How Will The General Data Protection Regulation Affect Your Sweepstakes Across the Pond
As was made pretty clear last week from the 1,400 hours of Congressional testimony by Mark Zuckerberg, the USA may want to follow the lead of the EU and adopt laws similar to the General Data Protection Regulation (GDPR). For now, if you are running a sweepstakes or contest open to EU residents, here are some things you need to know about the GDPR.
What is the GDPR? The GDPR is a comprehensive regulation concerning the collection and use of online personal data.
When does it come into effect? The GDPR becomes effective May 25, 2018.
Who is protected? The GDPR protects data collection from residents of the European Union. In a sweepstakes or contest, this is the entrant.
Who is covered? Any person or entity that holds or uses personal data. For a sweepstakes or contest, this could be the Sponsor or an entity collecting entry or other information from the entrants.
What is covered? Personal data, which includes anything that can be used directly or indirectly to identify a person, such as a name, photo, email or street address, posts on websites, and computer IP addresses.
What to do for Sweepstakes and Contests?
When collecting any personal data online:
1. The Sponsor can only collect what is necessary to administer the contest, such as name, address, phone or email, without obtaining specific consent.
2. The Sponsor must provide the entrant with the specific option to opt-in to any use of the entrant's personal data, besides using it for administration of the contest. (The Sponsor cannot use a negative option or require a person to opt-out.)
3. The Sponsor must give the entrant the ability to opt-in to each specific use/purpose for which the data is proposed to be used, which must be stated separately, in easy to understand language.
4. The Sponsor must inform the entrant that he/she can withdraw consent at any time and provide an easy method to do so.
5. Without obtaining specific consent for use of a person's personal data, the Sponsor can only use the personal data for the limited purpose for which it was given and must delete the personal data after its purpose is completed.
While the GDPR does not offer specific guidance for necessary disclosures in the Official Rules, the following paragraph may be sufficient for GDPR purposes:
One final note, the GDPR contains specific restrictions for obtaining consent and using data from persons under 16 years of age, including obtaining parental consent.
Now, wasn't that simple?