Okay, you guys. Let’s talk General Data Protection Regulation (GDPR). The idea of GDPR is a good thing: its purpose is to protect people in the European Union from privacy and data breaches, and it goes into effect on May 25, 2018. This is a major thing for companies everywhere, since it applies to anyone processing the personal data of people residing in the EU, regardless of where the company is actually located. In other words, if you’re based in Puerto Rico and you sell an online product to people in Germany (or any other member of the EU), you need to be compliant. Or else you can get fined. And fines = not fun.
In this post, I want to cover some of the common things most of y’all (meaning our target audience, which is bloggers, photographers, and small business owners) will want to consider. Note though, that if you aren’t making any money off your blog or website, you probably will be ok not doing anything.
*Super Important Disclaimer: the information provided in this post is not legal advice or even a legal description of GDPR, but rather a quick snapshot from a layperson. For legal advice, please consult a lawyer.
Also, please note that there is a lot of conflicting information out there regarding what is required to become GDPR compliant, and even how GDPR is interpreted. The purpose of this post is just to provide you with some practical advice to help you along.
Pay Attention To: How You Collect Subscribers For Your Email List, And What You Do With Them
If you are collecting emails on your website via an email marketing platform like Mailchimp or ConvertKit, you need to pay attention, especially if you’re a shady scumbag that uses shady scumbag tricks to get people to opt-in to your email list. Here are some things you can’t do if you want to be GDPR compliant:
- Automatically subscribing someone to your email list when they give you their contact information. Let’s say you make a purchase from my website. I can’t automatically subscribe you to my general email list. I would need to ask you to opt-in first.
- Passive opt-in: Let’s say you give your people the choice to opt-in. You can’t have the box pre-checked for them, by default, or hidden in a bunch of terminology.
You also can’t use purchased or scraped email lists to get in touch with people who have never heard of you or your business before.
Transparency is key here, and you should think on a granular level. You need to tell people exactly what you plan to do with their email address if they give it to you. Plan on sending them a freebie and subscribing them to your general mailing list? Cool, but you need to give them a separate option (e.g. a checkbox that is NOT pre-checked) to consent to each of those things. Here is an example:
If they don’t check that box (and they’re in the EU), you can’t email them for any other purpose except sending that PDF. Really, this is a good thing because it promotes trust between you and those signing up for your list.
What You Need To Do: review the opt-in forms you have placed on your site; ensure passive opt-in techniques are not employed
Pay Attention To: EU People Who Are Already Subscribed To Your Email List
If you have people who reside in the European Union on your email list and they didn’t opt-in to receive your emails in the way described above, you need to take action.
If your email marketing service has a way to segment by location (check with them!!), you can separate EU subscribers from non-EU peeps. From there, you can either A) delete the EU subscribers or B) run a re-engagement campaign and ask them to opt-in again. If they don’t opt in again, you gotta delete them.
What You Need To Do: find your EU subscribers and either delete them or get them to opt-in again
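As an added example (not from the post), here is what the granular opt-in from the previous section and the EU re-consent check from this one look like when consent is stored as data rather than assumed. The form field name `newsletter_consent` and the country codes supplied by the list provider are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each purpose gets its own consent record (granular consent, no bundling).
PURPOSE_FREEBIE = "freebie"        # send the PDF they asked for
PURPOSE_NEWSLETTER = "newsletter"  # general mailing list

# EU member states as of May 2018 (ISO 3166-1 alpha-2 codes).
EU_COUNTRIES = frozenset("""AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV
                            LT LU MT NL PL PT RO SK SI ES SE GB""".split())


@dataclass
class Subscriber:
    email: str
    country: str                                   # as stored by the list provider
    consents: dict = field(default_factory=dict)   # purpose -> UTC timestamp of opt-in


def handle_signup(form: dict, country: str, now: datetime = None) -> Subscriber:
    """Turn a submitted freebie form (hypothetical field names) into a record.

    Asking for the PDF is consent to receive the PDF, nothing more. The general
    list is joined only if the 'newsletter_consent' box was actively ticked: a
    browser omits an unticked checkbox entirely, so a missing field means 'no'.
    Never default this to True; that is the pre-checked box in code form.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    sub = Subscriber(email=form["email"].strip().lower(), country=country)
    sub.consents[PURPOSE_FREEBIE] = ts
    if form.get("newsletter_consent") == "on":
        sub.consents[PURPOSE_NEWSLETTER] = ts
    return sub


def may_email(sub: Subscriber, purpose: str) -> bool:
    """Check for a recorded opt-in for this exact purpose before sending."""
    return purpose in sub.consents


def needs_reconsent(general_list: list) -> list:
    """EU residents on the general list with no recorded newsletter opt-in:
    re-permission campaign candidates, deleted if they don't opt in again."""
    return [s for s in general_list
            if s.country in EU_COUNTRIES and PURPOSE_NEWSLETTER not in s.consents]


if __name__ == "__main__":
    # Constructed sample: one new signup plus two legacy imports with no consent records.
    new = handle_signup({"email": "Ana@Example.com", "newsletter_consent": "on"}, "DE")
    legacy = [Subscriber("old1@example.com", "IT"), Subscriber("old2@example.com", "US")]
    print([s.email for s in needs_reconsent([new] + legacy)])  # ['old1@example.com']
```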
Pay Attention To: Giving Your Email Subscribers A Way To Opt-Out
If you’re using one of the aforementioned email marketing services, this isn’t a problem. Most of them have a built-in unsubscribe link that automatically goes out with every email you send to the people on your list. But you might wanna double check!
What You Need To Do: ensure every marketing email you send out has the option for the recipient to unsubscribe
Pay Attention To: Your Contact Forms
In general, you’ll want to keep your contact forms privacy-friendly. Collect as little personal information as you can get by with and still do your job properly. What else? Let’s break it down a little further (I’ll be using this great, logical interpretation as a guide).
Let’s say you have a general contact form on your website. This form is typically used for people who have pre-sales questions about your product or service. When they submit a form, you respond to them one-on-one via email or phone. Once your conversation is done, it’s a wrap. You don’t do anything else with their contact or personal information.
If that’s the case, then you should be good to go.
However, if after that conversation, you turn around and subscribe them to your email marketing list without their consent, that’s a major no-no and a violation of GDPR regulations. Also, if you store your contact form entries on your website/within your database, you need to either stop doing that OR include that note in your privacy policy, and make sure EU people consent to that before sending the form in. (This sounds like a pain but in practice probably isn’t too difficult. Contact Form 7 already has a way to add in an acceptance checkbox, for example.)
What You Need To Do: if contact form entries are stored, you must notify the sender of the form and get their consent before they hit the send button. If you automatically subscribe form senders to your email marketing list, stop doing this — you need to get their consent for this first
Pay Attention To: Giving Users A Way To Delete Their Account (And Any Personal Information Associated With It)
So, there are a variety of scenarios in which you may allow people to register for an account on your website. For example, maybe you run a membership website that requires people to have an account to view your content. Or maybe you allow customers to create an account when they purchase a product (many websites running WooCommerce do). You need to give users a way to delete their account if they choose. You can do this with a plugin like Delete Me (I haven’t tested this one yet, FYI), or have a line in your privacy policy that users can contact you to complete this request. You also need to let users access the data you’ve collected on them and provide it to them in an easy-to-view way.
What You Need To Do: Give users a way to automatically delete or request their account be deleted; be able to provide the user with any info you’ve collected on them
Pay Attention To: Blog Comments
If you have a blog and comments are enabled, GDPR applies to this too (kinda crazy, huh?). If you’re using WordPress’s default comments, the WordPress core team is working on making the form more GDPR-friendly, so keep an eye out for that update and make sure you do the latest WordPress core update when it becomes available. If you’re using a comments plugin, make sure it is GDPR compliant.
What You Need To Do: likely nothing, as WordPress itself is working on adding the proper opt-in areas to comment forms. Make sure you stay up to date with the latest version of WordPress!
Pay Attention To: Your Analytics
If you have Google Analytics installed on your website, or any other software that tracks and collects similar information, this applies to you. Under GDPR, an IP address is considered personal information. IP addresses are collected by Google, but they aren’t exposed in reporting. So, do you need to do anything? For now, it’s best to turn on the IP anonymization feature available to you. You can do this within Google Analytics, or if you’re using a plugin (I like this one, it should be in the settings area).
There is some debate going around regarding if you need to do anything else, like get consent from people before you even track them in the first place. I can’t answer this for certain. I suggest researching it further or consulting legal counsel if you are concerned!
What You Need To Do: at minimum, turn on IP anonymization for Google Analytics
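To make the "IP anonymization" setting concrete, here is an added example (not from the post) that applies the same truncation Google documents for that feature, zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, to your own server logs before they are stored. The log line format and addresses are constructed sample data.

```python
import ipaddress

# Prefix lengths Google documents for its IP anonymization feature:
# IPv4 keeps 24 bits (last octet zeroed), IPv6 keeps 48 bits (last 80 bits zeroed).
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(addr: str) -> str:
    """Truncate an address before it is stored, so what you keep is a
    neighbourhood-sized block rather than one household or device."""
    ip = ipaddress.ip_address(addr)
    network = ipaddress.ip_network(f"{ip}/{KEEP_BITS[ip.version]}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite the client address in a constructed 'ip - - [time] request' log line."""
    ip, sep, rest = line.partition(" ")
    return anonymize_ip(ip) + sep + rest


def distinct_clients(lines) -> int:
    """How many separate visitors the stored lines can still tell apart."""
    return len({line.split(" ", 1)[0] for line in lines})


# Constructed sample log: three visitors, two of them sharing one /24.
SAMPLE_LOG = [
    '203.0.113.17 - - [25/May/2018:09:00:01 +0000] "GET /blog/ HTTP/1.1" 200',
    '203.0.113.42 - - [25/May/2018:09:00:07 +0000] "GET /contact/ HTTP/1.1" 200',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:09:01:12 +0000] "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    before = distinct_clients(SAMPLE_LOG)
    after = distinct_clients([anonymize_log_line(line) for line in SAMPLE_LOG])
    print(before, after)  # 3 2
```

Note that truncation reduces, rather than removes, the ability to single people out: two visitors in the same /24 collapse into one, but a visitor alone in a block is still distinguishable.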
Pay Attention To: Your Privacy Policy
If you don’t have a privacy policy yet, it’s time to make one! If you already have one, some updates may be required. Your policy should clearly and concisely answer these questions:
- What information is being collected?
- Who is collecting it?
- How is it being collected?
- Why is it being collected?
- How long will it be stored?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
What You Need To Do: update your privacy policy to cover the above points
Pay Attention To: Your Plugins & APIs
If you’re running a WordPress site and have plugins installed (which you probably do), you need to figure out if any of those plugins are storing personal information and how exactly they’re doing that. Most popular big name plugins should already be at least on their way to becoming GDPR compliant, so make sure you keep your plugins up to date and are running the latest version! In your privacy policy, you should add the plugin to the list of 3rd parties that collect personal information. Check with the plugin developer or their support page on WordPress for the latest updates on GDPR compliance as it relates to their plugin.
An API is an application programming interface. It’s basically a piece of code that allows someone to access external sources without leaving your website. Wait, what? It kind of connects your website to the outside world. For example, if you have an Instagram feed displayed on your website, it uses an API. You should know what APIs you use, what data is sent to them, and whether each API is GDPR compliant. Unless you’re doing crazy stuff on your site, APIs are generally only added by plugins. So, again, stay up-to-date and in-the-know when it comes to what plugins you’re running.
What You Need To Do: conduct a plugin/API audit (good to do anyway!); if one of these processes personal information, make sure it’s a reliable plugin that is GDPR-friendly, add it to the list of 3rd parties that can access user data in your privacy policy
And Now… A Deep Breath
Got a headache yet? I wouldn’t blame you if you do! Even though you, as the website owner, are responsible for ensuring your stuff is GDPR compliant, you don’t have to do it all on your own. For example, most email marketing services have already implemented an easy way to add those checkboxes to your forms that are necessary for GDPR-friendly consent. Likewise, most plugin developers are working toward making their developments GDPR-friendly too. This means that you don’t need to find a way to code in a special consent checkbox. Most plugins that are worth your time should have this built right in, either as a current feature or as one coming soon.