GDPR: What’s All the Fuss, it Doesn’t Affect Me, Right?

The short answer is–WRONG, you are more likely to be affected than not!

Be forewarned, this is a lengthy post…but since the GDPR has weighty consequences, it deserves it–and there is no hiding from it!


My Business is US Based so GDPR is Irrelevant

You live in the US, and your business is based in the US. You don’t market to people in other countries. So you may be thinking, understandably so, that you don’t have to worry about GDPR.

Sadly, you would be wrong.

My personal disclaimer: Let me start off by saying, I am not a lawyer. I never even played one on television. So, if after reading this you have legal-type questions, please contact your attorney.

OK, now that that is over with, let’s start off with what GDPR is, because since you probably thought it didn’t affect you, you might have glossed over it.

What is GDPR?

GDPR stands for the General Data Protection Regulation.

It is a law passed by the European Union (EU), but don’t let that stop you—because, believe it or not, it just might impact your business.

(If after reading this post, you want more info, you can go to the European Commission’s Principles of the GDPR.)

Just Whose Data is Being Protected?

OK, so the law is about Data Protection, but what data and whose?

The regulation is intended to protect individuals who live in the European Economic Area (EEA)*.

It gives people some protection and control over what personal information is collected by businesses online, and how it is stored and used.

Notice that we said ‘individuals who live in’ not citizens.

What Data is Protected

“Personal Data” is the term they use, but what does that really mean?

Some things that are protected are fairly obvious, like a person’s name, address, email address, credit card information and the like.

But this regulation also covers things that can identify an individual “indirectly.”

That would be things like a person’s IP address, because an IP address identifies a particular computer or device on a network. IP stands for Internet Protocol, and an IP address is a unique string of numbers. That number is linked to everything you do online. You don’t have control over your IP address, so there’s no need to memorize it.

A person’s IP address, unlike their home address, changes. The address is assigned by your Internet service provider. If you are using a different network (like when you’re surfing the web while waiting for your car to be washed, or checking your email from your remote office, AKA the local coffee shop), you will be assigned a different IP address. Even at home your IP address can, and frequently does, change.

(Click to read more about IP addresses)

Which Businesses Does GDPR Apply to?

The GDPR applies to ‘Data Controllers’ and ‘Data Processors.’

Data Controller: the person or entity that determines whether data will be collected and what data will be collected.

Data Processor: the entity or application that processes or stores the data on behalf of a controller.

Most internet marketers are therefore Data Controllers. Some may also be processors, but most will probably engage other entities or applications as data processors.

My Business is Small, Surely I’m Exempt

Wrong Answer. Size doesn’t matter if you collect or process personal data.

But I Don’t Target Europeans

Unfortunately, your intentions don’t actually seem to matter. This is about the end-user’s location, not you or your business.

Non-EU based businesses are required to comply with the GDPR if that business “collects or processes” any EU residents’ personal data.

I Don’t Charge Anything on My Site, So I’m Good

Wrong, again. There is no requirement under the GDPR that money must change hands.

When Does it Go into Effect?

May 25, 2018

Why is this Happening?

Let’s face it, people are pretty pissed off that some of the big businesses have collected our personal data and abused it.


Those big guys have the staffing, the lawyers, and the bucks to cover their bases. Good for the consumer, but it still leaves smaller businesses with a huge burden to protect people—even though they never abused anyone’s info in the first place.

Penalties and Enforcement

The fines for not complying are pretty hefty: up to 4% of a company’s global turnover. The exact amount would be determined based on how bad the violation was.

How this regulation will be, well, regulated, and enforced is not clear.

What Do I Need to Do to be Compliant?


This regulation may require you to make some significant changes to how you obtain consent, how you collect and store personal data, and your disclosures.

Consent: you must obtain “explicit consent” before you collect personal data from an EU resident. Consent must be voluntary, specific, informed and unambiguous.

That means several things for marketers:

  • You can’t pre-tick boxes for people, or presume that by using your site someone agrees. You must require that they take an action in order to agree.
  • The language has got to be clear and understandable. And it can’t be buried in a bunch of legalese—it needs to actually be separate from other terms and conditions.
  • You must specify what data you are collecting or processing and what will be done with that data.
  • You must identify any third-party controllers or processors that will be using that data.
  • You must explain how a person can later withdraw their consent.
  • You should avoid making consent a precondition of service.
  • You must keep records of the consent (even if this weren’t required, you would want to do this, because it is how you would defend yourself should the need ever arise.)
  • If you will use data for more than one purpose, you must inform the user of each use and allow them to accept or reject each use individually.
  • Parental approval is needed before collecting data on children under the age of 16.
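The checklist above, as an added JavaScript example that is not code from the original post: a minimal consent record in which every box defaults to unticked, each purpose is granted or refused on its own, the wording version and timestamp are kept as the record of consent, and a single purpose can be withdrawn later. The purpose names, NOTICE_VERSION, the visitor id and the dates are constructed for the example; the under-16 rule is not modelled.

```javascript
// Added example, not code from the original post. PURPOSES, NOTICE_VERSION,
// the visitor id and the timestamps are constructed for illustration.

// Each purpose gets its own plain-language description so it can be accepted or
// rejected on its own, rather than bundled into one "I agree to the terms" box.
const PURPOSES = Object.freeze({
  newsletter: "Email you our weekly newsletter",
  analytics: "Measure how you use this site (analytics cookies)",
  retargeting: "Show you our ads on other sites (advertising pixel)",
});

// Version of the consent wording shown to the visitor (constructed value). It is
// stored with every record so you can later show exactly what the person agreed to.
const NOTICE_VERSION = "notice-v1";

// Default form state: every box unticked. Consent must come from a positive action.
function defaultConsentForm() {
  const form = {};
  for (const purpose of Object.keys(PURPOSES)) form[purpose] = false;
  return form;
}

// Guard for the template: refuse to render a form whose default state already
// grants something (a pre-ticked box is not valid consent).
function assertNoPretickedBoxes(form) {
  const preticked = Object.keys(form).filter((purpose) => form[purpose] === true);
  if (preticked.length > 0) {
    throw new Error("consent boxes must default to unticked: " + preticked.join(", "));
  }
  return true;
}

// Turn a submitted form into a consent record. Only boxes the visitor actively
// ticked count as granted; a purpose missing from the submission is refused.
function recordConsent(visitorId, submitted, now = new Date()) {
  const purposes = {};
  for (const purpose of Object.keys(PURPOSES)) {
    purposes[purpose] = submitted[purpose] === true;
  }
  return {
    visitorId,
    noticeVersion: NOTICE_VERSION,
    purposes,
    // Audit trail: one entry per grant or withdrawal, so consent can be evidenced.
    history: [{ at: now.toISOString(), action: "granted", purposes: { ...purposes } }],
  };
}

// Withdrawal works one purpose at a time and leaves the other purposes untouched.
function withdrawConsent(record, purpose, now = new Date()) {
  if (!(purpose in PURPOSES)) throw new Error("unknown purpose: " + purpose);
  record.purposes[purpose] = false;
  record.history.push({
    at: now.toISOString(),
    action: "withdrawn",
    purposes: { [purpose]: false },
  });
  return record;
}

// The check to run before any processing for a purpose: no record, or a purpose
// that was refused or withdrawn, means no processing.
function mayProcess(record, purpose) {
  return record !== undefined && record !== null && record.purposes[purpose] === true;
}

// Walk-through on a constructed visitor who ticked newsletter and analytics but
// not retargeting, then withdrew the newsletter consent a week later.
function demo() {
  assertNoPretickedBoxes(defaultConsentForm());
  const record = recordConsent(
    "visitor-123",
    { newsletter: true, analytics: true },
    new Date("2018-05-25T09:00:00Z")
  );
  withdrawConsent(record, "newsletter", new Date("2018-06-01T12:00:00Z"));
  return record;
}

console.log(JSON.stringify(demo(), null, 2));
```

The record never stores a purpose the visitor did not tick, so a newly added purpose in PURPOSES shows up as refused for everyone until they are asked again, which is the behaviour you want when the uses of the data change.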

What Data Do You Collect?


Start by figuring out what data you actually collect.

Ex: Names, email address, IP address, mailing address, payment info

Where did that data come from?

Ex: an opt-in form, Google Analytics, a comment area, a contact us page

Do you share that data with anyone?

Ex: email client, credit card processing company, website hosting company, a cloud storage server, a company that you are an affiliate for, a company that serves up personalized content (such as retargeting ads) on your website

Do you currently have any data on an EEA resident?

If you do, did you get ‘explicit consent’ or do you need to do that now?

Change Your Privacy Policy

Make sure your privacy policy is up to date and addresses the GDPR. You have probably been getting a lot of emails from businesses about their updated privacy policies. You might take a look at those to see how they are handling it.

In the privacy policy you should disclose the data you collect and how it is used, and if you share it with anyone. Also include how a person can rescind their permission.

Keep in mind, the privacy policy is important, but it is NOT in place of getting informed consent.

Change How You Get Consent

Once you know what data you collect and how it is used, you can now create forms, opt-in boxes, etc., that lay it all out.

Allow the user to check one, several, all, or none of the boxes giving consent accordingly.

Be Sure to Check These Easily Overlooked Areas of Your Site/Business

Analytics: Most marketers use some sort of analytics in order to determine where their traffic is coming from, and how well their efforts are working. The GDPR doesn’t mean that you cannot do this, but you may have to make a few tweaks to your collection.

GDPR cookie consent example

You can make the data anonymous (including not tracking IP addresses) before it is stored or processed.

OR you can add an overlay to the site that 1) gives notice that your site uses cookies, 2) what the cookies are used for and 3) requires the user to take an action to give consent prior to entering your site.

Here is an example of an overlay that gives informed consent about the use of cookies. This example is from the UK Information Commissioner’s Office’s page of GDPR FAQs for small organisations (sic).
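The first option above (making the data anonymous before it is stored), as an added JavaScript example that is not code from the original post or from any analytics product: an IP address is truncated before the analytics event is written anywhere. Keeping the first 24 bits of an IPv4 address and the first 48 bits of an IPv6 address is a design choice assumed here, not a rule from the post, and the sample event is constructed.

```javascript
// Added example, not code from the original post. The truncation widths (keep
// 24 bits of an IPv4 address, 48 bits of an IPv6 address) are an assumption made
// here for illustration; the sample analytics event below is constructed.

// IPv4: validate the dotted quad, then zero the last octet.
function anonymizeIPv4(ip) {
  const octets = ip.split(".");
  const valid =
    octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error("invalid IPv4 address: " + ip);
  return octets.slice(0, 3).join(".") + ".0";
}

// Expand "::" shorthand into eight 16-bit groups so truncation is unambiguous.
function expandIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6 address: " + ip);
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const tail = halves.length === 2 && halves[1] !== "" ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  const compressed = halves.length === 2;
  if (missing < 0 || (!compressed && missing !== 0)) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  const groups = head.concat(new Array(missing).fill("0"), tail);
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  return groups.map((g) => parseInt(g, 16));
}

// IPv6: keep the first three groups (48 bits) and zero the remaining five.
function anonymizeIPv6(ip) {
  const groups = expandIPv6(ip);
  return groups.slice(0, 3).map((g) => g.toString(16)).join(":") + "::";
}

// Dispatch on address family. Anything that is not a plain IPv4 or IPv6 literal
// (including IPv4-mapped forms such as ::ffff:1.2.3.4) is rejected rather than
// stored untouched, which is the safe failure mode for an anonymization step.
function anonymizeIP(ip) {
  return ip.includes(":") ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Apply the truncation to an analytics event before it is written anywhere. The
// returned object is a copy; the original full address is not carried over.
function anonymizeEvent(event) {
  const { ip, ...rest } = event;
  return { ...rest, ip: anonymizeIP(ip), ipAnonymized: true };
}

// Constructed sample event (the address is from the 203.0.113.0/24 documentation range).
const SAMPLE_EVENT = {
  at: "2018-05-25T09:00:00Z",
  page: "/blog/gdpr",
  ip: "203.0.113.57",
  userAgent: "Mozilla/5.0 (constructed)",
};

function demo() {
  return anonymizeEvent(SAMPLE_EVENT);
}

console.log(JSON.stringify(demo()));
```

Truncating in the collection path, rather than in a later clean-up job, matters because a full address that has already been written to a log or a database has already been stored, which is exactly what this option is meant to avoid.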

Tracking Pixels, Retargeting Ads: If you use retargeting ads, you must inform users when they enter your site and obtain informed consent before they enter your site. This includes using Facebook’s tracking pixel.

Sponsored or Guest Content: anyone who publishes content (editorial or advertising) on your site must also be GDPR compliant. So check it out before you publish.

Email Lists: Have a checkbox (unticked) that the visitor must check to indicate consent. Your opt-in form may have several checkboxes.

If you use tracking pixels in your email campaigns (commonly used to see if/when someone opens an email) you must list that expressly before they subscribe to your list.

Your email service provider should give you the tools you need in order for your emails to be GDPR compliant—but it will be up to you to use the tools.

Affiliate Links: Get consent for cookies—it can be on a post, a page, or an overlay, but it must be before a website visitor clicks the actual affiliate link.

Display Ads: If your site displays ads from a third party, you must get consent from site visitors immediately—before they actually enter your site. The consent might be that this third party is collecting data for advertising and marketing purposes, but if they gather data for more personalized targeting that should be specified.


Contact Forms: Hey, we think it should be self-evident that if a person is requesting you contact them that they are giving permission for you to collect their data. But, apparently it isn’t. Are you storing the data? How will it be used? What data are you collecting and why? Bottom line, include the disclaimer and get explicit consent.

Website Plugins: If your website uses plugins, it is your responsibility to ensure that the plugin developers are also GDPR compliant. The good news is that WordPress.org’s guidelines prohibit approved plugins (on the WordPress.org directory) from tracking users without their clear consent. Keep in mind however, that just because a plugin WAS on the directory when you installed it, it doesn’t mean that it STILL is.

Webinars: If you are a guest on a webinar or other web-based event, be sure that your host is using GDPR compliant tools. If you are the host, and you share your data with a guest, you must ensure that the guest is GDPR compliant.

Live Events: GDPR is not strictly for web events. If you attend a live event and collect data, you still must follow the GDPR.

Other Marketing Efforts: do you have or buy a list for mailing, phoning, or email marketing? Those all fall under the jurisdiction of the GDPR as well.

Security: Keep in mind that everything you have done to protect data in the past is also affected by the GDPR. This includes, but is not limited to, off-line storage (do you back up to a different hard drive, or to a thumb drive or CD?), malware protection software, cyber security software…

Help Managing GDPR

There are some checklists that can help you make sure you are in compliance, and if not, the steps you need to take in order to get there. Check out the ones at ICO.org.uk, and you might also want to look at their “12 steps to take now” guide.

Plugins: There are WordPress plugins that are touted as being able to help businesses manage data and be GDPR compliant. We are not, at this time, vouching for any specifically.

Email: contact your email service provider to be sure they offer the tools you need

Hosting company: check with your webhost to be sure they are GDPR compliant

Forms: if you use any kind of forms, check with that provider to be sure they are GDPR compliant

Storage: where do you store data? Is it GDPR compliant?

Final Thoughts on GDPR


Quick recap: any business, even those based in the USA, must obtain explicit consent from any resident of the EEA prior to collecting any data that could identify them, either directly or indirectly.

Although the GDPR is an EU regulation, it wouldn’t surprise us if something similar comes down from other countries. So, if you decide you are not going to protect data now, you may be required to do so in the future.

We pulled information from a variety of sources for this post in order to better understand the ramifications of the GDPR for us, our clients, and readers. This is not necessarily the ‘final word’ on the topic, and there are many other sources of information that may provide similar info and advice—or advice that contradicts our conclusions. We cannot tell every business owner what is right for their business; this is general information that should help you make an informed decision about what your next step(s) should be.

*Residents of the following countries are covered by the GDPR. The EEA includes all countries in the EU (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK—at least for now), and also includes Norway, Iceland, and Liechtenstein. Whether Switzerland’s residents are covered is unclear.

Map of the European Economic Area from Wikipedia

Facebook Moves to Block Fake News

New Facebook Update Expected July 17 will Affect Your Ability to Edit Posts–But is that the Right Answer?


In late June, Facebook announced they were taking steps to make it more difficult to edit what readers see in the “preview windows”. In reality, this ‘preview’ is all that many people actually do see.

And there is the underlying problem. Many, if not most professional “publishers”–the loose term given to anyone who posts content on the internet–make changes to the headlines and descriptions.

Why do we do this? Because we want people to click on our post. We want people to be so moved by what they see, they click it and “read all about it”–on our site, rather than the competition’s.

Some publishers are really good at writing compelling copy that results in lots of people looking at their websites.

  • NASA runs a child-slave colony on Mars!
  • Photos taken by a Chinese orbiter reveal an alien settlement on the moon!
  • Shape-shifting reptilian extraterrestrials that can control human minds are running the U.S. government!

The above are some of the headlines that have been purported as truth in the media. (Thanks to Scientific American for these.)

So what is the problem with allowing people to edit the headlines and description?

Most people just want you to click on their site, but are not intending to pass off false information. There are more nefarious types out there though whose main goal is to make you believe things that are just not true.

Fake News cartoon by Frederick Burr Opper

This isn’t anything new. As the image above shows, Fake News has been an issue for a lot longer than Facebook or the Internet. The image is a portion of an illustration of reporters with “fake news” dating to 1894 by Frederick Burr Opper.

There are more examples of fake news being propagated throughout history in this article by Scientific American.

Now, it may be that the headline and description are merely provocative, and if you were to read the actual post it would not be ‘fake news.’ The problem is that, as we mentioned earlier, most readers don’t bother to click and read more. They actually believe the headlines and descriptions, and share that information as if it were the wisdom of the ages.

After all, if we read it online it must be true. Right? Not right? Really?

Our goal is to support publisher workflows and app functionality, while limiting malicious misrepresentations of underlying link content. As content customization evolves we continue to work closely with our partners to support the best tools for sharing links on Facebook.

Even though Facebook is attempting to clean up the information stream that they control, it is still smart to question anything that you see online. Even if it is “everywhere”–probably even more so if it is everywhere!

Facebook of course is not the only entity facing this issue. Most of the social media outlets are looking at their policies, and trying to determine how much policing they should, or want to do.

Fake News is News Worthy!

PolitiFact is actually covering Fake News as a newsworthy topic!

There’s an interesting discussion happening now about the spread of fake news on the Internet and what companies like Facebook, Google and Twitter, among others, should do to stop it. That’s a healthy conversation to have, and one we hope continues in the weeks and months ahead. But that doesn’t mean we can’t do something now. Here at PolitiFact, we’re beefing up our coverage of fake news to help our readers better sort out fact from fiction on their social media feeds. The claims can be about anything — politics, entertainment, a fishy-sounding medical cure.

There is no 100% foolproof way to verify that what you are reading is the truth. Reading the real article and not the “cliff notes” version is a good start. Be willing to read and engage your brain. Rather than having a knee-jerk reaction and sharing everything you see, pause, take a deep breath.

Let us take a little bit of responsibility for what we believe. Maybe we’re being unkind. Scientific American, in their article How Fake News Goes Viral, says that maybe we aren’t just super gullible. It could be that we are just overwhelmed with information.

“If you live in a world where you are bombarded with junk—even if you’re good at discriminating—you’re only seeing a portion of what’s out there, so you still may share misinformation,” explains computer scientist Filippo Menczer of Indiana University Bloomington.

But, even SA admits that the solution may rest on the shoulders of the readers. At least, that is what they said in February: The Ultimate Cure for the Fake News Epidemic Will Be More Skeptical Readers. Despite computer algorithms, we have to be more discerning.

And in the words of the poet Mary Ann Pietzker, ask yourself, “Is it True? Is it Necessary? Is it Kind?”

In an example of the internet getting it wrong, this quote has been claimed, with some slight variations, to be the words of Buddha, of Sai Baba, and an ancient Arabian Proverb. No doubt there are others who have claimed the words, or attributed them to someone else entirely!


Thanks to Facebook, Scientific American, and PolitiFact for providing us with just the facts, ma’am.

Image of the special Fake News keyboard credited to Peter Dazeley/Getty Images; it appears on Scientific American in their article “How Fake News Goes Viral—Here’s the Math”.

Read more about Fake News on Scientific American: