Disclaimer: This isn’t legal advice, and I’m not a lawyer.
If you’ve been reading your emails, you know there have been some big changes to online privacy laws lately. Most of this chatter is about the EU’s General Data Protection Regulation (GDPR), which goes into effect in just a matter of days on May 25, 2018.
GDPR is all about how businesses process and store the personal data of people living in EU countries. When a business collects personal data, it will have to give those people information about the data it’s collecting about them and why, where it’s stored, and for how long. GDPR requires that this information be provided in clear and easy-to-understand language. No lawyer-ese.
But I’m not in the EU and neither are my customers
I’ve spoken with a number of small business owners who think GDPR doesn’t affect them because they’re located in the US and don’t do business with people living within the EU. If you’re one of those business owners, I’ve got some news for you.
GDPR affects you and your business if your website does any of the following:
- Uses Google Analytics, the Facebook Pixel, or any other tracking software for your website’s analytics
- Has an online shop that EU residents can make purchases from
- Lets users create accounts on your website
- Has a contact form on your website
- Allows users to leave comments on your website
I can’t think of a single business owner I’ve worked with whose website doesn’t include at least one, if not several, of these. If you aren’t GDPR compliant, you could be fined up to 4% of your annual revenue.
So, what should you do?
Update and Explore WordPress
You should be keeping your website up to date, but if you haven’t already updated to WordPress 4.9.6, you should do it now. This release contains all kinds of useful (and required) tools for GDPR compliance.
You’ll want to familiarize yourself with the new features in WordPress and the other tools you use either as part of or in conjunction with your website. GDPR gives EU residents the right to request a copy of all the data you’ve collected about them, so you should try out the new tools in WordPress that let you export data. You should also note any plugins that contain data that isn’t included in this export and make a plan for how you’ll get access to that data and share it.
EU residents can also request that you delete their data (aside from anything you need to run your business, like records of sales), so get familiar with the tools for that too.
You’ll need to respond to these requests within 30 days, so you may want to create a special email address (like [email protected]business.com) and assign someone on your staff to handle requests.
- What data does this website collect about me?
- What does this site do with my data and why?
- Who does this site share my data with?
- How long does this site keep my data?
- How can I view, update, or remove the data collected about me?
If you’re not familiar with them, cookies are small pieces of information that are stored in your browser when you visit a website. For example, when you visit a website that uses Google Analytics, Google looks for a cookie that indicates you’ve been to this website before. If it doesn’t see one, it creates one for you.
If you use Google Analytics on your website, cookies are how Google tells you how many different users have visited your site. These cookies have some limitations, but that’s the broad overview.
With the new GDPR rules, you’ll need to:
- allow users to revoke cookie permission later
There are several WordPress plugins that can automate this, or at least make it easier. My favorite is Cookiebot, since it’s one of the few that works pretty much out of the box and is fully GDPR compliant.
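As an added illustration of what a consent plugin does under the hood (this is example code, not the post’s own or Cookiebot’s): the Google Analytics tag is only loaded after an explicit “granted” choice, no choice at all is treated as no consent, and revoking later both records “denied” and expires the analytics cookies. The consent cookie name, the `GA_MEASUREMENT_ID` placeholder and the 180-day retention are assumptions; `_ga`, `_gid` and `_gat` are cookies Google Analytics itself sets.

```javascript
const CONSENT_COOKIE = 'gdpr_analytics_consent'; // assumed name for our own consent record
const GA_COOKIES = ['_ga', '_gid', '_gat'];       // first-party cookies Google Analytics sets
// Parse a document.cookie-style string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim(), raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// 'granted', 'denied', or 'unknown' (no recorded choice: show the banner, do not track).
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === 'granted' || v === 'denied' ? v : 'unknown';
}

// Silence is not consent: analytics runs only on an explicit "granted".
function shouldLoadAnalytics(cookieString) {
  return consentState(cookieString) === 'granted';
}

// Set-Cookie string recording the choice; Secure + SameSite keep it first-party only.
function consentCookie(granted, days) {
  const value = granted ? 'granted' : 'denied';
  return `${CONSENT_COOKIE}=${value}; Max-Age=${Math.floor(days * 86400)}; Path=/; Secure; SameSite=Lax`;
}

// Revocation: record "denied" and expire GA cookies both host-only and on Domain= (GA's scope).
function revocationCookies(domain, days) {
  const expire = (name, scope) => `${name}=; Max-Age=0; Path=/${scope}`;
  const list = [consentCookie(false, days)];
  for (const name of GA_COOKIES) {
    list.push(expire(name, ''));
    if (domain) list.push(expire(name, `; Domain=${domain}`));
  }
  return list;
}
// Browser glue (skipped under Node): load the tag only when consent is recorded.
if (typeof document !== 'undefined' && shouldLoadAnalytics(document.cookie)) {
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID'; // placeholder id
  document.head.appendChild(s);
}
```

Each string returned by `consentCookie` or `revocationCookies` is meant to be assigned to `document.cookie` one at a time when the visitor clicks the banner’s accept or revoke control.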
(Un)check Your Checkboxes
Under GDPR, it’s not okay to pre-check checkboxes that cause visitors or customers on your site to opt in to your mailing list. Yes, this will probably diminish your list growth, but it’s not worth being on the wrong side of GDPR over it.
While you can simply provide an unchecked box that allows people to sign up to receive promotional emails from you, you’re better off adding a set of Yes/No radio buttons that users are required to answer before proceeding. Studies show more people opt in to mailing lists when presented with a yes or no choice.
You can still require people to sign up for your mailing list in exchange for an eBook, coupon code, or other lead generation tool. You just need to be 100% clear about what folks are opting in to.
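Here is an added example (not from the original post) of the Yes/No pattern above done end to end: the markup has no pre-selected option, and the server-side check refuses to proceed without an explicit answer, subscribes only on “yes”, and keeps a record of the exact wording the person agreed to and when. The field name, consent wording and `checkout-form` source label are assumptions.

```javascript
const OPT_IN_FIELD = 'marketing_opt_in'; // assumed form field name
const CONSENT_TEXT = 'Yes, email me occasional news and offers. You can unsubscribe at any time.';

// Markup for the choice: a required Yes/No pair with nothing pre-selected, so the only
// way onto the list is to pick "Yes" yourself.
function optInFieldHtml() {
  return [
    '<fieldset>',
    `  <legend>${CONSENT_TEXT}</legend>`,
    `  <label><input type="radio" name="${OPT_IN_FIELD}" value="yes" required> Yes</label>`,
    `  <label><input type="radio" name="${OPT_IN_FIELD}" value="no" required> No</label>`,
    '</fieldset>',
  ].join('\n');
}

// Server-side check of the submitted form (fields: name -> string, as from a parsed POST
// body). Never rely on the browser's "required": a missing or unexpected value is rejected,
// "no" proceeds without subscribing, and "yes" yields a consent record to store with the
// subscriber so you can later show what they agreed to and when.
function evaluateMarketingOptIn(fields, now = new Date()) {
  const answer = fields[OPT_IN_FIELD];
  if (answer === undefined || answer === '') {
    return { ok: false, subscribe: false, error: 'Please choose Yes or No before continuing.' };
  }
  if (answer !== 'yes' && answer !== 'no') {
    return { ok: false, subscribe: false, error: 'Unexpected opt-in value.' };
  }
  if (answer === 'no') return { ok: true, subscribe: false };
  const email = String(fields.email || '').trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, subscribe: false, error: 'A valid email address is required to subscribe.' };
  }
  return {
    ok: true,
    subscribe: true,
    record: { email, consentText: CONSENT_TEXT, consentedAt: now.toISOString(), source: 'checkout-form' },
  };
}
```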
The Road to GDPR Compliance
Even though May 25 is just days away, GDPR compliance is a process that starts now and will continue into the future. I know it’s a bit scary, both in the scope of work to get compliant and the legal (and financial) ramifications if you aren’t.
The above resources are the biggest technical changes you’ll need to make to your business’s WordPress website, but these steps alone won’t make you GDPR compliant. Especially if you provide services to EU residents, you’ll want to consult with a trusted legal professional who’s well-versed in GDPR.
Even just starting with a plan means you can show that you’re working on compliance and not ignoring it, so don’t sleep on it!
Got GDPR questions? Not sure how to make your WordPress website compliant? Found a really useful GDPR tool? Let me know in the comments!