
European privacy

How the GDPR affects you (and yes, it affects you)

Standard disclaimer: We are not lawyers, even though sometimes it sounds like it from the arguments around the dinner table. We are providing this information to the best of our knowledge, but it does not constitute legal advice. We also do not possess “the Force,” no matter how much Kait insists she moved the salt shaker.

The General Data Protection Regulation, or GDPR, is an updated law from the European Union governing data control, and it affects the internet in a big way. We’re going to try to keep this as short as possible (and it’s still pretty freaking long), so we’re going to skip the legislative history. However, because there’s no legal precedent to tell us exactly what’s changing, it’s best to look at it from base principles. We urge you to read this introduction, because it really helps to understand why the suggestions may seem so drastic.

Details

The largest change in the GDPR comes from a philosophical standpoint.

Many of the internet’s largest revenue streams stem from the idea of websites owning all the data they can collect on their users. The view is that when you visit a site, you are essentially telling the site you’re visiting that its owners can do whatever they want with your data.

It’s not even necessarily restricted to the internet — anyone who’s bought a car or gone to the bank in the last 10 years has probably received some page-length legal document about what that organization can do with your information in regard to marketing. And you, as the consumer, typically have the choice of letting them do whatever they want with your data, or not having the service provided to you.

The GDPR flips that idea on its head. Its base propositions include:

Funnily enough, most of us probably agree with those things as users, but are terrified of them as business owners/operators.

On the face of it, all of that sounds really hard to do for people who are just interested in blogging or opening a mini-store. And that’s true: In order to comply with these regulations, a lot of self-hosted or self-managed bloggers/business owners are going to have to learn more about what their website/store is actually doing.

However, in the long run this isn’t really a bad thing. Knowing what tools you have, what they’re doing and how they operate should actually increase your skill and enhance your business. We can’t tell you the number of times people told us they have installed plugins or started tracking things (analytics, sales, etc.) without actually having a plan for what they’re going to do with that information.

Plus, getting your site more secure and protecting the privacy of your users is pretty important even if it weren’t legally required.

The last thing we want to talk about in general before we dive in deep is who this applies to. It is true that this is a European Union regulation, which in most circumstances would not apply to companies operating in the U.S. (or indeed, anywhere outside the EU). However, the EU has explicitly stated that these rules apply to anyone who is using the data of a citizen of the European Union. That means even just trying to block the IP addresses of the EU (itself a fruitless task) would not be enough, because it also applies to EU citizens living outside the EU.

As we skim the surface, let’s talk about some tactics/loopholes/measures for avoidance that’ve been floating around the internet.

  1. You cannot stop all EU citizens from registering/purchasing from your website via technological means. It’s just not possible. Anyone who says they can do it with 100 percent accuracy is at the very least mistaken, if not outright lying.
  2. Every interaction with an EU citizen counts, not just those involving money. You’re still required to adhere to the GDPR even if you’re giving something away for free, or having registration for your site, or even just emailing visitors automatically. Furthermore, this also includes analytics for your site. If an EU citizen visits your site and you track them, it counts.
  3. As a corollary to Points 1 and 2, just putting up a banner saying “No EU citizens allowed” probably isn’t enough. Because once they’ve visited your website, you’ve already started tracking them. And if you haven’t made sure your third-party systems are already GDPR compliant, you may be initiating other processing, which you’re liable for. So sticking your head in the sand is probably not the way to go.
  4. You probably cannot achieve compliance solely through updates and/or more plugins. Most people are used to seeing a problem and finding a plugin to fix it. Because so many plugins operate semi-independently or autonomously, it is unlikely that you will be able to fix this just by installing a plugin. WordPress itself states that plugins cannot describe themselves as GDPR-compliant, simply because how the plugin is used matters greatly. You really need to look at your entire system.
  5. Being small does not necessarily mean you’ll be able to squeeze through the cracks. Yes, it’s likely that the first complaints, fines and lawsuits will come from the big players, but the GDPR does not have get-out-of-jail-free cards for small businesses. It does require more of larger players (for example, registering with various agencies) that you will likely not have to do, but that has more to do with having an established presence or explicit desire to market to EU consumers than the size of the enterprise. That being said, it’s inevitable that some people are going to ignore the GDPR or think it doesn’t apply to them. They may get away with it, they may not. But if they are caught, and have done nothing toward achieving compliance, they will likely be punished more than if they had at least tried.

There is actual good news, though!

If you’re trying to be compliant, you will likely not be fined for a first offense. People are worried about the (potentially) enormous fines — up to 20 million, or 4 percent of international revenue, whichever is HIGHER. Now, regardless of what you do, you’re likely not getting fined even $1 million. The potential for getting fined is there, but EU regulators have repeatedly said the point of GDPR is compliance, not fines. As long as you can show you’re trying to be compliant, even if a complaint is lodged against you, they would rather work with you toward compliance than issue a fine.

Shameless plug

We have extensive experience in dealing with regulatory issues, especially concerning GDPR. Even if you just want to ask questions, feel free to drop us a line and we'll be happy to chat!


Achieving compliance

Let’s start to explore what you actually have to do, and some of the ways it can be accomplished. First, you need to figure out how you’re collecting user information. User Information includes but is not limited to:

  1. Name
  2. Address
  3. Email Address
  4. User ID
  5. Health info
  6. Income
  7. Location
  8. Demographic information

This is the most basic stuff — there are even stricter rules about sensitive information (which includes things like sexual orientation, health, race, political and religious beliefs).

This brings up another point, which is don’t ask for information you don’t actually need. Why create more hassles for yourself? The default assumption used to be “vacuum up as much information as you can because magic AI will be able to target people more specifically.” This was both incorrect and creepy. Now you can’t! Wasn’t that easy?

Most sites will store personal information via user registrations, purchases, contact form entries, logging tools, security tools/plugins, and analytics, among others. You’re going to need to know specifically when your site collects data, how you store it and (most importantly) that the user consented to it being stored.

However, you also need to be aware what information is being processed by third-party scripts or plugins on your site, in addition to your own.

If a news website allows users to sort categories by their preference and saves it (either to the server in a user account or in a cookie), they have to let the user know that as well as how long that information will be stored.

If you have social media scripts on the page that track usage, or if you use a service that tracks steps along your conversion funnel, users have not only a right to know they’re being tracked but also have to opt in to such tracking. If tracking conversions is not a fundamental requirement to you serving up your content/service/product, then you cannot require it.

Please note that this does not mean that analytics are now illegal. Personalizing those analytics is. For most, this is going to mean analyzing what URLs and query strings (the part at the end of the URL for things like utm_id=mlm133n) are currently being recorded in analytics, and ensuring no personalized information is tracked going forward. You’ll also need to anonymize IP addresses — Google Analytics has a setting for this, and most others should as well. Please remember that you cannot just do this for IP addresses emanating from Europe, as EU citizens can access your site from anywhere.

If you’re using advanced analytics, event tracking, tag manager, etc., you need to ensure that you’re not using personalized information. This is going to vary wildly on a case-by-case basis.
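As an added example (not code from the original post), here is how a site’s own tracking script might scrub query strings and anonymize client IPs before anything reaches an analytics backend. The parameter allowlist and the sample URLs are constructed for the example; the IP truncation follows the scheme Google Analytics documents for its IP-anonymization setting (last octet of IPv4 and last 80 bits of IPv6 zeroed).

```javascript
// Campaign parameters identify a campaign, not a person, so they may stay;
// everything else in the query string is dropped. (Constructed list: a real
// one is whatever your own marketing links and forms actually use.)
const ALLOWED_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_id", "utm_content", "utm_term", "page",
]);

// Drop every query parameter that is not on the allowlist, plus any allowed
// one whose value looks like an e-mail address (a pasted "utm_term=ann@..."
// is still personal data). Fragments are removed too: they can carry tokens.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    const value = url.searchParams.get(key) ?? "";
    if (!ALLOWED_PARAMS.has(key) || value.includes("@")) {
      url.searchParams.delete(key);
    }
  }
  url.hash = "";
  return url.toString();
}

// Expand "::" so an IPv6 address always has eight groups. Mapped IPv4
// addresses (::ffff:a.b.c.d) are not handled in this example.
function expandIpv6(ip) {
  const [head, tail = ""] = ip.split("::");
  const left = head ? head.split(":") : [];
  const right = tail ? tail.split(":") : [];
  const missing = 8 - left.length - right.length;
  if (missing < 0 || (!ip.includes("::") && missing !== 0)) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  return [...left, ...Array(missing).fill("0"), ...right];
}

// Same truncation Google Analytics documents for its IP-anonymization
// setting: zero the last octet of IPv4, the last 80 bits of IPv6.
function anonymizeIp(ip) {
  if (ip.includes(":")) {
    return expandIpv6(ip).slice(0, 3).join(":") + "::";
  }
  const octets = ip.split(".");
  if (octets.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  octets[3] = "0";
  return octets.join(".");
}

// What the analytics backend is allowed to see for one page view.
function buildHit(rawUrl, clientIp) {
  return { page: scrubUrl(rawUrl), ip: anonymizeIp(clientIp) };
}
```

The setting the text refers to is, in gtag.js, `anonymize_ip: true` on the `config` call; that covers the IP address only, so a scrub like the one above is still needed for the page URLs, query strings and any custom fields you send along with each hit.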

When it comes to gaining consent for things like analytics, it’s important to remember that the more hurdles you put in front of the user, the less likely they are to do whatever they set out to do in the first place. Consider the value of the analytics you’re gaining against the hassles of what you have to do to get those analytics. There are some great examples of throwing out genericized analytics solutions in favor of smaller, compliant systems that give actionable information.

You’re also going to need to ensure that you have a privacy policy that explicitly states what data you’re collecting, how it will be used and how long it will be stored. This needs to be accessible in a prominent place, and most important, written in lay language. Do not just copy an incomprehensibly dense privacy policy from somewhere else that covers everything you could ever want to do. It needs to be applicable specifically to what you are doing, and you need to make sure that what you’re doing with the data is related to the service you’re providing.

What follows are our three biggest tips for success - if you're only going to pick three rules to follow, make 'em these.

1. You can only ask for data that is required for a thing to happen

We’re very accustomed at this point to giving out our email addresses/Twitter handles/whatever in order to download a freebie, or to view this video, or whatever. The GDPR requires that you can only ask for personal information when it is necessary for a service. And no, “But I’m going to email it to them!” does not count as a good reason to collect an email address. And you DEFINITELY can’t collect their email address and sign them up to your marketing list in exchange for you sending them a PDF.

This does not apply to standard transactional emails like order confirmations, sending out tracking numbers, etc., because those are an integral part of the purchase process. But again, you can’t just take all your customers and throw them in a “my customers” list and spam them with whatever you want. You’d have to ask for affirmative consent. Which brings us to Big Idea #2.

2. You need affirmative consent for everything you're going to do with other people's data

Basically, people need to know exactly what you’re going to do with the data they give you. If they sign up for an account and you want to send them marketing emails, you have to have a checkbox on that form that says, “I want to receive marketing emails from you.” It cannot default to checked. (That’s why we use the phrase “affirmative consent” throughout this document — it can’t be passive. You also can’t just send an email that says “if you don’t respond, we’ll count that as you consenting.”) Facebook is currently trying to design its way out of this, and it’s probably going to come back and bite them.

Be specific about what marketing emails you’re going to be sending — if your signup link text is tailored to a specific course (sign up for more info here!), resist the urge to add them to a general list or send an email about a different product. And no, you can’t just use a blanket signup that says “I agree to every email ever.”

You’ll need a record of people affirmatively consenting to tracking and emails. This means that you probably need to re-consent EU citizens from whom you’ve already received consent, unless you have proof of a double opt-in from them. (This is why you got an email from every company you’ve ever heard of in the weeks leading up to the GDPR taking effect.) If you’re using an email vendor, they probably have an option for this.

As a side benefit for you, you can also get rid of non-EU citizens who don’t want to be on your list. Contrary to popular belief, a bigger email list is not the key to success. A small email list of people interested in your product is far more valuable than a list of everyone ever. Not only will those not interested not read your email, you’ll get marked as spam and then even people who are interested won’t get your messages. And hey, many services charge by the number of list members, so don’t you want to pay for only those who are relevant to your business? Really, this pruning process is a good thing.

Generally, the regulation states that you can’t do anything with the data of a user that the user wouldn’t approve of. It’s a pretty good guideline, if probably somewhat constricting to those more concerned about “marketing” than “how customers feel about said marketing.”

3. You need to have processes in place to protect data and provide information if asked

This sounds like a big hassle, but for most sites it won’t be. You need to have some basic security on your site and notify users if a data breach has occurred. (You should have been doing this anyway.) You also need to be able to respond to a request for access to a user’s information within a month. Most sites will probably handle this in an automated way, but remember: just because WordPress has a “download user information” button doesn’t mean that all user information is going to come through automatically; it isn’t going to get your Google Analytics or Mailchimp info, for instance. This again comes back to knowing your setup and knowing where your data is stored.

If a breach has occurred and EU citizens may have been affected, you need to notify the relevant EU regulatory authority within 72 hours of becoming aware of it (which authority is relevant will depend on where the users live).

Also, you have to delete users’ information if they request it (subject to other regulatory needs — if you have to maintain X years of data for compliance with another law, then you can keep that data for X years). This, again, is something you really should have been doing all along, but expect more people to request because now they know it’s something they can do.
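One way to make both the access request and the deletion request answerable from a single place is to keep a map of every store that holds personal data, with an export and an erase action per store and the retention period another law imposes on it. The following is an added, constructed example rather than anything from the original post or from WordPress itself; the three in-memory stores, the three-year retention period and the sample records are assumptions standing in for real database and API adapters.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// One entry per place personal data lives. `find` returns that person's
// records, `remove` deletes the records handed to it, and `retentionDays`
// is the period another law obliges you to keep records for (0 = none).
class DataMap {
  constructor() {
    this.stores = new Map();
  }

  register(name, { find, remove, retentionDays = 0 }) {
    this.stores.set(name, { find, remove, retentionDays });
  }

  // Access request: everything held about one person, grouped by store.
  exportUser(email) {
    const out = {};
    for (const [name, store] of this.stores) out[name] = store.find(email);
    return out;
  }

  // Erasure request: delete what can be deleted, keep what still sits
  // inside a mandatory retention period, and report both so the reply to
  // the user is complete.
  eraseUser(email, now = Date.now()) {
    const report = {};
    for (const [name, store] of this.stores) {
      const records = store.find(email);
      const retained = records.filter(
        (r) => store.retentionDays > 0 && now - r.createdAt < store.retentionDays * DAY_MS
      );
      const removable = records.filter((r) => !retained.includes(r));
      store.remove(removable);
      report[name] = {
        deleted: removable.length,
        retained: retained.length,
        reason: retained.length ? `within ${store.retentionDays}-day retention period` : null,
      };
    }
    return report;
  }
}

// Constructed sample site with three in-memory stores. Real adapters would
// talk to the WordPress database, the analytics API and the mailing-list API.
function makeSampleSite(now) {
  const email = "ann@example.org";
  const users = [{ email, name: "Ann", createdAt: now - 400 * DAY_MS }];
  const orders = [
    { email, id: "order-1", createdAt: now - 5 * 365 * DAY_MS }, // older than the retention period
    { email, id: "order-2", createdAt: now - 30 * DAY_MS },      // must still be kept
  ];
  const list = [{ email, purpose: "newsletter", createdAt: now - 100 * DAY_MS }];

  // Build a `remove` function for one array.
  const removeFrom = (arr) => (records) => {
    for (const r of records) arr.splice(arr.indexOf(r), 1);
  };

  const site = new DataMap();
  site.register("wordpress_users", { find: (e) => users.filter((u) => u.email === e), remove: removeFrom(users) });
  site.register("orders", { find: (e) => orders.filter((o) => o.email === e), remove: removeFrom(orders), retentionDays: 3 * 365 });
  site.register("mailing_list", { find: (e) => list.filter((m) => m.email === e), remove: removeFrom(list) });
  return site;
}
```

The point of the registry is the gap the text describes: a store that is never registered (an analytics property, a mailing-list vendor) is silently missing from both the export and the deletion, and nothing in the site will tell you so.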

Big Takeaway

The GDPR is coming, and you need to be ready for it. It’s not impossible to be compliant, but it does take some work. Luckily, most of the work involves knowing more about how your business operates and what’s actually required for you to be effective, which should help you out immensely in the long run.