Hacker News | mjewtoo's comments

The page itself might be compliant (not recording IPs/session cookies/etc.) but the law still applies to any data collected on EU citizens that might be visiting abroad.

That's why a GeoIP block is not a real fix.


They're a US entity operating under US law. If you are in the US, US law is what applies, not EU law.

They also don't have European operations, so it's not like the EU has any means to compel them to act even if it wanted to.

You'd certainly be laughed out of a US courtroom (rightfully) if you are trying to force a domestic business to comply with arbitrary foreign regulations in a country they have no involvement with.


It's worth noting that the important part here is the "have no involvement with" part, which the geographical blocking helps establish.

A US entity operating under US law with no physical presence in a foreign jurisdiction but actively courting business with citizens in that foreign jurisdiction has to be a lot more careful. For example, if one of their foreign customers sues them in a foreign court, wins, and gets a damages award there is a decent chance in many states that the US court would recognize and enforce that judgement.


AFAIK this is not true:

> When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR.

https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-...


For controllers or processors not established in the Union, GDPR only applies to the processing of personal data of data subjects who are in the Union. See Article 3 [1].

[1] https://gdpr-info.eu/art-3-gdpr/


Unfortunately, the data collected on EU citizens abroad does not seem to actually be the case; it was a common misunderstanding of the law that I fell prey to as well.


> Valter Longo is a tenured professor that's been nominated for a Nobel Prize based on his work in nutrition and fasting. I'd hardly call him an alchemist.

Sorry but nominations for Nobel prizes are kept secret for 50 years. I highly doubt he was nominated the same year he was born.

[0] https://www.nobelprize.org/nomination/medicine/


Why do you believe the data collection is not GDPR compliant?

I think that the site is very clear on how my data will be handled and what my email will be used for (sending me 3 emails).

To quote from your pasted link: 'The new regulation requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant.'

I submit the data freely to receive the information stated on the page.


It's not "freely given" if it's in exchange for a service.


For consent this is true, but there are other legal ways for you to collect the data. One is legitimate interest; this one is more abstract but requires a bit more work from you.

I think a lot of the future court cases will be around trying what one can use legitimate interest for.

https://ico.org.uk/for-organisations/guide-to-the-general-da...


Legitimate interest is meant for when it's in the user's best interest... but I've no doubt that, given sufficient lawyers, Facebook et al. could argue almost any data-hoovering is in their users' best interest.


First off, IANAL. I'm a European citizen within IT that has to deal with GDPR in my professional role. I believe there is a lot of hysteria and FUD around GDPR. Anyway, this is how I would handle your problems.

1. In the same article[1] that you reference, the following paragraph might apply to your business:

> 27.2 The obligation laid down in paragraph 1 of this Article shall not apply to:
> processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)

I would ignore it for now. If any supervising authorities would contact you regarding compliance issues, talk to an expert.

2. This is if you use Consent as the legal basis for collecting the data. I have seen a few businesses use 6.1.f [2] (legitimate interests) as their legal basis, which has other issues, like the weighing test of interests not having been tested in court yet. The Article 29 Data Protection Working Party has released opinions on how 'legitimate interests' should be used [3]. However, there are other laws about marketing that could apply on a country-per-country basis. If you select the consent route, a double opt-in with the possibility to opt out at any time should be sufficient, as long as you document the text for the opt-ins and record it together with the date & time of the opt-in. Oh, and you don't make the consent conditional on getting your goods/services. I can recommend the Article 29 WP guidelines on consent[4] for extended reading. It sounds like your current process is enough or requires very little tweaking; I would keep it as is.

3. I have not run a consent campaign. I have run information campaigns about our users rights with links to required documentation and they have been appreciated. I would not run a consent campaign as I believe your consent should be good enough based on the process mentioned above.

Hope this helps!

[1] https://gdpr-info.eu/art-27-gdpr/
[2] https://gdpr-info.eu/art-6-gdpr/
[3] http://ec.europa.eu/justice/article-29/documentation/opinion...
[4] https://iapp.org/media/pdf/resource_center/20180416_Article2...


Thanks mjewtoo, I appreciate the feedback.

Re #1: To be exempt you must fit all 3 criteria:

1. processing is occasional
2. does not include, on a large scale, processing of special categories of data (e.g. religious, political, criminal backgrounds, sexual orientation, etc.) AND
3. unlikely to result in a risk to the rights and freedoms of natural persons

I collect a number of emails on my website and apps every day, so I don't think my processing is "occasional". If I collected emails once a year or even once a month, sure, I could argue that processing is occasional. But collecting 10-20 email signups per day doesn't seem occasional to me.

2. Thanks for this opinion on this. I think I agree with your assessment.

3. Again, I think I agree with you - thanks for your opinion.

Very helpful, thanks!

