GDPR and You

You may or may not be aware, but May 25, 2018 was the date that GDPR went into effect! I recently sent the following information and resources to my clients, but thought it might be helpful to post it here as well. Don’t have too much fun with it 🙂 :

What is GDPR? General Data Protection Regulation. It’s a new European Union regulation governing how organizations collect, store and use the personal data of people in the E.U., including what websites must disclose to their visitors about that data. It applies to any site that processes the personal data of people in the E.U., regardless of where the website is based.

Does this apply to me in the US? Very likely YES. GDPR reaches sites outside the E.U. that monitor the behavior of people in the E.U., and that is exactly what Google Analytics does: European visitors can still access your site, and the analytics data collected about them is covered.

What should I do? I am not a lawyer and cannot make legal recommendations for you or your business. That said, GDPR should be taken seriously and there are a few steps you can take.

First, make sure you have a privacy policy publicly available on your site. This policy should be written in plain language and should address:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

This article will give you more information.

Second, changes to Google Analytics. Google likely sent you an email recently about accepting the updated data processing terms for Google Analytics, which were changed to help it comply with GDPR. It asks all account owners to take some steps to “accept” the terms and update their company and contact information, so you should do these things. (A copy of the email can be read here if you can’t find it in your inbox.)

Important to note is a change to data retention. By default, all user-level and event-level data older than 26 months will now be deleted (aggregated reports are not affected). You can change this retention period, but the default is there for GDPR compliance.

The best plan with Google Analytics is to make sure you are collecting zero information that can be connected back to an individual. Articles I’ve read are a bit hazy still on what this means. If you are using the User ID feature to connect multiple sessions with the same user, you would be best served to turn this off: it deliberately links a person’s activity across visits, and without that person’s consent it is hard to justify under GDPR. If you want to continue using this feature, you would need to update your site so that the user is specifically asked to opt in to tracking before anything is sent to Google Analytics. If you’re hoping to go this route, it would be best to involve legal counsel. The easiest route is to turn off User ID tracking.

Additionally, for my clients using WordPress and the MonsterInsights plugin to handle Google Analytics, I recommend going into Settings, choosing Demographics and enabling Anonymize IP addresses. This anonymizes IP addresses for all site visitors: IP addresses count as personal data under GDPR, so collecting them in full needs a lawful basis, and with this setting Google drops the last octet of each IPv4 address (the last 80 bits of an IPv6 address) before the hit is stored.

For further compliance, I recommend buying the PRO version of the MonsterInsights Google Analytics plugin, which includes an EU Compliance add-on. With this add-on, you can include pop-ups and other opt-in/opt-out options for data collection. The Basic PRO version costs $39 per year.
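The opt-in flow described above, written out as an added example (this is not code from the post, from Google, or from MonsterInsights): a small consent gate in front of the analytics.js `ga()` function that creates no tracker and sends nothing until the visitor has explicitly opted in, always requests IP anonymization, and never sets a User ID. The tracking ID, the consent cookie name and the recording stand-in for `window.ga` are assumptions for illustration.

```javascript
// Added example, not code from the post or from MonsterInsights: a consent gate
// for Google Analytics (analytics.js). Nothing is sent to Google until the visitor
// has explicitly opted in, IP anonymization is always requested, and no User ID
// is ever set. Placeholders: TRACKING_ID (your GA property) and CONSENT_COOKIE
// (the cookie your opt-in banner writes); both are assumptions for illustration.

const TRACKING_ID = 'UA-XXXXXXXX-1';        // placeholder property ID
const CONSENT_COOKIE = 'analytics_consent'; // assumed cookie name
const ONE_YEAR = 60 * 60 * 24 * 365;

// Opt-in must be explicit: only a stored "yes" counts. An absent cookie or a
// "no" means no tracking, the analytics equivalent of "no pre-checked boxes".
function hasAnalyticsConsent(cookieString) {
  return cookieString
    .split(';')
    .map((c) => c.trim())
    .some((c) => c === `${CONSENT_COOKIE}=yes`);
}

// The analytics.js commands for this visitor. Without consent the list is empty,
// so no tracker is created and no hit (not even a pageview) leaves the browser.
// With consent, anonymizeIp makes Google zero the last octet of IPv4 addresses
// (the last 80 bits of IPv6) before the hit is stored. There is deliberately no
// ['set', 'userId', ...] command: User ID ties sessions back to one person.
function analyticsCommands(consented) {
  if (!consented) return [];
  return [
    ['create', TRACKING_ID, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Feed the commands to ga(). In the page this is
// initAnalytics(document.cookie, window.ga), called after the standard
// analytics.js snippet has defined ga(). Returns the number of commands issued.
function initAnalytics(cookieString, ga) {
  const commands = analyticsCommands(hasAnalyticsConsent(cookieString));
  for (const cmd of commands) ga(...cmd);
  return commands.length;
}

// Handler for the banner's "Accept" button: persist the choice, then start
// tracking for the current page view. `doc` is `document` in the browser.
function onAcceptAnalytics(doc, ga) {
  doc.cookie = `${CONSENT_COOKIE}=yes; max-age=${ONE_YEAR}; path=/; SameSite=Lax`;
  return initAnalytics(doc.cookie, ga);
}

// Recording stand-in for window.ga, used to check the behaviour offline.
function recordingGa() {
  const calls = [];
  const ga = (...args) => { calls.push(args); };
  ga.calls = calls;
  return ga;
}
```

The important design choice is that consent is checked before the `create` command, not just before `send`: creating a tracker is enough for analytics.js to set its `_ga` client-ID cookie, so gating only the pageview would still leave an identifier on the visitor's machine. If a visitor later withdraws consent, the same cookie name is the one to clear.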

Third, this may also impact how you collect emails for newsletter lists etc. MailChimp now has “GDPR compliant” fields. Basically, you can no longer opt people in by default; instead they should have to take action to opt in, rather than having to take action to opt out (i.e. no more pre-checked opt-in boxes). Additionally, when signing up for your newsletter, they should be told how the data will be used. Here’s a how-to on MailChimp for some new features they’ve added to make it easier to make your forms GDPR compliant. I would recommend at minimum including a link to your privacy policy and a statement about it whenever someone signs up.

Also: you need to send a person a copy of any data you hold about them when they request it, and you need to delete their data from all of your systems at their request unless you have a legal reason to keep it. GDPR gives you one month to respond to either request (extendable for complex cases, but you have to tell the person why).

Here are some other important articles:

GDPR for eCommerce

5 Actionable Steps for GDPR Compliance with Google Analytics

Your risk may not be very high since I would assume you have very, very few European site visitors or customers. That said, some of these changes are easy to make and it is in your best interest to do so. I’ve read that GDPR will be strictly enforced for both large AND small businesses.

Again, I am not a lawyer and cannot tell you exactly what is or is not compliant with GDPR. If, however, you want help updating the MonsterInsights plugin, adding the Privacy Policy link to your footer etc., let me know.

Here’s hoping you got through this! (whew!)