Disclaimer: This post is for general information purposes only and is not intended to be legal advice. Consult with a legal professional to understand the full impact of GDPR as it applies to your specific situation.

Have you noticed how many “Improvements to Our Privacy Policy” emails you’ve been deleting lately? Or how many times Google Analytics has sent messages with instructions to update your settings? You ignored those. That was ok, right?

Sorry, friend. You need to step back.

EU’s Privacy Regulations Ripple Across the Pond

On April 14, 2016, the European Union passed a new regulation to protect the data and personal information of EU residents. This is the General Data Protection Regulation, or GDPR. It’s a wide-ranging, yet strict set of requirements on organizations that collect data from EU residents. There are many fantastic articles already written that dive deep into the specific principles of GDPR. You should read a few of these as well.

What follows is a general overview based on my personal understanding of the issues as they are today. This post updated May 22, 2018.

So, why does GDPR matter to U.S. businesses? These regulations protect EU residents as they visit websites and use online services. Regardless of where the website or service is based, GDPR demands that the EU residents who use it must be protected a certain way and given certain options to manage their personal data.

That’s why your inbox and app notifications have filled up with notifications about privacy policy changes. Internet giants and small-fry alike are busy working on meeting the requirements of these regulations.

How Are US Businesses Affected by GDPR?

Since the internet is a global technology and your website (yes, your website) is part of the world wide web, you may be getting visitors or even orders from EU residents right now. However, each website’s GDPR compliance requirements will be different based on the website’s intended audience.

The GDPR regulations only affect websites that intend to offer goods or services to EU residents or if that website processes the data specifically for the purpose of monitoring residents’ behavior. Check out Article 3 of GDPR for the legal text and consult a lawyer if you’re unsure if it applies to your business.

For example, are you trying to make sales or get subscribers from the EU? Do you analyze your user tracking data for the purpose of monitoring the behavior of EU residents? My rule of thumb right now is this: If the EU is one of your geographic markets, then you need to comply with GDPR.

If the EU is not a market for you, then you probably don’t have to worry about complying with GDPR specifically. I think you still have action steps, like updating your Privacy Policy, as we’ll explore below.

Your Three GDPR Compliance Goals

If you determine that GDPR applies to you, then I think there are three big goals to achieve that are reasonable for all affected websites.

First, ask EU residents for consent to use Google Analytics and other tracking codes to collect information about their visit to your website. Wouldn’t you like to be asked before someone starts collecting and saving information about what you view and click on?

Second, clearly state and explain how your website tracks visitors, what you do with that tracking record, and who you are sharing records with.

Third, make it easy for website visitors to request a copy of your records about them. In addition, make it easy for website visitors to ask you to delete or remove their records from your collection.

Achieve GDPR Website Compliance

Now’s a great time to mention that I’m not your lawyer. If you have a significant number of customers from the EU, you should keep reading and take the steps I recommend. But you should also schedule a chat with your legal counsel to hear what they have to say about this important development in consumer data protection regulations.

The following recommendations may not completely cover your compliance requirements (check with a lawyer) but I believe they form a straightforward and reasonable foundation.

Use a Website Banner To Ask For Consent

You need to ask EU residents if they agree to be tracked and disable your tracking tools until they say yes. And if they decline, you must keep your tracking tools disabled for them.

EU-based websites have dealt with early versions of this regulation for some time now, and the general approach is to use a cookie consent banner on a website. “Cookies” is the generic name for the small pieces of data a website stores in your browser so it can recognize you as you browse. They keep you logged in to sites like Facebook or Amazon as you click around, and they let Google Analytics keep historical records of visitor activity.

If your website uses Google Analytics or any similar tracking tool, you have to get consent.

The cookie consent banner displays the first time the visitor comes to your website and includes a short message and buttons to indicate if they agree to be tracked or not. Use a cookie consent banner tool that checks to see where visitors are coming from and only shows this banner to people covered by GDPR regulations.

Cookie banners like I’ve described require sophisticated programming. Check out a service like iubenda or Cookiebot, which provide cookie-blocking tools and banner options. You may need help from a web developer to set this up for you.
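One way to wire up the consent gate described above, as an added example that is not code from this post, iubenda or Cookiebot: the Google Analytics tag is injected only after the visitor accepts, a decline is remembered so tracking stays off on later visits, and any missing or unexpected answer defaults to “not tracked”. The cookie name, measurement id and banner element ids are placeholders, and showing the banner only to EU visitors is assumed to be handled elsewhere (for example by server-side geolocation).

```javascript
// Added example (not code from the post): Google Analytics is only injected
// after the visitor accepts, and a decline is remembered so tracking stays off.
const CONSENT_COOKIE = "tracking_consent";   // assumed cookie name
const GA_MEASUREMENT_ID = "G-XXXXXXXXXX";     // placeholder, use your own id

// Parse a document.cookie string into {name: value} (pure, so it is testable).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.split("=");
    if (name.trim()) out[name.trim()] = decodeURIComponent(rest.join("=").trim());
  }
  return out;
}
// "load" = consent given, "blocked" = declined, "ask" = no valid answer yet.
// Missing, expired or tampered cookies fall through to "ask": tracking stays off.
function decideTracking(cookieHeader) {
  const value = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (value === "granted") return "load";
  if (value === "denied") return "blocked";
  return "ask";
}
function loadGoogleAnalytics() {   // the usual gtag snippet, run on demand only
  const s = document.createElement("script");
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtag/js?id=" + GA_MEASUREMENT_ID;
  document.head.appendChild(s);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", GA_MEASUREMENT_ID);
}
function recordConsent(choice) {   // "granted" or "denied", remembered 180 days
  document.cookie = CONSENT_COOKIE + "=" + choice +
    "; Max-Age=" + 180 * 86400 + "; Path=/; SameSite=Lax; Secure";
  if (choice === "granted") loadGoogleAnalytics();
}

function initConsentBanner() {
  const action = decideTracking(document.cookie);
  if (action === "load") loadGoogleAnalytics();
  if (action !== "ask") return;                    // answered already: no banner
  const banner = document.getElementById("cookie-banner");   // assumed markup ids
  banner.hidden = false;
  for (const choice of ["granted", "denied"]) {
    document.getElementById("cookie-" + choice).onclick = () => { recordConsent(choice); banner.hidden = true; };
  }
}
if (typeof document !== "undefined") initConsentBanner();   // no-op outside a browser
```

The page markup is assumed to contain a hidden `cookie-banner` element with `cookie-granted` and `cookie-denied` buttons; the script tag for this file replaces the normal inline gtag snippet, which must not be present anywhere else or the gate is bypassed.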

Update Your Website Privacy Policy

You should actually have a privacy policy already. In the US, privacy laws vary from state to state, but a 2014 law in California made it a requirement to either respond to the “Do Not Track” web browser setting or put a notice in your privacy policy that your website does not work with that setting.

This law applies to California companies and any website that might have visitors from California. Sounds a little like GDPR! And it means all websites with no posted privacy policy (including yours) have been at risk of legal troubles originating from this California law since at least 2014.

Wouldn’t you agree it’s high time we all wrote privacy policies, even if you don’t want customers from California or the EU? You can either block your website from displaying for those people (don’t do that) or get on board. Get your lawyer to help you write one that addresses GDPR, or use iubenda, mentioned before, to manage this important document.

An updated privacy policy is something every website should have, whether or not you are required to comply with GDPR.

Add Removal Request Form

While using cookie consent banners and keeping an updated privacy policy seem like obvious and reasonable improvements, the GDPR pushes the envelope a bit too. Europe is the first place where people have asked to be removed or deleted from online services and tracking tools.

They’re asking for the “right to be forgotten.” GDPR compliance requires website owners to keep records of the individuals they’ve been tracking and allow for specific people to request to be removed. It should be as easy to take your information back as it is to give it up.

This sounds great. I love the idea. But I will candidly say that I don’t have the sure-fire, works-for-everyone solution. Not yet. The data you collect about website visitors is spread across a variety of repositories, not just your own website. You may not be able to guarantee that you can remove it all. Not yet, but soon.

Be on the lookout for updates to your website’s platform (your content management system) that add privacy features. WordPress has already released a new version that helps sites manage their users and remove them on request.

For most affected website owners, the big thing will be learning to use a tool from Google Analytics that allows individual users to request to be removed from your data. Expect Google to release details on this close to the deadline.

There’s also one more thing you need to do with Google Analytics, and it’s important if you don’t want to lose your analytics history.

Set GA Data Retention to “Do Not Expire”

Part of the GDPR is a provision designed to minimize the time user data is kept. GDPR wants you to get consent, collect the data, process it, and analyze it, then delete it as soon as it’s reasonable for you. So, Google tried to make it easy by giving you an option to automatically expire and delete all of your data every once in a while, like every 26 months.

Google is doing that for everyone, even if you are not required to comply with GDPR.

Without getting too technical, expiring your data like that will goof up ad-hoc reporting and custom segments. You’ll be able to run the basic aggregate reports, but the loss of all that historical data will disable the fun, nerdy statistical analysis part.

Don’t lose that data. Go to your Google Analytics and change the Data Retention settings for all of your properties to “Do Not Expire.” Check more information and instructions from Jeffalytics.

You’ll still be in compliance with GDPR if you do this, because this analysis is reasonably considered historical research used to improve your website. However, if you’re somehow doing something else with your GA stats (like profiling and targeting specific users or being extra-creepy) it may be a different story and you’ve got bigger problems.

Don’t Panic. Write Your Privacy Policy.

GDPR seems like a lot right now, but the first step is to update your Google Analytics Data Retention settings to preserve the data you have. Then audit your website so you know all the tracking codes that are active, and include their names in your new or updated privacy policy. Finally, implement a geofenced cookie-consent banner. Do these and you’ll be well ahead.

Looking for help implementing your GDPR update? Give us a call.

and Lorraine spent some time chatting about this topic recently. Listen to the episode now:
Like what you heard? Subscribe now https://roundpeg.podbean.com/