Tech & Sourcing @ Morgan Lewis


The General Data Protection Regulation (GDPR), EU legislation that will take effect in May 2018, will drastically change how companies can collect and use personal data about web users in Europe. Among other things, the GDPR will require that users browsing the internet give unambiguous consent to the collection of their personal data every time they visit websites.

Under the GDPR, the following rules will apply for the collection of a user’s personal data through websites:

  • The user’s consent must be given freely and must be specific, informed, and unambiguous.
  • The user’s consent cannot be bundled with other written agreements.
  • The user’s consent must be actively given, and cannot be gained through inactivity or prechecked boxes.
  • The user may withdraw his or her consent at any time and ask to have his or her data erased.
  • In most cases, the user cannot be asked to consent to sharing his or her data in order to gain access to a service.

These new rules could have a drastic effect on advertising firms, including ad-tech firms that use data to target ads across the internet and data warehouse firms that buy data for multiple purposes. After the GDPR becomes effective, such firms will be able to use personal data only if the companies collecting it have first obtained consent from internet users. If a company violates these new rules, the penalties are high: up to 4% of the company’s global revenue or 20 million euros, whichever is greater.

This new regulatory framework contrasts with recent moves by the US Congress, which invalidated the Federal Communications Commission’s privacy and data security rules.

We will continue to provide updates on the GDPR.