can initiate communication, collect personal data and deploy it for business purposes. The golf course websites and management groups will have to tell EU-based customers what data they’re collecting, why they want it, how it will be used and how long it will be retained.
Along with being entitled to receive these explanations, the consumer across the pond is free to withdraw any and all consents they’ve provided. Furthermore, they must be reminded of this prerogative on a continual basis.
Two concepts that receive lots of attention in Europe are “privacy by design” and “privacy by default” — together they suggest a turning of the tide. Data that’s personal will move from individual control onto a server or the cloud not automatically, but when the person expressly OKs it. That’s the “default” aspect. “Design” refers to software code and other hard wiring. Through the years computer programs have had ever-more robust data-extraction tools built into them — that trend will be undergoing reversal.
If you’ve got associates in Europe, they can describe for you the opt-in checkboxes and confirmation requests popping up everywhere. It’s likewise for U.S. golf business with extensive trans-Atlantic activity. Michael Binchy, founder of Connecticut-based Owenoak International Travel Services, “received a barrage of queries” in early summer from European travel contacts about opting out of further communication. “Their emails to us were suddenly ending with prompts saying ‘Click this button if you no longer wish to hear from us,’” says Binchy.
Under GDPR you can’t put the opt-out onus on the consumer, or set up pre-checked boxes the individual must un-check. In reply to that universal question of “when did I sign up for this?” GDPR requires that the date and time of someone’s consent be kept on file, along with the actual request form or documentation.
If that all sounds onerous, take heart that “territorial scope” is in your favor. A business cannot run afoul of GDPR if it does all its data collecting in the U.S. A citizen of a EU country who wanders beyond European borders and starts disclosing personal information electronically will not enjoy GDPR protection for what he or she provides.
As for penalties, golf courses that somehow run afoul of GDPR would be liable for a fine up to 4 percent of annual net sales. But is enforcement truly viable? Companies without a physical presence in the EU are seemingly beyond the long arm of the GDPR law, but reportedly EU courts have discretion to define certain data-collection activities of U.S. businesses as purposely intended to skirt GDPR compliance. Experts on the legal interface between EU and U.S. courts say cooperation around data protection is a shared high priority.
What may be worth contemplating is GDPR’s possible seepage into American business practice. Protecting privacy is a concern over here, as well, and Europe’s new statute is already putting pressure on giant American firms like Facebook. The social media juggernaut, preparing to honor GDPR regulations in its treatment of EU customers, had indicated plans to do so for users everywhere, including North America. On the heels of subsequent statements that indicated second thoughts about the decision, Facebook came in for harsh criticism from opinion leaders in the tech world.
If data privacy matters to American voters and consumers, GDPR is the obvious gold standard for regulating it. Already, California has drawn its line in the sand, passing the California Consumer Privacy Act of 2018 in June.
By steps and perhaps by stealth, individual privacy could become increasingly protected in the U.S., with or without federal legislation.
David Gould is a Massachusetts-based freelance writer and frequent contributor to Golf Business.