What is GDPR? 
GDPR stands for General Data Protection Regulation – a personal data privacy regulation going into effect in the European Union on May 25, 2018.

Do I need to pay attention to all of this?
Yes, chances are there are visitors to your website that live outside of the United States. Plus, it’s more than likely that the U.S. will follow suit with stricter data privacy regulations in the near future.

What if my website does not collect data?
All websites collect data, even if it’s anonymous. At minimum your site probably tracks a user’s IP address if you have any kind of analytics or security installed. Some track users by placing anonymous cookies into the user’s browser.

Okay, so what do I do?
First, you’ll want to create a Privacy Policy for your website, if you don’t already have one. Prior to creating one, do a full data audit of how you collect user information on your website. Any place there is a registration, contact form, email signup, or advertising/analytics integration.

The privacy policy should be easy to access and prominently displayed. The privacy policy should be concise and easy to understand for the average internet user. It should state:

  • Who you are, the legal name of your business and its physical location
  • Ways to contact you
  • How you collect user data. Even if you don’t have any form on your site, it collects data in the background (especially if you use any type of advertising or analytics including Facebook (pixel), Google Adsense, or Google Analytics
  • Why you collect the user’s data, what you do with it, and how you use it.
  • How a user can opt-out of giving you their data.
  • How a user can opt-out of being on your email list.
  • How a user can access, view, and edit their own data in a timely manner.
  • How a user can delete their personal data from your website.
  • How long you will keep their data for both active and inactive accounts.
  • A statement saying you will not knowingly collect personal data from any minor under the age of 16.
  • How and why your website uses cookies.

How do I know if my website uses cookies?
Cookies are pieces of data that dropped from the website to the browser to keep track of a user.

The best way to tell if your website uses cookies is to use a secondary browser (not the one you normally use). Go to your website. If there’s registration, register. Then go to your browser’s preferences and view your cookies. Search for your website and see if any cookies were dropped.

 

You’ve probably seen the popups saying that a site uses cookies and by using the site you specifically consent to this. You’ll also need this, at least for your EU visitors, so that they can consent to having cookies dropped from your website.

Mailing List Signups
You are no longer allowed to “automatically” sign up users for an email list without explicit consent. That means if they’re registering for your website, you cannot have the box checked by default for “Sign up for our mailing list.” If you have an incentive you give for signing up for an email list, you should give the user a way to get the incentive without requiring them to sign up for the list. If that defeats the freebie’s purpose, then make sure you make it clear that they are SIGNING UP FOR YOUR MAILING LIST as the prominent call to action, and also getting a bonus to do so.

Some companies are going as far as to emailing all of their subscribers, specifically for the purpose of letting them opt-out, with no additional marketing or messages.

If you use MailChimp for your email newsletter or marketing, please read their blogpost on how to comply with GDPR within their system.

Data Breaches
If your website is hacked and you’re storing user data in your database, you must inform the users within 72 hours of the breach.

More Questions?
Contact Moss Web Works if you have any other questions about GDPR or need help completing your data audit and implementing a privacy policy.