How Will The General Data Protection Regulation Affect Your Sweepstakes Across the Pond?
As was made pretty clear last week from the 1,400 hours of Congressional testimony by Mark Zuckerberg, the USA may want to follow the lead of the EU and adopt laws similar to the General Data Protection Regulation (GDPR). For now, if you are running a sweepstakes or contest open to EU residents, here are some things you need to know about the GDPR.
What is the GDPR? The GDPR is a comprehensive regulation concerning the collection and use of online personal data.
When does it come into effect? The GDPR becomes effective May 25, 2018.
Who is protected? The GDPR protects data collected from residents of the European Union. In a sweepstakes or contest, this is the entrant.
Who is covered? Any person or entity that holds or uses personal data. For a sweepstakes or contest, this could be the Sponsor or an entity collecting entry or other information from the entrants.
What is covered? Personal data, which includes anything that can be used directly or indirectly to identify a person, such as a name, photo, email or street address, posts on websites, and computer IP addresses.
What to do for Sweepstakes and Contests?
The GDPR does not contain any specific terms covering sweepstakes and contests. However, a Sponsor should be aware of three particular areas: having a GDPR-compliant privacy policy/website, obtaining proper consent, and proper data handling.
Privacy Policy Compliance
The Sponsor must have a GDPR-compliant privacy policy, clearly available to the entrant. The stated purposes of a privacy policy under the GDPR are transparency, consent and accountability. The topics to be covered in your privacy policy include: What personal information you collect; How and why you collect it; How you use it; How you secure it; Any third parties with access to it; If you use cookies; How users can control any aspects of this.
The following information must be in your privacy policy: Contact information for your Data Controller; Whether you use data to make automated decisions; Whether providing data is mandatory; Whether you transfer data internally; Legal basis for processing data; Informing users of their 8 rights (The rights to be informed, to access, to rectification, to erasure, to restrict processing, to object, and regarding automated decision making and profiling).
Consent
When collecting any personal data online:
1. The Sponsor can only collect what is necessary to administer the contest, such as name, address, phone or email, without obtaining specific consent.
2. The Sponsor must provide the entrant with the specific option to opt-in to any use of the entrant's personal data, besides using it for administration of the contest. (The Sponsor cannot use a negative option or require a person to opt-out.)
3. The Sponsor must give the entrant the ability to opt-in to each specific use/purpose for which the data is proposed to be used, which must be stated separately, in easy-to-understand language.
4. The Sponsor must inform the entrant that he/she can withdraw consent at any time and provide an easy method to do so.
5. Without obtaining specific consent for use of a person's personal data, the Sponsor can only use the personal data for the limited purpose for which it was given and must delete the personal data after its purpose is completed.
Official Rules
While the GDPR does not offer specific guidance for necessary disclosures in the Official Rules, the following paragraph may be sufficient for GDPR purposes:
Privacy Notice for EU residents: The General Data Protection Regulation (GDPR) provides a number of protections for use of your personal data. Any personal data collected from you shall be subject to the Sponsor's privacy policy located at www.XXXXXXXX and the GDPR. The Sponsor will only use your personal data for the purposes of administrating this contest, unless you provide consent signifying your agreement to any other processing or use of your personal data. You can withdraw your consent at any time by [insert method].
One final note: the GDPR contains specific restrictions for obtaining consent and using data from persons under 16 years of age, including obtaining parental consent.
Now, wasn't that simple?