As an online business owner or entrepreneur, I’m sure you’ve heard lots of buzz surrounding the GDPR. I’ve seen tons of great information online, but I wanted to prepare a specific guide for online business owners and bloggers, especially those based in the US (since that’s where I am too), on how to comply. There’s a lot to cover, so let’s get into what EVERY online biz owner must know about the GDPR and how you can get compliant asap.
First a disclaimer –
(Disclaimer: I’m a US-based attorney so this info is directed towards US bloggers, but it may also apply to international bloggers. Check your country’s laws for more information about laws and regulations in your country. Further, this article is my interpretation of the GDPR, but this is a complex law, so you should always seek your own professional legal advice as necessary and this article is for informational purposes only.)
What is the GDPR?
The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. This new law sets up stronger protections for consumers’ personal data and requires organizations that process the personal data of people in the European Union (EU) to follow stricter rules. It applies to businesses established in the EU and, under Article 3(2), to businesses outside the EU that offer goods or services to people in the EU or monitor their behavior there (which is exactly what analytics and advertising cookies do). With all of the recent hacks and data breaches, this is the EU’s way of helping to protect its residents’ privacy.
Overall, this is a big change and a move in the right direction for protecting privacy. So as an online business in the US, what do you need to know so you can comply? Read on!
Related Post: Get Your Biz and Blog Legal – Frequently Asked Questions
Do US online business owners and bloggers need to comply?
Under Article 3 of the GDPR, the law applies to businesses outside the EU whenever they offer goods or services to people who are IN the EU, or monitor the behavior of people in the EU, for example by tracking them with cookies or analytics. This covers EU residents, but also someone who is visiting your site while in the EU. There doesn’t need to be a financial transaction in order for the law to kick in; it applies whenever personal data (what US law usually calls personally identifiable information, or PII) is collected or processed (I’ll talk more about PII below).
Since we are running online businesses, it’s feasible and highly likely that an EU visitor will stumble onto our sites at some point. So it’s a good idea to comply with the GDPR. It can be a little work up front, but it’s always better to be safe than sorry, especially since penalties for violation can be HUGE. (More on that below.)
Which companies does the GDPR apply to?
Basically, the GDPR applies to all companies, but some obligations scale with size and risk. For example, the requirement to keep formal records of processing activities (Article 30) does not apply to organizations with fewer than 250 employees unless their processing is regular rather than occasional, is likely to result in a risk to people’s rights, or involves sensitive categories of data. Appointing a data protection officer (Article 37) is required only where your core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, so for a typical small business or blog you aren’t expected to hire someone solely for GDPR compliance.
This basically means it’s on you to make sure you and your website are compliant.
What information qualifies as PII under the GDPR?
The GDPR’s own term is “personal data,” and the definition is broad: any information relating to an identified or identifiable individual. This includes things like:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
So this basically means any sort of personal information: things you set out to collect, such as names and email addresses through your email list sign-up forms or blog comments, but also things that are collected more in the background, such as demographic or IP data gathered by something like Google Analytics (more on that below too).
Related Post: 7 Things Your Blog Needs to be Legal
Ok, so how do I comply?
As a business in the US, the main points of the GDPR that affect us are the following:
1. Obtaining consent
You need a lawful basis for every use of personal data, and for most of what a blog or online business does (email lists, marketing, analytics) that basis will be consent. This means you will need to update your marketing forms, email sign-ups and other interactions so that you obtain explicit consent before you collect your users’ info. The GDPR defines valid consent as consent that is “freely given, specific, informed and unambiguous.” (Processing that is genuinely necessary to deliver something the user asked for, such as shipping an order, can instead rest on the contract with the customer, but anything beyond that needs its own consent.)
If someone makes a purchase, the processing needed to fulfill that order doesn’t require a separate consent, but every additional use of the person’s information, such as email promotions or sharing info with third-party affiliates, needs its own explicit permission. Give the consumer a separate, unchecked box for each purpose rather than bundling them into one.
Additionally, if you are dealing with the data of children under 16, parental consent is required (individual EU countries may lower this age, but not below 13).
Here are some key factors in obtaining informed consent before you collect information:
- Be clear who you are (so the user knows who they are giving their info to)
- Make it as easy for people to withdraw consent as it was to give it, and honor requests to delete their data
- Make it clear how, when and where someone’s personal data is being used
- Silence doesn’t equal consent, so you can’t just have pre-checked boxes on your forms, and continued use of the site doesn’t count either
- Minimize data collection – collect only what’s necessary
- Overall – consent must be “freely given, specific, informed and unambiguous”
Basically a lot of this is common sense and what I’ve previously preached when it comes to your email list anyways – don’t be shady and only add people to your email list who want to be added. This means, no auto-adding people who’ve left a blog comment or sharing lists with someone else.
You should also check your email service provider to ensure that they support confirmed opt-in, offer easy ways to opt out and can completely delete someone’s information when you ask.
For people you have already collected data on, such as your current email list subscribers, you need to bring them up to compliance. If you didn’t get their affirmative consent to collect their information, or can’t show that you did, then you need to either get that consent now or delete them from your list.
2. Dealing with data breaches
If a breach should occur, you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. If there is a “high risk” to individuals, for example exposure of credit card numbers, passwords or other highly sensitive data, then you will also need to notify the affected individuals directly. Basically this means be aware of what’s going on with your data, keep a record of any breach and what you did about it, and notify the appropriate officials when required.
3. Right to be forgotten
Under the GDPR, everyone has the right to request the erasure of their personal data, for example when the data is no longer needed for the purpose it was collected for or when they withdraw the consent it was based on. This means you need to be prepared to delete a user’s data promptly if you’re requested to do so, which in turn means knowing where the information is stored (your site, your email service provider, your analytics and any other tools you use) and how to get it deleted from each place.
It’s still unclear how the EU will enforce the law against US businesses and bloggers, but it is better to be prepared than to face possible issues. Overall, it’s important that you are able to show/prove compliance, including a record of when and how each person consented.
And remember, the key is consent – you shouldn’t be collecting any information without the user’s knowledge and permission. Plus you shouldn’t be collecting information that you don’t need.
What about tracking cookies / Google Analytics?
For me, this was a big question and not so easy to find a clear answer for. Everything else is pretty straightforward – don’t collect info you don’t need, don’t collect info/add people to your list without their consent and don’t be shady with people’s info. Makes sense. But what about those things that are running in the background…?
If you are utilizing Google Analytics Advertising Features, this means that Google is collecting demographic and interest data about your audience to share with advertisers. Google’s policy for the Advertising Features requires you to obtain prior consent from your users before any of this information is collected. This means you should either 1. stop using the Advertising Features or 2. add a consent prompt to your website so that a new user (who has not already consented) is asked to consent affirmatively before the tracking code loads. Simply continuing to browse the site is not valid consent under the GDPR, which specifically says inactivity and pre-ticked boxes don’t count, so the analytics script should stay off until the visitor clicks accept, and it should be just as easy to withdraw later.
Additionally Google has been long working on GDPR compliance and you should have been receiving updates from them, including their requirements for staying in compliance yourself. You can update your settings to direct what information is collected, as well as the time period that data is stored prior to being automatically deleted.
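Here is one way to wire up the consent prompt described above so that the tracker never runs without an explicit, recorded “yes.” This is an added example written for this page; it is not code from the original post or from Google. It assumes a first-party cookie named ga_consent, page elements with the ids consent-banner, consent-accept, consent-decline and consent-withdraw, and a placeholder tracking ID UA-XXXXXXX-X; the notice version number is something you bump whenever your privacy notice changes so that older consent stops counting.

```javascript
// Consent-gated analytics loader. Added example, not code from the original post
// or from Google. Assumptions (not from the page): consent is recorded in a
// first-party cookie named "ga_consent"; NOTICE_VERSION is bumped whenever the
// privacy notice changes; "UA-XXXXXXX-X" is a placeholder tracking ID; the
// element ids used in the browser wiring are assumed.

const CONSENT_COOKIE = 'ga_consent';
const NOTICE_VERSION = 2;                              // bump when the notice changes
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // re-ask after one year
const GA_COOKIES = ['_ga', '_gid', '_gat'];            // cookies analytics.js sets

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(idx + 1).trim()); }
    catch (e) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// The record we store. Keeping the decision, the time and the notice version
// is what lets you later show what the visitor agreed to and when.
function buildConsentRecord(decision, nowMs) {
  if (decision !== 'granted' && decision !== 'denied') {
    throw new Error('decision must be "granted" or "denied"');
  }
  return { v: NOTICE_VERSION, decision: decision, ts: nowMs };
}

// Classify stored consent as 'granted', 'denied' or 'unknown'. Only an explicit,
// current, unexpired "granted" counts: a missing cookie, a malformed value, an
// old notice version or a stale timestamp all mean "ask again". Silence is not consent.
function readConsent(cookieString, nowMs) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return 'unknown';
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return 'unknown'; }
  if (!rec || typeof rec !== 'object') return 'unknown';
  if (rec.v !== NOTICE_VERSION) return 'unknown';            // notice changed: re-ask
  if (typeof rec.ts !== 'number' || nowMs - rec.ts > CONSENT_MAX_AGE_MS) return 'unknown';
  if (rec.decision === 'granted') return 'granted';
  if (rec.decision === 'denied') return 'denied';
  return 'unknown';
}

// The single decision point: load the tracker only on an explicit, valid grant.
function shouldLoadAnalytics(cookieString, nowMs) {
  return readConsent(cookieString, nowMs) === 'granted';
}

// Serialise a record for assignment to document.cookie.
function consentCookieValue(record) {
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(record)) +
    '; Max-Age=' + Math.floor(CONSENT_MAX_AGE_MS / 1000) + '; Path=/; SameSite=Lax';
}

// Cookie strings that expire the consent record and the tracker's own cookies.
// Pass the domain analytics.js used (e.g. ".example.com") so the deletions match.
function withdrawalCookieValues(domain) {
  const suffix = '=; Max-Age=0; Path=/' + (domain ? '; Domain=' + domain : '');
  return [CONSENT_COOKIE].concat(GA_COOKIES).map(function (name) { return name + suffix; });
}

// --- Browser wiring; skipped when there is no DOM (e.g. under Node) ---
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const loadAnalytics = function () {
    // Standard analytics.js bootstrap with IP masking turned on.
    window.ga = window.ga || function () { (window.ga.q = window.ga.q || []).push(arguments); };
    window.ga('create', 'UA-XXXXXXX-X', 'auto');    // placeholder tracking ID
    window.ga('set', 'anonymizeIp', true);
    window.ga('send', 'pageview');
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://www.google-analytics.com/analytics.js';
    document.head.appendChild(s);
  };
  const record = function (decision) {
    document.cookie = consentCookieValue(buildConsentRecord(decision, Date.now()));
    if (decision === 'granted') loadAnalytics();
  };
  const banner = document.getElementById('consent-banner');   // assumed element id
  if (shouldLoadAnalytics(document.cookie, Date.now())) {
    loadAnalytics();
  } else if (banner && readConsent(document.cookie, Date.now()) === 'unknown') {
    banner.hidden = false;                            // ask; nothing loads until they click
    document.getElementById('consent-accept').onclick = function () { record('granted'); banner.hidden = true; };
    document.getElementById('consent-decline').onclick = function () { record('denied'); banner.hidden = true; };
  }
  const withdraw = document.getElementById('consent-withdraw');  // assumed element id
  if (withdraw) withdraw.onclick = function () {
    withdrawalCookieValues(window.location.hostname).forEach(function (c) { document.cookie = c; });
  };
}
```

The important property is that the only path to loadAnalytics is a stored record that says “granted” against the current notice version and within the last year; a missing cookie, a “denied” record, a malformed value, or consent to an older version of the notice all leave the tracker off and show the prompt again. Note that analytics.js with the 'auto' cookie domain sets its cookies on the highest parent domain it can, so a withdrawal has to delete them with a matching Domain attribute, which is why withdrawalCookieValues takes one.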
Related Post: Researching the Legalese Your Blog Needs
Another important reason to comply…
The potential penalties for non-compliance are huge and have been getting a lot of attention. Under Article 83, the most serious violations (for example of the consent rules or of individuals’ rights) can result in a fine of up to €20 million or 4% of worldwide annual turnover, whichever is higher, while lesser violations (such as failing to notify a breach) can still draw fines of up to €10 million or 2% of turnover. Yikes. So this is definitely a case of do everything you can to avoid that!
Besides the possibility of scary fines, when new laws are released, it’s always a good idea to comply because it shows that you take your responsibility as a business owner seriously – and that you take the privacy and security of your users seriously too.
People like working with people who show that they are educated and up to date on laws and best business practices and who value keeping them safe and secure.
There isn’t much time left but you can still get your blog and your website GDPR compliant before the May 25, 2018 deadline!
Disclaimer: I am an attorney, but I am not your attorney. The information in this article is for general informational purposes only and is not legal advice. This article does not create an attorney-client relationship. The author is not liable for any losses or damages related to actions or failure to act related to the content in this article. If you need specific legal advice, consult with an attorney who specializes in your subject matter and jurisdiction.