Reed Smith Client Alerts

As the world enters its first weeks of the European Union’s General Data Protection Regulation (GDPR), companies and organizations globally are considering all aspects of their personal data processing, including collection, use, storage and disclosure, and how the GDPR may affect them. The offering of sweepstakes, contests, instant win games and other promotions inherently involves the processing of personal data through the collection of entries and contact information, sending marketing communications to entrants and reaching out to winners, among other activities. The advent of major European privacy regulation might elicit reactions by U.S. marketers with sweepstakes and contest templates on either end of the spectrum: One reaction is to completely ignore GDPR on the theory that the marketer is offering its sweepstakes and contests to U.S. residents only. On the other end of the spectrum is a complete overhaul of sweepstakes and contest templates as well as entry processes. So, which end point is correct?

This GDPR primer aims to clarify for U.S.-based sponsors of sweepstakes and contests the ways in which GDPR may affect them and to suggest practical steps to address this legal development.

1. What is GDPR?

The GDPR is a momentous change to European data protection law that aims to provide a consistent EU-wide law protecting European residents’ personal data and online rights. It became enforceable on May 25, 2018. Penalties for non-compliance may amount to up to 4 percent of a company’s global annual revenue.