Mark Pestronk
Mark Pestronk

Q: Our agency operates a small number of highly specialized tours in the U.S. Once in a while, we have gotten a European client who finds us on our website and signs up. With a late 2021 relaunch in mind, we are redesigning our website and marketing campaign. Our website and marketing consultant says that having European clients means that we have to comply with the EU's burdensome General Data Protection Regulation (GDPR) rules by vastly revising our privacy policy, protecting data in particular ways, having special agreements with our vendors, etc. Is the consultant correct?

A: If you don't specifically target EU clients, you are not subject to the GDPR, and you can ignore the consultant's advice. My advice is supported by a recent court decision that addresses the targeting issue and is the first court precedent on the subject of whether a U.S. company with EU customers is subject to GDPR.

Earlier this year, the High Court of England and Wales decided the case of Soriano v. Forensic News. The case was decided under pre-Brexit EU law, but the English law that took the place of the GDPR is substantially the same.

The court interpreted Article 3(2)(a) of the GDPR, which states that the regulation "applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services ... to such data subjects in the Union."

In that case, the U.K. resident argued that Forensic News, a tiny California company, was subject to GDPR because: 1) the publications and postings by Forensic News were in English, 2) a website solicited donations in British pounds and 3) the website accepted U.K. shipping addresses for merchandise. The court ruled that these facts did not come close to meeting the applicability criteria under GDPR.

In your case, since you are obviously not "established in the Union," the key question is whether you are "offering goods or services" to people in the EU (and the U.K. post-Brexit). The drafters of the GDPR have written guides explaining that "offering" means more than merely "soliciting" or "advertising," which is how we in the U.S. would understand the term.

According to an official clarification issued by the EU, mere accessibility of your website in the EU or use of a language that is used in your country as well as parts of the EU are insufficient to constitute "offering." On the other hand, use of an EU language or currency other than your own, listing prices or taking orders in euros or other European currency, EU telephone numbers and references to EU endorsers will tend to be seen as "offering" services to EU residents.

So, in your case, the mere fact that your English-language website is accessible in Europe would clearly not constitute "offering." Further, signing up a few U.K. or EU clients once in a while would not change my advice. 


From Our Partners

From Our Partners

2021 Summer Escapes 2
Summer Escapes: Plan Your Clients' Next Adventure
Register Now
We Love Travel Advisors 2021
We Love Travel Advisors 2021 Guide
Read More
2021 Alaska Webinar Series
Learn How You Can SELL Alaska This Summer
Register Now

JDS Travel News JDS Viewpoints JDS Africa/MI