There are two situations in which the GDPR purports to apply extraterritorially to companies that have no contacts with the European Union. The first situation, described in Article 3(2)(a) of the GDPR, occurs when a company that has no contacts with the European Union “offer[s] goods or services” to a person that is located in the European Union. The second situation, described in Article 3(2)(b) of the GDPR, occurs when a company that has no contacts with the European Union “monitor[s]” the “behaviour” of someone “as far as their behaviour takes place within the Union.”1
While the regulation implied that merely having an internet website that is accessible to European Union residents is not enough for the GDPR to attach based upon Article 3(2)(a), there is uncertainty about whether a European supervisory authority might attempt to apply the GDPR to a website that is accessible to European Union residents and that deploys behavioral tracking cookies.
One strategy considered by many United States companies for mitigating the risk that a supervisory authority might determine that a United States retailer that deploys behavioral advertising cookies is subject to the GDPR is to deploy a geofenced cookie banner – i.e., one that seeks opt-in consent before the deployment of cookies from website visitors that utilize a European IP address, but does not require opt-in consent before the deployment of cookies from website visitors that utilize a United States IP address.
In order to help companies understand and benchmark industry practices, BCLP randomly selected a sample of 33% of the Fortune 500 companies identified as being predominantly within the “retailing” sector and then visited their homepages from a server with an IP address in the United States and from a server with an IP address in Europe.4 As of January 13, 2020, 5% of Fortune 500 retailers deployed a geofenced cookie banner that required opt-in consent from European visitors, but did not require opt-in consent from United States visitors.5
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. GDPR, Article 3(2)(b).
2. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 18.
3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 18.
4. Websites were visited from a server in Paris, France with the following IP: 220.127.116.11.
5. Note that some companies in the survey population maintain multiple homepages. For example, a corporation might own several different retail brands. The survey focused only on the homepage of the corporate parent (if available) and did not analyze brand-specific practices. If no corporate homepage was available, the survey reviewed the website of the company’s most prevalent brand.