GDPR Applicability to U.S. Merchants, Processors and Acquirers

2 Jan

The EU General Data Privacy Regulation (GDPR) was adopted in 2016 and went into effect on May 25, 2018. The GDPR is a framework regulation that is designed to provide a uniform regime to protect the privacy of an individual of the European Union (“data subject”) whose personal data is collected, stored, or processed.   

At first glance, there would seem to be no need for a merchant, processor, or acquirer operating in the United States to worry about the GDPR.  But the GDPR provides for extra-territorial jurisdiction beyond the EU. There can be significant obligations and penalties imposed on U.S. entities which fail to fully comply with the GDPR if they collect, store, or process personal data of a data subject.  

The GDPR is extremely broad in scope.  Accepting or processing payments may be classified as the collection and processing of personal data under the GDPR. As such, any company involved in processing payments from consumers should take steps to determine whether they or any of their business partners are collecting, storing, or processing personal information of a data subject. 

The good news is that in order for the GDPR to apply to a U.S. entity, there must be an intent to market to an EU resident.

In-person transactions occurring in the U.S. that involve EU residents visiting the U.S. are unlikely to involve the GDPR. However, the application of the GDPR to online activity can be much more treacherous. For example, if a merchant sells goods or services online and markets to residents of the EU (as opposed to merely allowing purchases from residents of the EU), then the GDPR is likely to apply. Similarly, if a merchant maintains a website in the language of an EU country, it is more likely that the GDPR could apply to those online commerce activities. And, since the merchant could be collecting personal data of a data subject, all of participants in the chain that process or assist with processing a payment transaction could be unintentionally subject to the GDPR.

So, what are some important questions to pose regarding your operations?

If you are a merchant:

  • Do you market to countries in the EU?
    • Do you maintain your website in alternate languages?
    • Do you accept currencies such as the Euro for purchases?
    • Do you allow EU residents to participate in your loyalty and awards programs?

If you are a processor or acquirer:

  • Do you monitor the online activities of your merchants?  If so, do any of your merchants answer “yes” to the above questions?
    • Have you updated your merchant agreements to address GDPR concerns?

Merchants answering “yes” to any of the questions above should seek legal guidance to determine if and to what extent the GDPR may apply to them.

Processors or acquirers that do not monitor the online activities of merchants or that have not updated merchant agreements would be well advised to consult with knowledgeable counsel to ensure that they are not unintentionally subject to the GDPR through the activities of their merchant portfolios.

–Holli Targan, Nicole Meisner, and Daniel Unger,
Attorneys, Jaffe, Raitt, Heuer & Weiss, P.C.

The above is intended as general information only and should not be construed as legal advice or as creating or soliciting an attorney-client relationship. You should consult your attorney for guidance with respect to any particular issue or legal inquiry.

Holli Targan

Attorney & Partner

htargan@jaffelaw.com

Leave a Comment Below

Leave a Reply

Why ask?