If you have a website, an email list, or an online store, you need to be aware of the new data protection regulations (also known as GDPR) set by the European Union (EU). Whether you’re a blogger with just a few followers, or a high-profile thought leader with readers and customers all over the world, here’s the low-down on what it means and what you need to do about it.
What is ‘GDPR’?
GDPR stands for general data protection regulations. According to the EU’s GDPR website, its main purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Basically, it’s a standard set by the European Union that requires all websites to give users control over their personal data.
Does it Apply to You?
While it’s specifically mandated for citizens of the EU, it’s also necessary for anyone who has readers or customers there — which includes most websites today. If you offer goods or services (paid or free) to EU citizens, or monitor the behavior of EU citizens (such as website analytics), you must comply.
Specifically, these regulations affect you if . . .
- you collect information for email lists, contact forms, or comment boxes
- you offer products or services — paid or free — on your website
- you use third-party tracking such as Google Analytics, affiliate codes, or social media sharing options
- you embed content from other sites or use social widgets, which share data to other sites
- you run any future risk of a data breach (i.e., any website at all!)
Websites that fail to comply with the regulations by May 25, 2018 face heavy fines — up to 20 million euros, or 4% of your company’s annual global turnover, whichever is higher. It’s not worth the risk of ignoring, especially since it’s just plain good business to keep your customers informed of what data you’re collecting on them!
What You Need to Do
Thankfully, it’s not hard to meet the GDPR requirements — in fact, you can probably get everything GDPR compliant in less time than it takes to watch a TED talk.
First, update your Privacy Policy and Privacy Tools.
You must include specific language about data collection, cookies, and data user rights. This means telling your readers:
- what information you collect, including via third-party apps
- how you use that information and how long you store it
- their rights as a data subject (i.e., opting out or deleting their data)
- how you will inform them of any future data breaches
If you run a WordPress site, the simplest option is to use a plugin like this one, which generates a Privacy Policy that includes all the necessary wording about data collection and data user rights. You’ll need to add a few personal details, and skim it over just to know what you’re sharing, but it does most of the work for you. Non-WordPress users can find free templates like this one, or ask a lawyer to help you draft one specific to your company. If you’d like an example, check out our Privacy Policy here.
You also need to include a Privacy Tools page, which allows users to download or delete their personal data that’s been collected by your website (through cookies or tracking software). Again, a plugin like the one mentioned above makes this easy; but you could also talk with your site administrator about creating these tools.
Second, ask user consent for your site’s use of cookies.
Cookies are used to analyze customer behavior, track user movements or sessions — such as logins and shopping cart activity, collect information about users, and otherwise administer a website. They are a wonderful technology to personalize and enhance customer experiences, and most people have no problem with it — but like any technology, they can be abused.
To avoid legal trouble, you must inform your users and ask for their consent. I recommend using a plugin like this one to easily add a customizable disclosure box anywhere your website.
Third, state your privacy policy wherever you collect user information.
You must include a statement about privacy, with a link to your privacy page, anywhere on your website that asks for a person’s name, email address, or other personal data. This could include (but is not limited to):
- comment boxes
- community forums
- store checkout pages
- surveys or polls
- contact forms
This disclaimer could be as simple as “We use cookies to give you the best possible experience on our website,” and include a link to your policy page. You may also include a checkbox (as long as it’s not pre-checked) for people to actively give their consent.
Elizabeth Johnson loves the color yellow, strong {black} coffee, editing, and exploring the mountains in rural Wyoming and Utah, where she and her husband serve as church planters. In her free time, she enjoys learning new things, hand-lettering and acrylic painting, and gaming with her husband.