What You Need to do to Comply with GDPR
What is GDPR?
GDPR stands for General Data Protection Regulation – a personal data privacy regulation going into effect in the European Union on May 25, 2018.
Do I need to pay attention to all of this?
Yes, chances are there are visitors to your website that live outside of the United States. Plus, it’s more than likely that the U.S. will follow suit with stricter data privacy regulations in the near future.
What if my website does not collect data?
All websites collect data, even if it’s anonymous. At minimum your site probably tracks a user’s IP address if you have any kind of analytics or security installed. Some track users by placing anonymous cookies into the user’s browser.
Okay, so what do I do?
- Who you are: the legal name of your business and its physical location.
- Ways to contact you.
- How you collect user data. Even if you don’t have any form on your site, it collects data in the background (especially if you use any type of advertising or analytics, including the Facebook pixel, Google AdSense, or Google Analytics).
- Why you collect the user’s data, what you do with it, and how you use it.
- How a user can opt-out of giving you their data.
- How a user can opt-out of being on your email list.
- How a user can access, view, and edit their own data in a timely manner.
- How a user can delete their personal data from your website.
- How long you will keep their data for both active and inactive accounts.
- A statement saying you will not knowingly collect personal data from any minor under the age of 16.
Cookies are pieces of data that are dropped from the website into the browser to keep track of a user.
Mailing List Signups
You are no longer allowed to “automatically” sign up users for an email list without explicit consent. That means if they’re registering for your website, you cannot have the box checked by default for “Sign up for our mailing list.” If you have an incentive you give for signing up for an email list, you should give the user a way to get the incentive without requiring them to sign up for the list. If that defeats the freebie’s purpose, then make sure you make it clear that they are SIGNING UP FOR YOUR MAILING LIST as the prominent call to action, and also getting a bonus to do so.
Some companies are going so far as to email all of their subscribers specifically for the purpose of letting them opt out, with no additional marketing or messages.
If you use MailChimp for your email newsletter or marketing, please read their blog post on how to comply with GDPR within their system.
If your website is hacked and you store user data in your database, you must inform the affected users within 72 hours of the breach.