As the world enters its first weeks of the European Union’s General Data Protection Regulation (GDPR), companies and organizations globally are considering all aspects of their personal data processing, including collection, use, storage and disclosure, and how the GDPR may affect them. The offering of sweepstakes, contests, instant win games and other promotions inherently involves the processing of personal data: collecting entries and contact information, sending marketing communications to entrants and reaching out to winners, among other activities. U.S. marketers with sweepstakes and contest templates may react to the arrival of major European privacy regulation in one of two ways, at opposite ends of a spectrum: completely ignoring the GDPR on the theory that the marketer offers its sweepstakes and contests to U.S. residents only, or completely overhauling its sweepstakes and contest templates and entry processes. So, which end point is correct?
This GDPR primer aims to clarify for U.S.-based sponsors of sweepstakes and contests the ways in which GDPR may affect them and to suggest practical steps to address this legal development.
Authors: John P. Feldman, Jason W. Gordon
1. What is GDPR?
The GDPR is a momentous change to European data protection law that aims to provide a consistent EU-wide law protecting the personal data and online rights of individuals in Europe. It became enforceable on May 25, 2018. Penalties for non-compliance may amount to up to 4 percent of a company’s worldwide annual turnover or €20 million, whichever is greater.
Entities worldwide are seeing impacts because the GDPR applies to organizations, wherever located, that offer goods or services to individuals in the EU or monitor their behavior, and it governs their processing of those individuals’ personal data. Personal data includes anything that can be used directly or indirectly to identify a person, including name, email address, telephone number, postal address and IP address, among many other data points.
The GDPR affects entities (a) that are established in the EU and process personal data, whether within or outside of the EU or (b) that are not established in the EU but either offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU. Such individuals must merely be physically in the EU (even temporarily). Their nationality, residence, or intention to stay within the EU is irrelevant. The offering of goods or services does not even have to be connected to payment.
An entity operating a U.S.-based business does not automatically have to comply with GDPR merely because Europeans visit its website and purchase goods and services. In that scenario, the GDPR applies only if the entity intends to offer goods or services to users located in the EU. The entity can exhibit such an intention by offering local currency payment options, shipment to the EU or local (i.e., EU) telephone hotline numbers. However, even if the entity exhibits none of these criteria, the GDPR can apply nonetheless if the entity monitors the behavior of users in the EU. Tracking individuals’ internet activities or profiling and targeting them for advertising (e.g., via cookies) is the most common driver of GDPR compliance for companies that might not otherwise have or focus on an EU presence.
2. Can I ignore GDPR?
You may want to take steps to avoid having to think about GDPR. Sponsors can avoid having their sweepstakes, contests, instant win games and other promotion-related data processing activities fall within the scope of GDPR by following these tips:
- Do not allow individuals located in the EU to enter the sweepstakes or contest;
- If there is a form that entrants fill out to enter, the form should not allow for the entry of European addresses or telephone numbers;
- Do not advertise the approximate retail value of prizes in EU currencies;
- Use location targeting to avoid advertising the sweepstakes to individuals located in the EU;
- Include disclaimers on the sweepstakes landing page stating that individuals located in the EU are not eligible to enter;
- Be careful to not offer a GDPR-compliant privacy policy on the sweepstakes landing page that could mistakenly create the impression that you believe you should be GDPR compliant (include your normal U.S. privacy policy instead); and
- Exclude individuals in the EU, to the extent possible, from any cookies or other tracking technologies on the sweepstakes landing page, which may be achieved using general location detection based on IP addresses.
If you follow these tips, you will be in a much better position to defend allegations that you have processed personal data from the EU and should be complying with the GDPR even if an individual in Europe enters the sweepstakes in violation of the rules.
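The exclusion tips above describe checks that a promotion’s entry endpoint and landing page can enforce in code. The following is an added example, not code from this alert, showing one way to do so in Python: it rejects entries whose address country or telephone prefix belongs to an EU member state, and it decides, before any cookie or tag is set, whether tracking is allowed for a visitor’s IP address. The member-state list and dialing prefixes are those in force when this alert was written (the United Kingdom was still a member); the function names, the entry dictionary fields and the caller-supplied country_of_ip lookup are assumptions, since the alert names no geolocation product. Counsel, not the code, should own the country list, including whether EEA states are added.

```python
"""Server-side entry gate for a U.S.-only promotion.

Added example, not code from the alert. Assumptions: the entry arrives as a
dict with ISO 3166-1 alpha-2 "country" and free-form "phone" fields, and a
caller-supplied country_of_ip() function maps an IP address to a country code
(or None when unknown).
"""
from typing import Callable, List, Optional

# EU member states as of 2018; GB was still a member. Maintained by counsel.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
})

# International dialing prefixes of the same states. No prefix here is a
# prefix of another, so a simple startswith() test is unambiguous.
EU_DIAL_PREFIXES = (
    "+43", "+32", "+359", "+385", "+357", "+420", "+45", "+372", "+358", "+33",
    "+49", "+30", "+36", "+353", "+39", "+371", "+370", "+352", "+356", "+31",
    "+48", "+351", "+40", "+421", "+386", "+34", "+46", "+44",
)


def normalize_phone(raw: str) -> str:
    """Strip formatting. Returns '+<digits>' for international numbers and bare
    digits otherwise. '00' (ITU) and '011' (North American) dial-out prefixes
    are rewritten to '+' so they cannot be used to sneak an EU number past a
    check that only looks for a plus sign."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    if digits.startswith("011"):
        return "+" + digits[3:]
    return digits


def is_eu_phone(raw: str) -> bool:
    num = normalize_phone(raw)
    return num.startswith("+") and any(num.startswith(p) for p in EU_DIAL_PREFIXES)


def entry_rejections(entry: dict) -> List[str]:
    """Return the reasons an entry fails the U.S.-only eligibility rules.
    An empty list means the entry may be accepted."""
    reasons: List[str] = []
    country = str(entry.get("country", "")).strip().upper()
    if country in EU_COUNTRIES:
        reasons.append(f"address country {country} is in the EU")
    phone = entry.get("phone")
    if phone and is_eu_phone(str(phone)):
        reasons.append("telephone number carries an EU country prefix")
    return reasons


def tracking_allowed(client_ip: str,
                     country_of_ip: Callable[[str], Optional[str]]) -> bool:
    """Decide before any cookie or tag is served. Fails closed: a visitor whose
    location cannot be determined is treated as possibly in the EU."""
    country = country_of_ip(client_ip)
    if country is None:
        return False
    return country.upper() not in EU_COUNTRIES
```

The geolocation decision is made server-side and fails closed on purpose: an unknown or unresolvable address gets no tracking, which is the cheaper mistake. IP-based location is approximate (VPNs, mobile carriers), so the entry-form checks above remain the primary control and the disclaimer in the rules the backstop.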
Please note: if the sponsor is a multinational organization with a presence in Europe, it should very clearly establish that the U.S. arm or subsidiary of the organization is running the sweepstakes, not the EU parent or related company. This includes ensuring that administration and prize fulfillment do not involve European personnel or departments. This may also be helpful in establishing that any processing of personal information outside the EU is undertaken with consent.
3. When do I have to care about GDPR?
If you open your sweepstakes, contest, instant win game or other promotion to individuals in Europe by allowing Europeans to enter and/or targeting Europeans when advertising the promotion, you will need to think about GDPR. These actions indicate that you intend to process the personal data of individuals in Europe. If the sponsor is a multinational organization with a presence in Europe, there is a risk that EU regulators will require the promotion to comply with GDPR if the running of the promotion is not clearly separated from the European operations, even if the sponsor takes measures to bar Europeans from entering.
4. What does compliance look like for a sweepstakes or contest sponsor?
Some of the more onerous obligations of GDPR are unlikely to apply to sponsors that merely open sweepstakes, contests, and instant win games to Europeans without engaging in large-scale processing of personal data in Europe. However, there are some basic requirements that sponsors of sweepstakes, contests and instant win games open to individuals in Europe should meet, along with additional requirements depending on how the sponsor handles the data collected.
Rules
Sponsors running GDPR-compliant sweepstakes, contests and instant win games should have a separate rules template that references a GDPR-compliant privacy policy (discussed below).
Call to action
If any advertising for the sweepstakes, contest or instant win game (including banner ads and landing pages) features tracking technology such as cookies, proper consent for the use of cookies should be obtained. Most entities currently observe an opt-out consent regime for cookies, though whether that is sufficient is being debated among the various European authorities. Additionally, on any pages that advertise the sweepstakes, contest or instant win game and that collect personal information from entrants, a GDPR-compliant privacy policy should be clearly linked or otherwise available.
Privacy policy
The sponsor should make a GDPR-compliant privacy policy easily available to the sweepstakes, contest or instant win game entrants/players. This document informs entrants/players of how their data is collected and used, the legal basis for doing so, whether third parties will receive the data, how long it is stored and their rights with regard to their data. The privacy policy or a clear link to it should appear on the entry page and should be concise, transparent, intelligible, easily accessible, written in clear and plain language, and free of charge.
Elements that should be present in GDPR-compliant privacy policy include:
- The identity and contact details of the data controller (in this case, the sponsor) and the controller’s representative in the EU;
- The purpose of the processing and the legal basis for the processing;
- The legitimate interests of the controller or third party, where applicable;
- Categories of personal data processed;
- Any recipient or categories of recipients of the personal data;
- Details of transfers to any third country, applicable safeguards for how data is protected when transferred, and the means by which to obtain a copy of the safeguards;
- Retention period or criteria used to determine the retention period;
- The existence of each of the data subject’s rights (including the rights to be informed, to access, to rectification, to erasure and to object, as well as restriction of processing and data portability);
- The right to withdraw consent at any time, where relevant;
- The right to lodge a complaint with a supervisory authority;
- Whether the provision of the personal data is part of a statutory or contractual requirement and possible consequences of failing to provide the personal data; and
- The existence of automated decision making (decisions made by machines and not by humans that affect individuals’ rights), including profiling, and information about how decisions are made, their significance and their consequences.
Entry form and proper consent
You may collect the information that is necessary to administer the promotion, such as name, email address, mailing address or telephone number. However, if you plan to use the information for other purposes, such as including the entrants in your CRM system and sending them marketing communications, you will need to obtain affirmative consent for those uses.
An example of consent for these uses is: “By checking this box, I agree that [Sponsor] is collecting and will use my name and email address to send me marketing messages about [Sponsor] products that may be of interest to me,” followed by, “By checking this box, I agree to [Sponsor’s] Terms of Use” and the statement “[Sponsor’s] Privacy Policy applies to the processing of your data.”
The following are additional guardrails for the consent requirement:
- Consent requires a positive opt in, such as affirmatively clicking “I Agree” and/or checking a box. Pre-checked boxes or other default methods of consent are not sufficient.
- Consent should be specific. Obtain consent for each way the personal data will be used, including receiving marketing messages in the future.
- Keep the consent requests separate from other terms and conditions. Do not bury them in the rules.
- It should be easy for individuals to withdraw their consent at any time. Inform them how they can do so.
- Keep evidence of consent: who, when, how and what you told people.
- Use the personal data only for the purpose for which it was collected, and delete the personal data after the completion of this purpose.
- Obtain specific consent to the official rules and the privacy policy by providing them in full or providing clear links to them, as well as a mechanism such as a checkbox.
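The consent guardrails above translate directly into server-side logic. The following is an added example, not code from this alert, showing in Python how an entry endpoint can require an affirmative, separate opt-in for each purpose, keep a record of who consented, when, how and to what wording, honor withdrawal, and limit use of the data to the purposes consented to. The class and purpose names (ConsentLedger, "rules", "marketing", the administration purposes), the form field names and the timestamp format are assumptions; the marketing checkbox text is the alert’s own sample language with its placeholders kept.

```python
"""Consent capture and evidence for a promotion entry form.

Added example, not code from the alert. Assumptions: the entry form posts
"accept_rules" and "marketing_opt_in" as separate, unchecked-by-default
checkboxes, and the sponsor stores ConsentRecord rows as its evidence of
consent.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Exact wording shown beside each checkbox. Fingerprinting it lets the record
# prove what the entrant was told, not merely that a box was ticked.
CONSENT_TEXTS = {
    "rules": "By checking this box, I agree to [Sponsor's] Official Rules and Terms of Use.",
    "marketing": ("By checking this box, I agree that [Sponsor] is collecting and will "
                  "use my name and email address to send me marketing messages about "
                  "[Sponsor] products that may be of interest to me."),
}
# Uses that administering the promotion needs and that rest on the rules
# acceptance rather than on a separate opt-in (assumed names).
ADMINISTRATION_PURPOSES = frozenset({"winner_notification", "prize_fulfillment"})


def text_fingerprint(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    entrant_id: str
    purpose: str
    granted_at: str        # ISO 8601, UTC
    method: str            # how consent was given
    text_sha256: str       # fingerprint of the wording shown at the time
    source_ip: str
    withdrawn_at: Optional[str] = None


class ConsentError(ValueError):
    """The form does not carry the opt-in the requested action needs."""


def _checked(value: object) -> bool:
    # An HTML checkbox is posted as "on" only when ticked; any other value,
    # including a missing field, is not consent. The server cannot tell whether
    # a box was pre-checked, so the template must render it unchecked.
    return value is True or value == "on"


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_entry(self, entrant_id: str, form: Dict[str, object], source_ip: str,
                     now: Optional[datetime] = None) -> List[ConsentRecord]:
        """Accept an entry. Rules acceptance is mandatory; the marketing opt-in is
        a separate, optional box and is recorded only when affirmatively ticked."""
        ts = (now or datetime.now(timezone.utc)).isoformat()
        if not _checked(form.get("accept_rules")):
            raise ConsentError("entry requires affirmative acceptance of the official rules")
        granted = ["rules"]
        if _checked(form.get("marketing_opt_in")):
            granted.append("marketing")
        new = [ConsentRecord(entrant_id, p, ts, "web form checkbox",
                             text_fingerprint(CONSENT_TEXTS[p]), source_ip) for p in granted]
        self._records.extend(new)
        return new

    def has_consent(self, entrant_id: str, purpose: str) -> bool:
        return any(r.entrant_id == entrant_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def withdraw(self, entrant_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Mark consent withdrawn. The original record is kept, with the
        withdrawal time, as evidence. Returns True if anything changed."""
        ts = (now or datetime.now(timezone.utc)).isoformat()
        changed = False
        for r in self._records:
            if r.entrant_id == entrant_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = ts
                changed = True
        return changed

    def permitted(self, entrant_id: str, purpose: str) -> bool:
        """Purpose limitation: administration uses follow from accepting the
        rules; every other use needs its own live (unwithdrawn) consent."""
        if purpose in ADMINISTRATION_PURPOSES:
            return self.has_consent(entrant_id, "rules")
        return self.has_consent(entrant_id, purpose)
```

Every outbound marketing job should call permitted(entrant_id, "marketing") at send time rather than caching the answer, so a withdrawal takes effect immediately; the retained records with their withdrawn_at stamps are what you produce if a supervisory authority or the entrant asks for evidence of consent.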
Database of information
As mentioned above, the GDPR gives individuals in the EU certain rights regarding the personal data that entities hold about them. These include the rights to access the data, to correct it and to request its deletion. Entities that collect and store individuals’ data for purposes such as their CRM systems should be prepared to respond appropriately to these requests. Such entities should create internal policies and procedures to ensure that requests from entrants to exercise their rights can be handled effectively.
Data security
The “security principle” of GDPR requires data controllers to process personal data securely using appropriate technical and organizational measures. These measures, which may include physical and technical measures such as encryption and pseudonymization, should ensure the confidentiality, integrity and availability of your systems and services and the personal data you process in those systems or services. You must have appropriate processes in place to test the effectiveness of these measures and undertake any required improvements.
Appointing a local representative in the EU
If your organization is subject to the GDPR because of its sweepstakes and contest activities but does not have a corporate office in the EU, the GDPR requires that you appoint a local EU representative to serve as the contact person for all questions on data protection from individuals in the EU and from data protection supervisory authorities. Many law firms and companies in Europe have developed this service and are available to be hired as local representatives.
Other considerations
International transfers: If you will be collecting the personal data of individuals in the EU and storing it outside of the EU for sweepstakes administration purposes, you will need to obtain the individual’s informed consent to that transfer. Individuals will need to be informed of the international transfer and the possible risks of data transfers to countries outside the EU if those countries have not been designated as providing an adequate level of protection.
Third-party vendors: If you will be using third-party vendors to help you administer the sweepstakes or to otherwise process the data, you will need to ensure that your contracts with them contain adequate provisions to meet GDPR requirements and that they are adequately identified in your privacy policy and/or rules.
Data breaches and notification: The GDPR also requires organizations to report certain types of personal data breaches to the relevant EU supervisory authority within 72 hours of becoming aware of the breach, where feasible, and, where the breach is likely to result in a high risk to individuals, to notify the affected individuals without undue delay. Create internal policies and procedures to ensure timely compliance.
For more information and to consult with our attorneys on the impact of GDPR on sweepstakes and contests, please contact John Feldman, Jason Gordon or Kimberly Chow.
Client Alert 2018-147