The short answer is–WRONG, you are more likely to be affected than not!
Be forewarned, this is a lengthy post…but since the GDPR has weighty consequences, it deserves it–and there is no hiding from it!
My Business is US Based so GDPR is Irrelevant
You live in the US, and your business is based in the US. You don’t market to people in other countries. So you may be thinking, understandably so, that you don’t have to worry about GDPR.
Sadly, you would be wrong.
My personal disclaimer: Let me start off by saying, I am not a lawyer. I never even played one on television. So, after reading this you have legal-type questions, please contact your attorney.
OK, not that that is over with, let’s start off with what GDPR is, because since you probably thought it didn’t affect you, you might have glossed over it.
What is GDPR?
GDPR stands for the General Data Protection Regulation.
It is law that was passed by the European Union (EU), but don’t let that stop you—because, believe it or not, it just might impact your business.
(If after reading this post, you want more info, you can go to the European Commission’s Principles of the GDPR.)
Just Whose Data is Being Protected?
OK, so the law is about Data Protection, but what data and whose?
The regulation is intended to protect individuals who live in the European Economic Area (EEA)*.
It gives people some protection and control over what personal information is collected by businesses online, and how it is stored and used.
Notice that we said ‘individuals who live in’ not citizens.
What Data is Protected
“Personal Data” is the term they use, but what does that really mean?
Some things that are protected are fairly obviously, like a person’s name, address, email address, credit card information and the like.
But this regulation also covers things that can identify an individual “indirectly.”
That would be things like a person’s IP address, because that IP address actually identifies every computer. IP stands for Internet Protocol. And an IP address is a unique string of numbers. That number is linked to everything you do online. You don’t have control over your IP address, so there’s no need to memorize it.
A person’s IP address, unlike their home address, changes. The address is assigned by your Internet service provider. If you are using a different network (like when you’re surfing the web while waiting for your car to be washed, or checking your email from your remote office, AKA the local coffee shop), you will be assigned a different IP address. Even at home your IP address can, and frequently does change.
(Click to read more about IP addresses)
What Businesses does GDPR Apply to:
The GDPR applies to ‘Data Controllers’ and ‘Data Processors’
Data Controller: someone/entity that determines if you will collect data and what data you will collect.
Data Processor: the entity or application that processes or stores the data on behalf of a controller.
Most internet marketers are therefore Data Controllers. Some may also be processors, but most will probably engage other entities or applications as data processors.
My Business is Small, Surely I’m Exempt
Wrong Answer. Size doesn’t matter if you collect or process personal data,
But I Don’t Target Europeans
Unfortunately, your intentions don’t actually seem to matter. This is about the end-user’s location, not you or your business.
Non-EU based businesses are required to comply with the GDPR if that business “collects or processes” any EU residents’ personal data.
I Don’t Charge Anything on My Site, So I’m Good
Wrong, again. There is no requirement under the GDPR that money must change hands.
When Does it Go into Effect?
May 25, 2018
Why is this Happening?
Let’s face it, people are pretty pissed off that some of the big businesses have collected our personal data and abused it.
Those big guys have the staffing, the lawyers, and the bucks to cover their bases. Good for the consumer, but it still leaves smaller businesses with a huge burden to protect people—even though they never abused anyone’s info in the first place.
Penalties and Enforcement
The fines for not complying a pretty hefty: up to 4% of a company’s global turnover. The exact amount would be determined based on how bad the violation was.
How this regulation will be, well, regulated, and enforced is not clear.
What Do I Need to Do to be Compliant?
This regulation may require you make some significant changes on how you obtain consent, who you collect and store personal data, and your disclosures.
Consent: you must obtain “explicit consent” before you collect personal data from an EU resident. Consent must be voluntary, specific, informed and unambiguous.
That means a several things to marketers
- You can’t pre-tick boxes for people, or presume that by using your site someone agrees. You must require they take an action in order to agree.
- The language has got to be clear and understandable. And it can’t be buried in a bunch of legalize—it needs to actually be separate from other terms and conditions.
- You must specify what data you are collecting or processing and what will be done with that data.
- You must identify any third-party controllers or processors that will be using that data
- You must explain how a person can later withdraw their consent
- You should avoid making consent a precondition of service
- You must keep records of the consent (even if this wasn’t required, you would want to do this, because it would be how you would defend yourself should the need ever arise.)
- If you will use data for more than one purpose, you must inform the user of each use and allow them to accept or reject each use individually.
- Parental approval is needed before collecting data on children under the age of 16
What Data Do You Collect?
Start by figuring out what data you actually collect.
Ex: Names, email address, IP address, mailing address, payment info
Where did that data come from?
Ex: an opt-in form, Google Analytics, a comment area, a contact us page
Do you share that data with anyone?
Ex: email client, credit card processing company, website hosting company, a cloud storage server, a company that you are an affiliate for, a company that serves of personalized information (such as retargeting ads) on your website
Do you currently have any data on an EEA resident?
If you do, did you get ‘explicit consent’ or do you need to do that now?
Change How You Get Consent
Once you know what data you collect and how it is used, you can now create forms, opt-in boxes, etc that lay it all out there.
Allow the user to check one, several, all, or none of the boxes giving consent accordingly.
Be Sure to Check These Easily Overlooked Areas of Your Site/Business
Analytics: Most marketers use some sort of analytics in order to determine where their traffic is coming from, and how well their efforts are working. The GDPR doesn’t mean that you cannot do this, but you may have to make a few tweaks
to your collection.
You can make the data anonymous (including not tracking IP addresses) before it is stored or processed.
Tracking Pixels, Retargeting Ads: If you use retargeting ads, you must inform users when they enter your site and obtain informed consent before they enter your site. This includes using Facebook’s tracking pixel.
Sponsored or Guest Content: anyone who publishes content (editorial or advertising) on your site must also be GDPR compliant. So check it out before you publish.
Email Lists: Have a checkbox (unticked) that the visitor must check to indicate consent. Your opt-in form may have several checkboxes.
If you use tracking pixels in your email campaigns (commonly used to see if/when someone opens an email) you must list that expressly before they subscribe to your list.
Your email service provider should give you the tools you need in order for your emails to be GDPR compliant—but it will be up to you to use the tools.
Affiliate Links: Get consent for cookies—it can be on a post, a page, or an overlay, but it must be before a website visitor clicks the actual affiliate link.
Display Ads: If your site displays ads from a third-party, you must get consent from site visitors immediately—before they actually enter your site. The consent might be that this third-party is colleting data for advertising and marketing purposes, but if they gather data for more personalized targeting that should be specified.
Contact Forms: Hey, we think it should be self-evident that if a person is requesting you contact them that they are giving permission for you to collect their data. But, apparently it isn’t. Are you storing the data? How will it be used? What data are you collecting and why? Bottom line, include the disclaimer and get explicit consent.
Website Plugins: If your website uses plugins, it is your responsibility to ensure that the plugin developers are also GDPR compliant. The good news is that WordPress.org’s guidelines prohibit approved plugins (on the WordPress.org directory) from tracking users without their clear consent. Keep in mind however, that just because a plugin WAS on the directory when you installed it, it doesn’t mean that it STILL is.
Webinars: If you are a guest on a webinar or other web-based event, be sure that your host is using GDPR compliant tools. If you are the host, and you share your data with a guest, you must ensure that the guest is GDPR compliant.
Live Events: GDPR is not strictly for web events. If you attend a live event and collect data, you still must follow the GDPR.
Other Marketing Efforts: do you have or buy a list for mailing, phoning, or email marketing? Those all fall under the jurisdiction of the GDPR as well.
Security: Keep in mind that everything you have done to protect data in the past is also affected by the GDPR. This includes, but is not limited to off-line storage (do you back up to a different hard drive, or to a thumbdrive or CD?), malware protection software, cyber security software…
Help Managing GDPR
There are some checklists that can help you make sure you are in compliance, and if not, the steps you need to take in order to get there. Check out these at ICO.org.uk and you might want to check out their 12 steps to take now info here.
Plugins: There are WordPress plugins that are touted as being able to help businesses manage data and be GDPR compliant. We are not, at this time, vouching for any specifically.
Email: contact your email service provider to be sure they offer the tools you need
Hosting company: check with your webhost to be sure they are GDPR compliant
Forms: if you use any kind of forms, check with that provider to be sure they are GDPR compliant
Storage: where do you store data? Is it GDPR compliant?
Final Thoughts on GDPR
Quick recap: any business, even those based in the USA, must obtain explicit consent from any resident of the EEA prior to collecting any data that could identify them, either directly or indirectly.
Although the GDPR is an EU regulation, it wouldn’t surprise us if something similar comes down from other countries. So, if you decide you are not going to protect data now, you may be required to do so in the future.
We pulled information from a variety of sources for this post in order to better understand the ramifications of the GDPR for us, our clients, and readers. This is not necessarily the ‘final word’ on the topic, and there are many other sources of information that may provide similar info and advice—or advice that contradicts our conclusions. We cannot tell every business owner what is right for their business; this is general information that should help you make an informed decision about what your next step(s) should be.
*Residents of the following Countries Covered by the GDPR: The EEA includes all countries in the EU (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK—at least for now), and also includes Norway, Iceland, and Liechtenstein. Switzerland’s residents may, or may not be covered, that is unclear.
Map of the European Economic Area from Wikipedia