You might have heard of this thing called GDPR . . . if not, here’s the lowdown. The General Data Protection Regulation, or GDPR, is an EU law that went into effect on May 25, 2018. GDPR requires all website owners who store or use data on people inside the European Union to give the user control of their personal data (including name and email address). It also forces businesses to be upfront about the way they collect, store, and process this data. Any website that isn’t GDPR-compliant may face penalties or fines.
Ah, so that’s why your inbox has been clogged with privacy policy update notices!
What does this mean to small, U.S.-based businesses?
Since many of my website clients are small or solo businesses based in the United States, I’ve had quite a few questions about what they need to do to be GDPR-compliant. While I don’t foresee the EU coming after us small mom-and-pops, there are a few things website owners should do. Of course, I’m no lawyer, so the following information is only for guidance and not to be taken as legal advice.
Step 1: Do you collect or store personal data on EU citizens?
If you’re not sure, check your Google Analytics. Go to Audience > Geo > Location. You can also check your email newsletter service, like MailChimp, to see if you serve European users. If you are not storing or collecting personal data on EU citizens, then you should be okay. If you do have European users, read on.
Step 2: WordPress to the rescue! Create a Privacy Policy.
The latest version of WordPress, 4.9.6, includes a handy Privacy Policy generator with boilerplate text on what to include in your Privacy Policy. Sweet! Just go to Settings > Privacy and select or create your Privacy Policy page. I just created my Privacy Policy page today using this nifty tool.
While it does cover a lot of WordPress-specific privacy areas—blog comments, media, and cookies—you will need to add your own text regarding usage of contact forms, opt-in forms, analytics, and any other methods you use to collect and store personal data. So, check out any plugins or third-party tools on your site to make sure they are GDPR-compliant as well.
Once you’ve finished your Privacy Policy, don’t forget to add it to your website’s navigation. I placed mine in the footer as that’s where you generally see this type of information.
Step 3: Add consent checkboxes to all forms on your website where you collect personal data.
For any form on your website, add a checkbox that the user must check (it can’t be checked by default) that says they consent to the collection and storage of their personal data. You should also provide text about how you intend to use that data. For example, my free gift opt-in form includes a checkbox that says “I give consent to collect and store my information so Jill can stay in touch via a monthly(ish) email with tips on better websites and businesses.”
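To show what Step 3 looks like in code, here is an added example (not from the original post, and not part of WordPress or any plugin) that renders the consent box unchecked and required, then re-checks consent on the server, since an unticked checkbox simply never arrives in the submitted form. The field names, the version tag, and the sample submissions are assumptions.

```javascript
// Added example, not from the original post. Enforces the Step 3 rule server-side:
// the consent box must be actively ticked. An unchecked checkbox is absent from a
// submitted form body, so a missing field must count as "no consent".
// Field names ("name", "email", "gdpr_consent") and the version tag are assumptions.

const CONSENT_TEXT_VERSION = "2018-05-25-v1"; // constructed tag for the consent wording in use

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// Renders the checkbox unchecked and required: the browser blocks submission
// until the box is ticked, and the server check below does not trust that alone.
function renderConsentCheckbox(consentText) {
  return (
    '<label><input type="checkbox" name="gdpr_consent" value="yes" required> ' +
    escapeHtml(consentText) + "</label>"
  );
}

// body: plain object parsed from an application/x-www-form-urlencoded POST.
// Returns an error, or a consent record worth storing next to the subscriber
// so you can later show what wording they agreed to and when.
function validateOptIn(body, now = new Date()) {
  const email = typeof body.email === "string" ? body.email.trim() : "";
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, error: "invalid email" };
  }
  if (body.gdpr_consent !== "yes") {
    return { ok: false, error: "consent not given" };
  }
  return {
    ok: true,
    record: {
      email,
      name: typeof body.name === "string" ? body.name.trim() : "",
      consentTextVersion: CONSENT_TEXT_VERSION,
      consentedAt: now.toISOString(),
    },
  };
}

// Constructed sample submissions: one with the box ticked, one without.
console.log(validateOptIn({ name: "Ada", email: "ada@example.com", gdpr_consent: "yes" }));
console.log(validateOptIn({ name: "Ada", email: "ada@example.com" }));
```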
Step 4: Provide a way for users to be forgotten.
The latest update to WordPress also includes a way to Export Personal Data and Erase Personal Data. Services like MailChimp and Google Analytics provide this as well. If someone contacts you and wants to be forgotten—i.e. have all of their personal data deleted from your records—you need to comply.
What about the California Consumer Privacy Act (CCPA)?
The CCPA gives Californians the right to know about the personal information a business collects about them, and how it is used and shared. Find out more about the CCPA and if it applies to you.
So there you have it! Any questions? Please leave a comment 🙂