Many dealers may have seen news stories about the broad privacy and data security regulation coming from the European Union (EU) called the “General Data Protection Regulation” or “GDPR.” GDPR is European law, but it applies to any company, anywhere in the world, that “controls” or “processes” information about people in the EU. Violations carry steep potential fines and penalties, and reports suggest that compliance with the GDPR is operationally disruptive, complicated, and expensive to implement. The deadline for compliance is May 25, 2018.
The key question for automobile dealers and other U.S. businesses is whether the GDPR applies to them at all. The answer depends on the scope of your activities with, or directed to, people in the EU. If you have a physical location in the EU, if you actively market goods and services to the EU, or if you undertake certain other activities concerning EU data, then the GDPR may apply to you.
However, the applicability of GDPR to the average U.S. dealer or dealer group seems unlikely at best. The current expert consensus appears to be that if, for example, you have no EU physical location, you do not engage in marketing directed to the EU (a website alone is generally not enough), you do not ship goods to the EU, and you do not engage in any “monitoring” of people in the EU, then the GDPR likely does not apply to you.
Please note that these issues are fact-specific, and many questions remain about the GDPR and its applicability to U.S. businesses. Dealers should consult with their legal counsel to determine the applicability of GDPR to their specific operations. This also serves as an important reminder for dealers to work with their lawyers to ensure continued compliance with current U.S. privacy and data security-related obligations.
NOTE: This is not legal advice. Dealers should consult with their attorneys to determine the applicability of this or any other law or regulation to their dealership operations.