If you have a website, an email list, or an online store, you need to be aware of the new data protection regulations (also known as GDPR) set by the European Union (EU). Whether you’re a blogger with just a few followers, or a high-profile thought leader with readers and customers all over the world, here’s the low-down on what it means and what you need to do about it.
What is ‘GDPR’?
GDPR stands for General Data Protection Regulation. According to the EU’s GDPR website, its main purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” Basically, it’s a standard set by the European Union that requires websites to give users control over their personal data.
Does it Apply to You?
While it’s specifically mandated for citizens of the EU, it’s also necessary for anyone who has readers or customers there — which includes most websites today. If you offer goods or services (paid or free) to EU citizens, or monitor the behavior of EU citizens (such as website analytics), you must comply.
Specifically, these regulations affect you if:
- you collect information for email lists, contact forms, or comment boxes
- you offer products or services — paid or free — on your website
- you use third-party tracking such as Google Analytics, affiliate codes, or social media sharing options
- you embed content from other sites or use social widgets, which share data to other sites
- you run any future risk of a data breach (i.e., any website at all!)
Websites that fail to comply with the regulations by May 25, 2018, face heavy fines — up to 20 million euros, or 4% of your company’s annual global turnover, whichever is higher. It’s not worth the risk of ignoring, especially since it’s just plain good business to keep your customers informed about what data you’re collecting on them!
What You Need to Do
Thankfully, it’s not hard to meet the GDPR requirements — in fact, you can probably get everything GDPR compliant in less time than it takes to watch a TED talk.
You must include specific language about data collection, cookies, and users’ rights over their data. This means telling your readers:
- what information you collect, including via third-party apps
- how you use that information and how long you store it
- their rights as a data subject (i.e., opting out or deleting their data)
- how you will inform them of any future data breaches
You also need to include a Privacy Tools page, which allows users to download or delete the personal data your website has collected about them (through cookies or tracking software). Again, a GDPR compliance plugin makes this easy; but you could also talk with your site administrator about creating these tools.
Cookies are used to analyze customer behavior, track user movements or sessions (such as logins and shopping cart activity), collect information about users, and otherwise administer a website. They are a wonderful technology for personalizing and enhancing customer experiences, and most people have no problem with them — but like any technology, they can be abused.
To avoid legal trouble, you must inform your users and ask for their consent. I recommend using a plugin like this one to easily add a customizable disclosure box anywhere on your website.
You must include a statement about privacy, with a link to your privacy page, anywhere on your website that asks for a person’s name, email address, or other personal data. This could include (but is not limited to):
- comment boxes
- community forums
- store checkout pages
- surveys or polls
- contact forms