By Cliff Ennico 

“My partners and I launched a software-as-a-service (SaaS) application earlier this year.

“We’ve gotten a good response to our product. Virtually all of our customers so far are in the United States and Canada, but we’ve started getting inquiries from potential customers in Europe.

“We’re aware (thanks to your column) that Europe has a very detailed regulation on privacy that’s very costly and difficult to comply with. While we don’t want to turn down European business, we are nervous about the cost of complying with this regulation.

“Can you address this in a future column?”

The regulation this reader is talking about is the General Data Protection Regulation, or GDPR, which was adopted by the European Union in May 2018 (you can find the official text at, but a more user-friendly version can be found at

The GDPR contains 90 — count ’em, 90 — requirements for companies throughout the world that do business with European consumers. Among many other rules, companies must do the following:

• Obtain “clear and affirmative consent” for process and use of personal data (Articles 13, 14, 15).

• Not hold data for any longer than personally necessary, not change the use of the data from the purpose for which it was originally collected and delete any data at the request of the consumer (Articles 17, 18) — the infamous “right to be forgotten.”

• Appoint a data protection officer if they are monitoring and processing customers’ data on a large scale (Article 35).

Companies that don’t comply face fines of up to 4 percent of global annual revenue or 20 million euros, whichever is greater (Article 79), and European regulators have already brought suits for GDPR violation against large U.S. tech companies with a substantial European presence.

But what about small businesses that don’t do business regularly in Europe but have occasional contact with people who live or work there?

First of all, the GDPR does apply to U.S. companies if they either offer goods or services to Europeans or use web tools that allow the company to monitor and track cookies or the IP addresses of Europeans who visit the company website. Contrary to popular rumor, merely accepting and responding to an email or text message from someone in Europe will not expose your company to GDPR liability if you are not doing anything else with that contact information.

The European privacy regulators responsible for administering the GDPR use a number of criteria to determine if a U.S.-based company is offering goods and services for sale in Europe. Some of the questions they focus on are:

• Does your business have business operations (brick and mortar) in Europe?

• Does your business share data on European customers with any affiliates or other companies?

• Does your business store data on servers located in Europe?

• Does your business have significant sales to European customers in each of the past three years (i.e., do European customers account for more than 5 percent of your firm’s total revenue)?

• Does your business sell goods or services from websites using European domain name extensions (such as “,” “.fr” or “.it”)?

• Does your business translate its website text into foreign languages?

• Does your business advertise in European publications, websites or social media?

• Does your business offer prices for goods and services in euros or pounds sterling? (The U.K. is no longer technically in the European Union after Oct. 1 but has indicated it would impose similar requirements to protect U.K. citizens.)

Sadly, the GDPR does not exempt small businesses from its requirements, but companies with fewer than 250 employees are exempt from some of its more- onerous record-keeping rules.

So what should this reader do to stay below the GDPR radar? Well, it could restrict its business to the United States and Canada and inform overseas customers via its online user agreement or terms of service that “no furriners are allowed.” Many small U.S. companies have taken this option since the GDPR went into effect.

If that is not an option, however, here are some things this company can do:

• Add language to its privacy policy stating clearly that the SaaS product is intended for use in the United States and Canada and may not be suitable for customers in other countries.

• Add language to its terms of service stating clearly that users outside the United States and Canada assume responsibility for compliance with all laws, rules and regulations of the country in which they live or work.

• If the company sends cookies to visitors and users of the SaaS product, install a blocker requiring the visitor to accept the cookies each time they visit (but allowing them to visit the site and use the product without having to accept cookies — the GDPR prohibits discrimination against people who do not wish their information monitored or tracked in any way).

• Hire a good attorney familiar with information technology matters to prepare a data protection policy describing in detail what the company does to protect the privacy and security of customers’ data and other personal information.

Cliff Ennico ( is a syndicated columnist, author and former host of the PBS television series “Money Hunt.” 


Pin It