Is Blocking European Visitors to Your Website a Valid GDPR Strategy?

We got caught up in a viral Twitter debate about whether U.S. businesses could comply with GDPR by blocking European visitors from their website.

Traffic to our website spiked over the weekend after Mikko Hyppönen, a well-known security researcher and influencer, mentioned Steel Root in a thread on GDPR that got over half a million views on Twitter.

“Steel Root is the first security company that I know that’s blocking access to their site from EU, because of GDPR.” – @mikko May 5, 2018

This sparked a conversation, in the context of other reactions to GDPR, about how companies are responding to the new data privacy laws that go into effect later this month.

Steel Root has been blocking visitors to our website from outside of the US since 2015, as an easy way to reduce the automated attacks on our WordPress website. Because our customers are all within the United States, it didn’t seem to pose a problem.

In preparation for GDPR, we looked at the types of data we store and how each type is captured. As we evaluated our website Privacy Policy and Terms and Conditions, we realized that we collect data through website elements like Google Analytics, newsletter signup, contact forms, and online booking.

The GDPR is vague in its definitions of what constitutes personal data. And the fact that we were already blocking non-US visitors fit with our strategy of minimizing the amount of potentially-identifiable data we collect and store.

However:

• Geo-blocking by itself is not a valid GDPR strategy, since GDPR covers EU persons regardless of where they’re physically located. The personal data of an EU citizen living in Boston is covered under GDPR. (edit: this may be an false interpretation of the GDPR, which refers to “subjects,” not “citizens.”)
• We were reminded by Jesper Lund, the chairman of a digital rights organization in Denmark, that Recital 23 of the GDPR makes allowances for a company’s intention when offering goods or services when the company is based outside of the EU. Which is to say that if our website does not obviously market to EU persons — as evident, Recital 23 says, by the availability of the website in European languages or the ability to pay for goods or services with Euros — then our intention to not market goods and services to EU persons may exempt us from certain requirements under GDPR, presumably even if we did unintentionally collect personal data (say, through a EU citizen signing up for our newsletter).

As US companies attempt to navigate GDPR, especially those who don’t have specialized legal counsel or privacy experts on staff, I suspect that making a good-faith effort to engage with the law is an important first step. It seems doubtful that regulators will seek to make an example of small- and medium-sized US companies who are not intentionally collecting data on EU persons.

Is blocking European visitors to your website a valid GDPR strategy? Probably not, though if your company does not do business in Europe, you could be forgiven for not fully understanding the grey areas of GDPR. There is, however, a general imperative to get behind: to design for privacy in our business practices.

Privacy is a human right. All companies have a responsibility to practice sound data governance. And if these haven’t been priorities in the past, GDPR is a good reason to get started.