What is GDPR, and how does it affect your website?
Most likely you have heard a lot about this already, and seen emails come by asking to re-confirm that you still want to be on someone’s mailing list. But still you may be asking, what is GDPR?
GDPR stands for General Data Protection Regulation, and it has been in force in the EU since 25 May, 2018. But what does this kinda-complicated law really mean for your website, blog and email list, and how do you make sure that you are compliant?
Let’s break it down, shall we?
(but before we do, a little disclaimer: this is not legal advice, as I am not a legal professional, so always consult your legal counsel if you want to be 100% sure about the laws and regulations in your country)
What is GDPR all about?
For us regular folks in the EU, the GDPR is of course a very good initiative. It was agreed by the European Parliament as the replacement for the “Data Protection Directive 94/46/EC” as the primary law regulating EU citizens’ data.
In short, it is set to protect the EU residents by protecting their personal and consumer data, and to make sure that whatever data is collected, people consent to how it is being used.
Not only do consumers have the right to know how their data is being used, they also have the right to view this data, and to be “forgotten”, which means that the data must be deleted if they request it.
So far, not too bad, it makes sense, right?
It’s only fair that companies like Facebook cannot sell our data and do whatever they want with it without us knowing about it.
But on the other side of the coin, as an entrepreneur or blogger you are probably scratching your head thinking whether this is also relevant to lil’old me, or only for these multinationals and large corporations?
Not in EU? GDPR is also for you!
But wait a minute, you say. I’m not in the EU, so why should I worry about this?
The truth is that GDPR is probably for you too. Unless you run a totally local business somewhere outside of the EU, with no EU customers or users, and no website that could ever be visited by EU residents (in which case, we can part ways here).
But if you are still reading this, you probably have a blog or website in English, meaning people from anywhere around the world could visit it for information, or to buy something from you.
Even if you are not located in the EU area, you need to take the GDPR into account.
Whether you are selling goods or services, not selling anything but collecting emails for your mailing list, or even if you are doing neither of those things but do have Google Analytics running in the background, you are essentially collecting data. And when you are collecting data, GDPR needs to be taken into account.
So what’s the good news? The good news is that we-can-do-this! Because it’s not as complicated as it sounds.
What is considered personal data for GDPR?
The GDPR does not forbid us from using customer data, but it requires that we are really transparent and clear about how this data is used.
Personal data is any kind of information by which a person can be identified. This is also called Personally Identifiable Information (PII). Some examples:
- Email (physical email or IP address)
- Financial information
- Health information
- Demographic information (age, ethnicity, gender)
If you are collecting any of these, you need explicit consent from the user. They need to know that their data is being collected, they need to be able to agree or decline, and all of this needs to be explained in clear language (not in some legal jargon nobody understands). You need to clearly explain what you are doing with that data.
And mostly we are doing one or more of the following things…
GDPR and a mailing list
Usually the first form of collecting actual data is in the form of a mailing list. So let’s say you have a mailing list, and you are collecting names and emails by offering some kind of incentive or a freebie.
As mentioned before, if people residing in the EU can also sign up, you will need to comply with the GDPR rules. This means you need to pimp up your forms.
So what does this mean in practice?
The spot where you are collecting the data, i.e. the sign-up form, needs to state how the name and email will be used. So you cannot just say “Write down your email and I’ll send you the freebie” if in fact this also means that you are going to add this person to your email list.
And, if you are going to add the person onto your email list, they need to know what kind of information they can expect from you.
For example, you cannot say it’s only for information sharing, if at some point you are also going to sell something to them. If you are not yet selling anything, but could be in the future, it’s safer to include the words “promotional material” into the text already, so you are good to go in the future when you do want to sell something.
Btw, it doesn’t have to be serious business, you can explain all of this in your own language, something that fits your target audience.
The good news here is that most people know that when they download your freebie, they will be added to some kind of list.
So you are only stating the obvious (but you still need to state it). And most of the Email Service Providers make it easy on you to be compliant, so that’s a great help!
For example, ConvertKit makes it easy on you by having a ready-made form to collect the GDPR consent. This means that you don’t have to make check-boxes on your own website, because ConvertKit will simply redirect visitors to a special GDPR consent page after they sign up.
They can then opt in for promotional emails from you, and decide separately whether they allow their data to be used for marketing purposes (e.g. targeted ads).
ConvertKit also has a feature which allows you to create a tag to identify the subscribers that are from the EU area. This makes it easy if you need to send any GDPR-related information to this group only, so you are not bothering your entire list about it if most of your subscribers are outside of the EU.
More info here. (not an affiliate link btw)
MailChimp also has extensive guidelines and step-by-step instructions on how to build their forms for GDPR (again, not an affiliate link).
Check your own Email service provider for more information. I’m sure all of them provide some kind of GDPR consent guidance, but for the purpose of this article I did not research them all.
Is double opt-in required for GDPR?
Talking about email lists and sign-ups, how about the opt-in process?
A double opt-in is when someone subscribes to your list, and an email is sent to them asking them to verify the address before the person is actually added to your list (and before they can receive your free download).
Compare this to a single opt-in, where someone just enters their email address and is added to your list, with no further action needed on their side.
The benefit of double opt-in is that you know the email address is legit, and that they are really genuinely interested in what you have to offer.
GDPR does not require a double opt-in, but it does require a proof of consent, and a double opt-in is one good way of getting this proof.
Should you be audited for GDPR compliance, and you don’t use double opt-in but are using check-box forms from your email service provider, then you could always contact your service provider and ask for the consent data you need.
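To make the “proof of consent” idea concrete, here is an added example (my own illustration, not code from ConvertKit, MailChimp or any other provider) of what a double opt-in flow looks like behind the scenes. It stores a pending consent record when the form is submitted, emails out a signed, expiring confirmation token, only moves the address onto the list once that token comes back intact, and keeps exactly the facts you would hand over if asked: what wording the person agreed to, on which form, when they submitted and when they confirmed. The class, field names, token format and sample address are assumptions made for this example.

```python
"""Double opt-in with a signed confirmation token and an auditable consent record."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Callable, Optional

# Signing secret for confirmation tokens. Constructed here for the example;
# in a real deployment load it from configuration, never from source code.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # a confirmation link stops working after two days


@dataclass
class ConsentRecord:
    """What an auditor would ask for: who agreed to what, where, and when."""
    email: str
    consent_text: str       # the exact wording shown next to the sign-up form
    form_id: str            # which form or page collected the consent
    promotional_ok: bool    # the separate tick-box for promotional material
    requested_at: int       # Unix time the form was submitted
    ip_hash: str            # keyed hash of the submitting IP, never the raw address
    confirmed_at: Optional[int] = None  # set only after the emailed link is used


class MailingList:
    def __init__(self, secret: bytes = SECRET_KEY, now: Callable[[], float] = time.time):
        self._secret = secret
        self._now = now          # injectable clock, so expiry can be tested
        self.pending = {}        # email -> ConsentRecord awaiting confirmation
        self.subscribers = {}    # email -> confirmed ConsentRecord

    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, consent_text: str, form_id: str,
                             promotional_ok: bool, ip: str) -> str:
        """Step 1: store a pending record and return the token to put in the email link."""
        issued = int(self._now())
        ip_hash = hashlib.sha256(self._secret + ip.encode()).hexdigest()
        self.pending[email] = ConsentRecord(email, consent_text, form_id,
                                            promotional_ok, issued, ip_hash)
        email_b64 = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
        payload = f"{email_b64}.{issued}"
        return f"{payload}.{self._sign(payload)}"

    def confirm(self, token: str) -> bool:
        """Step 2: the subscriber clicked the link; verify everything before listing them."""
        parts = token.split(".")
        if len(parts) != 3:
            return False
        email_b64, issued_str, sig = parts
        payload = f"{email_b64}.{issued_str}"
        # Constant-time comparison: a forged token must not be guessable byte by byte.
        if not hmac.compare_digest(self._sign(payload), sig):
            return False
        if not issued_str.isdigit() or self._now() - int(issued_str) > TOKEN_TTL_SECONDS:
            return False  # expired link
        padded = email_b64 + "=" * (-len(email_b64) % 4)
        email = base64.urlsafe_b64decode(padded).decode()
        record = self.pending.pop(email, None)
        if record is None or record.requested_at != int(issued_str):
            return False  # unknown, already confirmed, or superseded by a newer request
        record.confirmed_at = int(self._now())
        self.subscribers[email] = record
        return True

    def consent_proof(self, email: str) -> Optional[dict]:
        """The evidence you would hand over if asked to show that consent was given."""
        record = self.subscribers.get(email)
        return asdict(record) if record else None

    def erase(self, email: str) -> bool:
        """Right to be forgotten: drop every record held for the address."""
        found = self.pending.pop(email, None) is not None
        return (self.subscribers.pop(email, None) is not None) or found


if __name__ == "__main__":
    ml = MailingList()
    token = ml.request_subscription(
        "alice@example.com",  # constructed sample address
        "Send me the freebie plus occasional newsletters and promotional material.",
        "freebie-form-v1", True, "203.0.113.5")
    print("confirmation link: https://example.com/confirm?t=" + token)
    print("confirmed:", ml.confirm(token))
    print(json.dumps(ml.consent_proof("alice@example.com"), indent=2))
```

Two design choices worth noting: the address is not on the list until `confirm` succeeds, which is the whole point of double opt-in, and the record keeps the consent wording itself rather than a reference to it, so later edits to your form cannot change what someone historically agreed to. Hashing the IP with the signing key keeps a tamper-evident trace of the submission without storing another piece of personal data in plain form.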
Getting consent from older subscribers
What if you have a mailing list that dates back to before May 2018? Well, if you haven’t done it already, you will need to ask your EU subscribers for permission to keep them on your list.
If your email service provider allows segregating the subscribers into EU and non-EU, you could send a campaign only to your EU list members, telling them that if they want to keep receiving your awesome content, they need to opt in again.
This is not a fool-proof method, as people may be using VPN connections, so you never know 100% where your audience is located. If you want to play it safe, you could ask for consent from all of the members that signed up before May 2018.
Google Analytics and GDPR
Another common thing to have running on your website or blog is Google Analytics. Even if you don’t have a mailing list, you may think that you don’t need consent since you are not collecting anything, right? Wrong…
Google Analytics can be used to track user ID, IP address and other personal data so that you can see who visits your site, where they are located and what the demographics are.
In order to make this GDPR compliant, you would either need to anonymize the data in Google Analytics, or add a notification on your site stating that you are using cookies and asking for the user’s consent.
You have probably seen the last option pretty much on every website you visit. It’s essentially a pop-up or a banner appearing as soon as you enter a website.
It usually states that if you want to continue, you have to consent to cookies. I’m using a WordPress plugin called GDPR Cookie Consent, which is quite fast and simple to set up.
You can read my step-by-step guide here: How to install a simple Cookie Consent Banner on WordPress
Both of these options (anonymizing Google Analytics, and setting up Cookie Consent plugin on WordPress) deserve a post of their own, so stay tuned for that.
On a privacy policy page you can give more detailed, legal information on how you collect, use and disclose data on your website.
If you have an existing page made already, you can link it here as well. The cookie pop-up I talked about earlier (via GDPR Cookie Consent plugin) also links to this page.
You could also use something like Website Policies to generate various policies without a huge price tag. The safest option is still to have them checked by a lawyer.
What are the penalties for not being GDPR compliant?
OK, so what if you are going to be a rebel about it and not comply? I can hear you thinking: isn’t this more for the huge corporations anyway, not your everyday bloggers?
The truth is that the fines for not being compliant can get really hefty. Businesses that are not compliant with the GDPR can face fines up to 4% of the company’s annual global revenue, OR 20 million, whichever is a greater amount.
But there’s no reason to panic if all of your forms are not up to par right now.
If any GDPR violations are detected, there would first be a warning, then a reprimand, then a suspension of data processing, and if you still continue to break this law, you had it coming and may have to pay up.
I don’t know what your risk appetite is, but mine tells me “just comply!” You never know when someone decides to make lil’ old us the precedent, like folks were made for downloading music and movies.
You simply just don’t want to be that guy.
Hi there, I’m Kaisa!
I’m your coach, friend and webdesigner when you want to get serious about your Passion project and make it into a business with a beautiful online presence.
I’ll help you with tech, design and courage. Contact me and we’ll create some magic for your Passion Business!