First and foremost, let me be abundantly clear: I am not a lawyer. Please do not take this blog post as legal advice. Nothing here is a guarantee or a promise that you will meet GDPR compliancy. This is just an attempt for me to share what I have taught myself regarding these new regulations to the best of my ability that I think other website owners may find useful.
GDPR is coming May 25th.
And guess what, we’ve had 2 years to figure it out but most of us have waited until two weeks prior to actually figure it out. (Cough, me, cough.) I’ve seen estimates showing that only 21% of website and business owners have taken steps to ensure compliancy.
So what is GDPR?
GDPR stands for General Data Protection Regulation and is a regulation introduced by the European Commission to ensure data protection for all EU (European Union) citizens.
You may be asking, why does this affect me? I’m a US citizen and my business is in the US. However, if you have a website that visitors from the EU can use, then you may want to pay attention to GDPR because you could risk being non-compliant and you could be subject to very scary fines.
Questions you may ask to see if you should be making changes:
- Does your website use Google Analytics?
- Can users submit forms on your website?
- Can users buy products on your website?
- Can users subscribe to a mailing list on your website?
- Does your website use Google AdSense, AdWords, or Re-marketing?
- Does your website have a membership portal?
Notice how I didn’t add a stipulation that the users accessing your site be in Europe? That’s because Europeans can be anywhere in the world, even living and working in the US. That means that if a European citizen living and working in the US accesses your website, then you need to be GDPR compliant. This is why you can’t just shut down your website to European visitors.
What does this mean for you?
There are a ton of resources to learn more about GDPR and I’m not going to lie, it’s pretty confusing and complicated. I wish I had a better answer for you. (This is where I insert a reminder about my “not a lawyer” status.)
If you own a website and you answered yes to any of the above questions, then you may need to make some changes. I’m going to do a rundown of the things I have done on my own site to try to attain GDPR compliancy.
If you are using Google Analytics, and if we’ve set up your site there’s a strong possibility that you are, then a few things need to happen. First, know that Google is taking GDPR seriously and will do what they need to do to prepare, including updating their data retention controls, which control how long Google Analytics data is stored. The one aspect I’ve seen is that Google is collecting IP addresses, which, even if you aren’t seeing or using them, can be interpreted as personally identifiable information. The solution is that you should turn on IP anonymization.
If you’re using a Google Analytics plugin like CAOS (which this site uses) then there is a super easy checkbox to tick to make this happen. I assume others have it as well.
If your site uses forms and collects any personally identifiable information, such as a user’s name, email address and IP address, then you may need to make some modifications. In most cases, providing a clear consent checkbox that is unchecked by default will suffice.
This will need to be added to any form you have on your website. I used a plugin called WP GDPR Compliance that integrates with many form plugins, such as Gravity Forms, Contact Form 7 and your comment form. It’s pretty easy to pop that checkbox in wherever you need it using this plugin.
Do you allow users to subscribe to your blog via email? Guess what, those forms need to be compliant as well. Adding a consent checkbox that users must tick before subscribing should do the trick. MailChimp is updating their forms for GDPR compliance.
If you sell products, then again, you need to be thinking about GDPR if you allow European citizens to buy products. And remember, they don’t have to be in the EU to be citizens, they can be anywhere in the world. Having the checkbox that they agree to your data storage policies should be sufficient in this case. I used the WP GDPR Compliance plugin for our own WooCommerce shop. WooCommerce has stated they are doing their part to ensure compliancy as well.
What about cookies?
This is literally what I have spent the most time researching, to find out if I need to add one of those annoying cookie popup boxes. (Have I mentioned lately that I’m not a lawyer? Just thought you should know.) If you are collecting data that is shared with any third parties, then yes, you need a popup. (For example, if you use Google AdSense or do re-marketing.)
Guess what? There’s more!
I know, you thought you were done, right? NOT SO FAST. If you collect any personally identifiable information on your website, such as a name or email address provided when leaving a comment on a blog post, then you have to provide a way for users to request to view that data and request to remove that data. AND! If the user requests to have that data removed, then you have 72 hours to comply.
Now would also be a good time to remind you that I AM NOT A LAWYER. Please take any information in this post as tips of what I’ve learned in my own process toward GDPR compliancy and definitely not as legal advice. I believe there are companies out there that can help you attain and confirm your GDPR status but Sumy Designs is not one of those firms due to our serious not-lawyer status.
I found a lot of great info on Suzanne Dibble’s website that may be helpful for you.