Does GDPR Impact your website?
May 20, 2018
Are you confused by GDPR, and how it will impact your website?
GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. We have received dozens of emails from our clients asking us to explain the impact of GDPR on their websites and what needs to be done to make them compliant.
The General Data Protection Regulation (GDPR) is a European Union (EU) law that took effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and to change the data privacy approach of organizations across the world. By now, you have probably received dozens of emails from companies like Google and others regarding GDPR, their new privacy policy, and a bunch of other legal matters. That’s because the EU has put in place hefty penalties for those who are not in compliance.
Does GDPR apply to your site?
The answer is YES. It applies to every business, large and small, around the world (not just in the European Union). If your website has visitors from European Union countries, then this law applies to you.
What is required under GDPR?
The goal of GDPR is to protect users’ personally identifiable information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data. Personal data includes: name, email, physical address, IP address, health information, income, etc. While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:
- Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form, because they DID NOT opt in to your marketing newsletter (that’s called SPAM, and you shouldn’t be doing that anyway). For it to be considered explicit consent, you must require a positive opt-in (i.e. no pre-ticked checkbox), use clear wording (no legalese), and keep it separate from other terms & conditions.
- Rights to Data – you must inform individuals where, why, and how their data is processed and stored. An individual has the right to download their personal data, and an individual also has the right to be forgotten, meaning they can ask for their data to be deleted. This makes sure that when you hit Unsubscribe or ask a company to delete your profile, they actually do so.
- Breach Notification – organizations must report certain types of data breaches to the relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individuals’ data. However, if a breach is high-risk, then the company MUST also inform the individuals who are affected right away.
- Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.
SUMMARY: GDPR makes sure that businesses can’t go around spamming people with emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent. Businesses have to delete a user’s account and unsubscribe them from email lists if the user asks them to. Businesses have to report data breaches and overall be better about data protection.
What do you need to do to make sure that your website is GDPR compliant?
- WordPress Upgrade: If your website is developed using WordPress, WordPress version 4.9.6 is GDPR compliant. So, you need to make sure that your website is upgraded.
- Comment Consent Form: If your website allows users to leave comments, you need to make sure that by default you don’t store the commenter’s name, email, and website in a cookie in the user’s browser. You need to add a comment consent checkbox. The user can still leave a comment without checking this box – but that means they will have to manually enter their name, email, and website every time they leave a comment.
- Data Export and Erase Feature: You need to be able to comply with GDPR’s data handling requirements and honor a user’s request to export their personal data, as well as a request to remove it.
- Privacy Policy: Your website needs to have a privacy policy, and it needs to tell users what data you store and how you handle their data.
- Google Analytics: You need to anonymize the data before storage and processing begins, and add an overlay to the site that gives notice of cookies and asks users for consent prior to tracking.
- Contact Forms: You need to get explicit consent from users to store their information; get explicit consent from users if you are planning to use their data for marketing purposes (i.e. adding them to your email list); disable cookies, user-agent, and IP tracking for forms; and comply with data-deletion requests.
- Email Marketing Opt-in Forms: Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list. This can generally be done either by adding a checkbox that the user has to tick before opting in, or simply by requiring double opt-in to your email list (double opt-in includes an extra confirmation step that verifies each email address; this confirmation provides additional evidence of consent).
- Retargeting Ads: If your website is running retargeting pixels or retargeting ads, then you will need to get the user’s consent.
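The Google Analytics item (consent before tracking, anonymized data) and the Contact Forms item (explicit opt-in, no cookie/user-agent/IP tracking) together, as an added JavaScript example that is not from the original post and not WordPress or Google code; the storage object, the form field names and the measurement ID placeholder are assumptions:

```javascript
// Added example (not WordPress or Google code): a consent gate that keeps
// Google Analytics off until the visitor explicitly opts in, and a contact-form
// handler that records only what the visitor typed. Storage, field names and
// the measurement ID are assumptions for illustration.

const GA_ID = 'UA-PLACEHOLDER-1'; // placeholder, not a real property ID

// Constructed stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Consent counts only when the visitor explicitly granted it (positive opt-in);
// a missing or unknown value is treated as "no consent".
function createConsentGate(storage) {
  return {
    hasConsent: () => storage.getItem('cookie_consent') === 'granted',
    grant: () => storage.setItem('cookie_consent', 'granted'),
    revoke: () => storage.removeItem('cookie_consent'),
  };
}

// gtag.js commands to issue. Without consent the list is empty, so no tracker
// is configured and no _ga cookie gets written; with consent, anonymize_ip
// asks Google Analytics to mask the visitor's IP before it is stored.
function analyticsCommands(gate) {
  if (!gate.hasConsent()) return [];
  return [['js', new Date()], ['config', GA_ID, { anonymize_ip: true }]];
}

// Contact form: copy only the typed fields, treat the marketing checkbox as
// consent only if it was actually ticked (browsers send "on" for a ticked
// box), and never copy the request IP, user-agent or cookies into the record.
function buildContactRecord(request) {
  const f = request.body || {};
  const optedIn = f.marketingConsent === true || f.marketingConsent === 'on';
  return {
    name: String(f.name || '').trim(),
    email: String(f.email || '').trim(),
    message: String(f.message || '').trim(),
    marketingOptIn: optedIn,
    consentedAt: optedIn ? new Date().toISOString() : null,
  };
}
```

In the browser, pass window.localStorage to createConsentGate and feed each entry of analyticsCommands to gtag(...) only after the overlay's Accept button has called grant().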
If you are not sure, contact your website developer to discuss how your website can be made GDPR compliant.