You have probably received a few emails from companies about their new privacy policies and compliance with GDPR (the European General Data Protection Regulation), which went into effect on May 25, 2018. This regulation harmonizes and strengthens personal data protections across the European Union and European Economic Area. It also promises to provide greater transparency over how businesses and organizations use and store customer data. Does it have any impact on photographers? What if your photography business isn’t located in Europe? Read on for the answers.
The good news is that, for someone with a small photography business here in the US, you are unlikely to be greatly affected by the new regulations. The chances of your coming to the attention of the European regulators, much less of their coming after you, are vanishingly small. Still, there are a few things you ought to do. If you do destination weddings, have overseas clients or do a lot of travel photography, you might need to take a more detailed look at the regulation.
Two caveats. I am not a lawyer and this is primarily written for photographers in the United States, but should be reasonably applicable to others outside of Europe. Nothing here should be construed as legal advice and, if you’re based in Europe, or do a lot of business in Europe or with Europeans, you will need to dive much deeper into the regulation to be sure you’re compliant. That’s what your lawyer is for.
What exactly is personally identifiable information (PII)?
PII is generally considered to be things like a person’s name, social security number, address, phone number, date of birth, photograph, and IP address. There’s more, including details about medical conditions, but photographers are less likely to be recording or maintaining these other types of PII. You may be maintaining PII in your accounting software, for your email newsletter, in the descriptions and photos in your Lightroom catalog, and in the cookies of your website. Or, that may all be handled by your website, newsletter and payment processing providers.
Why new data protection regulations?
You’ve heard about major data breaches, when big corporations, like Target and Equifax, have been hacked and lots of personally identifiable information has been exposed or compromised. And you’ve heard about companies, like Facebook, that have used personally identifiable information to market to you or sold data about you to other companies without your knowledge or consent. There is also growing concern about the privacy of medical records and worry over what might happen with facial recognition technology.
European nations have taken a much stricter line about protecting consumer data privacy than has the US. They have a much narrower view of what data companies can collect and what can be done with that data. European regulators have been much more aggressive than the US in going after big tech companies on these issues. Europe even recognizes a “right to be forgotten,” requiring companies to remove information about individuals on request.
The GDPR updates European data privacy practices to take into account more recent developments in the online world. It covers doing business within the EU (European Union: 28 countries with over half a billion people) and the EEA (European Economic Area: Norway, Iceland, and Liechtenstein). But it also applies to anyone doing business with EU or EEA citizens, regardless of where you might be.
Because Europe is such a huge market, the GDPR is affecting how multinational companies do business. Most are changing their practices to comply with GDPR, which is why you may have received lots of emails about the changing privacy policies of companies with which you do business. Some companies have found that their business model wouldn’t work with GDPR and have closed (e.g. Klout). Others have taken actions to limit their exposure, like some newspaper websites that have blocked access to users in Europe.
If, through your website, you’re selling something to an EU or EEA citizen, GDPR could apply to you. If you have an email list for your newsletter or marketing materials, and someone from the EU/EEA is on it, it could apply to you. If your website uses certain kinds of cookies that collect data, that might fall under the GDPR. If you’re planning on selling photos from a European vacation, it might apply to you. And, if you’re booked to shoot a destination wedding in one of the 31 countries, it definitely applies to you.
In the past, each European country passed enabling legislation that brought a regulation like GDPR into its national laws. Exceptions were typically carved out for artistic, editorial and journalistic purposes. So, for example, you could use photos that include people if you were selling them as fine art, as news, or using them as part of your portfolio. You would, however, need a model release if you wanted to use such photos for stock or advertising.
Previously, anyone attending a wedding or a corporate event or convention could be considered to have assented to having their picture taken. There was no expectation of privacy. The same was true for sports and other public events. It is not entirely clear what the GDPR will require here and I’ve read several conflicting opinions.
Photography in public places (the Trevi Fountain in Rome, Trafalgar Square in London, the Champs Elysees in Paris) is still OK, within reason. So long as you’re not embarrassing someone, showing them in a bad light, or using their image to sell or endorse something, you should be OK. Use common sense.
So, what are you to do?
1) Check your service providers. Are they compliant?
My clients are mostly people in my general area, just outside Washington, D.C., not citizens of Europe. Like most small photography business owners, I use a website provider (like Zenfolio, Squarespace, SmugMug, Wix, PhotoShelter and others) for my website and an email service for a newsletter (Mailchimp, Constant Contact, etc.), and process payments via a platform (Square, Stripe, PayPal). Almost all of my customer interactions are managed through these companies. My biggest concern is to make sure I know that they are all GDPR compliant. Most have sent me detailed emails stating their compliance. Others have a page or more about GDPR compliance on their website. By and large, I think I’m OK. How about you?
2) Be responsible and responsive
European authorities have indicated they’re not interested in going after small businesses that do not pose major threats to the data security of large numbers of people. They will, however, take action against companies, regardless of size, that are not responsive to consumer requests to delete data, who are found to have been careless or negligent, who collect more data than necessary or than they said, or who improperly share or sell data. As long as I’m acting responsibly, and respond to any requests I might receive, I should be OK.
If you do collect personal information from or about a European (billing, mailing list, model releases, etc.), you have several obligations. You have to collect the data in a fair and transparent manner, where you say exactly what data you are collecting and why. That data has to be relevant and necessary to your business relationship with that person, and the data should be secured and only kept so long as necessary. Doing so for all clients isn’t a bad idea and could be an advantage that sets you apart from other photographers. But you might also ask yourself why you’re doing the collecting when that could be part of your package with your website or email marketing provider.
3) If you accept work in Europe or with Europeans, know what you’re getting into.
If you’re signed to shoot a destination wedding in Helsinki, a conference in Paris, or a party in Milan, the GDPR is in full force. In order to use your photographs, for any purpose, you may have to get the affirmative permission of anyone and everyone in your photos. The standard disclaimer that, by attending this event, you consent to being photographed and your image used by the host just doesn’t fly in Europe any more. Some experts are saying that each guest will have to explicitly say yes. Other legal eagles say that’s unreasonable and unnecessary. Informed opinions differ.
4) Can contacts opt out of your communications?
Do you have an email newsletter? Does it have an easy way for recipients to opt out? It should. Do you run contests or provide prizes to gather people’s email addresses for your mailing list? Do they have clear options to opt out of any future communications or marketing messages? They should. Your website has a global reach. You could get email subscribers from anywhere.
5) Are you keeping any data you do have secure?
If you are keeping customer data, is it secure? Are your files at least password-protected, if not encrypted? Are you deleting outdated information? You should at least have a plan to do so at certain intervals, say after 3 or 5 years. Most backup and storage solutions have those options. Use them.
You might have noticed that most of these are simply smart and ethical business practices. The GDPR wasn’t really aimed at photographers. Rather it’s intended to safeguard Europeans against large corporations’ improper use of customer data and against the theft of that data from companies by cybercriminals.
If you run a smart and ethical photography business, and your website and other providers are complying with GDPR, you should be fine.
One less thing to worry about in a world with plenty of other distractions.