
First and foremost, let me be abundantly clear: I am not a lawyer. Please do not take this blog post as legal advice. Nothing here is guaranteed or a promise that you will meet GDPR compliancy. This is just my attempt to share, to the best of my ability, what I have taught myself about these new regulations, which I think other website owners may find useful.
GDPR is coming May 25th.
And guess what? We’ve had 2 years to figure it out, but most of us have waited until two weeks before the deadline to actually do it. (Cough, me, cough.) I’ve seen estimates showing that only 21% of website and business owners have taken steps to ensure compliancy.
So what is GDPR?
GDPR stands for General Data Protection Regulation. It is a regulation introduced by the European Commission to protect the personal data of all EU (European Union) citizens.
You may be asking: why does this affect me? I’m a US citizen and my business is in the US. However, if you have a website that visitors from the EU can use, then you’ll want to pay attention to GDPR, because if you are non-compliant you could be subject to some very scary fines.
Questions to ask yourself to see if you should be making changes:
- Does your website use Google Analytics?
- Can users submit forms on your website?
- Can users buy products on your website?
- Can users subscribe to a mailing list on your website?
- Does your website use Google AdSense, AdWords, or Remarketing?
- Does your website have a membership portal?
Notice how I didn’t add a stipulation that the users accessing your site be in Europe? That’s because Europeans can be anywhere in the world, even living and working in the US. That means that if a European citizen living and working in the US accesses your website, then you need to be GDPR compliant. This is why you can’t just shut down your website to European visitors.
What does this mean for you?
There are a ton of resources for learning more about GDPR, and I’m not going to lie: it’s pretty confusing and complicated. I wish I had a better answer for you. (This is where I insert a reminder about my “not a lawyer” status.)
If you own a website and you answered yes to any of the above questions, then you may need to make some changes. I’m going to do a rundown of the things I have done on my own site to try to attain GDPR compliancy.
Google Analytics
If you are using Google Analytics (and if we’ve set up your site, there’s a strong possibility that you are), then a few things need to happen. First, know that Google is taking GDPR seriously and will do what they need to do to prepare, including updating their data retention controls, which determine how long Google Analytics data is stored. The one issue I’ve seen is that Google Analytics collects visitors’ IP addresses, which, even if you never see or use them, can be interpreted as personally identifiable information. The solution is to turn on IP anonymization.
If you’re using a Google Analytics plugin like CAOS (which this site uses), then there is a super easy checkbox to tick to make this happen. I assume other plugins have it as well.
If your site uses the regular JavaScript tracking code, then you’ll need to add a small snippet to that tracking code to turn on anonymization.
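Here is what that snippet looks like, as an added example that is not code from the original post or from Google: the gtag.js tracking bootstrap with the `anonymize_ip` setting turned on, plus a small check function (my own, not part of Google’s snippet) that confirms every configured tracker requested anonymization. `UA-XXXXXXX-Y` is a placeholder for your own property ID.

```javascript
// Added example: Google Analytics (gtag.js) tracking code with IP anonymization,
// and a check you can run to verify it. 'UA-XXXXXXX-Y' is a placeholder property ID.

// In the browser the real snippet uses `window.dataLayer = window.dataLayer || [];`.
// A plain array is used here so the example also runs outside a browser.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// The standard bootstrap calls from Google's snippet. The third argument to
// 'config' is where anonymize_ip goes; without it, Google receives the
// visitor's full IP address.
gtag('js', new Date());
gtag('config', 'UA-XXXXXXX-Y', { anonymize_ip: true });

// Equivalent for sites still on the older analytics.js snippet (for reference,
// not executed here):
//   ga('create', 'UA-XXXXXXX-Y', 'auto');
//   ga('set', 'anonymizeIp', true);

// Returns true only if at least one 'config' command was issued and every
// one of them requested IP anonymization. To check a live site, paste this
// function into the browser console and call it with window.dataLayer.
function analyticsAnonymizesIp(layer) {
  const configs = Array.from(layer)
    .map((entry) => Array.from(entry))
    .filter((cmd) => cmd[0] === 'config');
  if (configs.length === 0) return false; // no tracker configured at all
  return configs.every((cmd) => cmd[2] != null && cmd[2].anonymize_ip === true);
}

console.log('IP anonymization on:', analyticsAnonymizesIp(dataLayer));
```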
Oh, and you also need to update your privacy policy about the use of Google Analytics.
Website Forms
If your site uses forms and collects any personally identifiable information, such as a name, email address, or IP address, then you may need to make some modifications. In most cases, providing a clear consent checkbox that is unchecked by default will suffice.
This will need to be added to every form you have on your website. I used a plugin called WP GDPR Compliance that integrates with many form plugins, such as Gravity Forms and Contact Form 7, as well as the WordPress comment form. It’s pretty easy to pop that checkbox in wherever you need it using this plugin.
Oh, and don’t forget to update your privacy policy with clear details on how you are using and storing that data. And if you don’t have a privacy policy? You need one now!
Mailing Lists
Do you allow users to subscribe to your blog via email? Guess what, those forms need to be compliant as well. Adding a consent checkbox that users must tick before subscribing should do the trick. MailChimp is updating their forms for GDPR compliance.
Don’t forget to update your privacy policy!
Shopping Carts
If you sell products, then again, you need to be thinking about GDPR if you allow European citizens to buy them. And remember, they don’t have to be in the EU to be citizens; they can be anywhere in the world. Having a checkbox where they agree to your data storage policies should be sufficient in this case. I used the WP GDPR Compliance plugin for our own WooCommerce shop. WooCommerce has stated they are doing their part to ensure compliancy as well.
Again, with the privacy policy! Update this to reflect how you use the data to deliver products.
What about cookies?
This is literally what I have spent the most time researching: whether I need to add one of those annoying cookie popup boxes. (Have I mentioned lately that I’m not a lawyer? Just thought you should know.) If you are collecting data that is shared with any third parties, then yes, you need a popup. (For example, if you use Google AdSense or do remarketing.)
Oh yeah, and update your privacy policy with this info.
Guess what? There’s more!
I know, you thought you were done, right? NOT SO FAST. If you collect any personally identifiable information on your website, such as a name or email address provided when leaving a comment on a blog post, then you have to provide a way for users to request to view that data and request to remove that data. AND! If the user requests to have that data removed, then you have 72 hours to comply.
I know, this is super complicated! But don’t throw in the towel just yet. The WP GDPR Compliance plugin makes it fairly easy. In the plugin’s settings, there is an option to create a new Data Request page. Activating it creates a page and inserts a shortcode that allows users to request their data, view it, and then request its removal. You can include a link to this page in your privacy policy, but I think the general consensus is to put the email address that the user should contact to get access to this, and then send them the link upon request. If someone uses this tool to request that their data be removed, you’ll get an email and then have 72 hours to remove it, which you can do via the Requests tab in the WP GDPR Compliance plugin settings.
Confused yet?
Now would also be a good time to remind you that I AM NOT A LAWYER. Please take any information in this post as tips from what I’ve learned in my own process toward GDPR compliancy, and definitely not as legal advice. I believe there are companies out there that can help you attain and confirm your GDPR status, but Sumy Designs is not one of those firms due to our serious not-lawyer status.
I found a lot of great info on Suzanne Dibble’s website that may be helpful for you.
Amy Masson
Amy is the co-owner, developer, and website strategist for Sumy Designs. She's been making websites with WordPress since 2006 and is passionate about making sure websites are as functional as they are beautiful.