Disclaimer: This isn’t legal advice, and I’m not a lawyer.
If you’ve been reading your emails, you know there have been some big changes to online privacy laws lately. Most of this chatter is about the EU’s General Data Protection Regulation (GDPR), which goes into effect in just a matter of days on May 25, 2018.
GDPR is all about how businesses process and store the personal data of people living in EU countries. When a business collects personal data, it will have to give those people information about the data it’s collecting about them and why, where it’s stored, and for how long. GDPR requires that this information be provided in clear and easy-to-understand language. No lawyer-ese.
But I’m not in the EU and neither are my customers
I’ve spoken with a number of small business owners who think GDPR doesn’t affect them because they’re located in the US and don’t do business with people living within the EU. If you’re one of those business owners, I’ve got some news for you.
GDPR affects you and your business if your website does any of the following:
- Use Google Analytics, the Facebook Pixel, or any other tracking software for your website’s analytics
- Have an online shop that EU residents can make purchases from
- Let users create accounts on your website
- Have a contact form on your website
- Allows users to leave comments on your website
I can’t think of a single business owner I’ve worked with whose website doesn’t include at least one, if not several, of these. If you aren’t GDPR compliant, you could be fined up to 4% of your annual revenue.
So, what should you do?
Update and Explore WordPress
You should be keeping your website up to date, but if you haven’t already updated to WordPress 4.9.6, you should do it now. This release contains all kinds of useful (and required) tools for GDPR compliance.
You’ll want to familiarize yourself with the new features in WordPress and the other tools you use either as part of or in conjunction with your website. GDPR gives EU residents the right to request a copy of all the data you’ve collected about them, so you should try out the new tools in WordPress that let you export data. You should also note any plugins that contain data that isn’t included in this export and make a plan for how you’ll get access to that data and share it.
EU residents can also request that you delete their data (aside from anything you need to run your business, like records of sales), so get familiar with the tools for that too.
You’ll need to respond to these requests within 30 days, so you may want to create a special email address (like [email protected]) and assign someone on your staff to handle requests.
Set Up a Privacy Policy or Update Your Existing One
If it doesn’t already have one, your website needs a privacy policy. Broadly, a good privacy policy should help your visitors answer the following questions:
- What data does this website collect about me?
- What does this site do with my data and why?
- Who does this site share my data with?
- How long does this site keep my data?
- How can I view, update, or remove the data collected about me?
Those last two questions are new additions based on GDPR’s requirements. It’s likely that your existing privacy policy doesn’t include this information, so don’t rest on your laurels just because you already have a privacy policy.
Writing a privacy policy can be tedious and it’s difficult to be sure you’ve included everything you should. If you want to DIY it, WordPress will generate a simple policy for you under Settings > Privacy and WooCommerce has a great guide on writing a privacy policy that will help you fill in any blanks. Otherwise, I highly recommend a privacy policy generator like Iubenda, which is the service I trust for my own website and my clients’ websites.
Let Your Users Know Your Site Uses Cookies
You’ve seen cookie warnings on websites before. Usually they say something like “Our site uses cookies to give you the best experience. By continuing to use our site, you agree to our use of cookies.”
If you’re not familiar with them, cookies are small pieces of information that are stored in your browser when you visit a website. For example, when you visit a website that uses Google Analytics, Google looks for a cookie that indicates you’ve been to this website before. If it doesn’t see one, it creates one for you.
If you use Google Analytics on your website, cookies are how Google tells you how many different users have visited your site. These cookies have some limitations, but that’s the broad overview.
With the new GDPR rules, you’ll need to:
- list the cookies your site uses in your privacy policy
- let users know that your site uses cookies the first time they come to the site and provide a link to your privacy policy
- ask your users to positively consent to the way your site uses cookies
- allows users to revoke cookie permission later
There are several WordPress plugins that can automate this, or at least make it easier. My favorite is Cookiebot, since it’s one of the few that works pretty much out of the box and is fully GDPR compliant.
(Un)check Your Checkboxes
Under GDPR, it’s not okay to pre-check checkboxes that cause visitors or customers on your site opt-in to your mailing list. Yes, this will probably diminish your list growth, but it’s not worth being on the wrong side of GDPR over it.
While you can simply provide an unchecked box that allows people to sign up to receive promotional emails from you, you’re better off adding a set of Yes/No radio buttons that users are required answer before proceeding. Studies show more people opt in to mailing lists when presented with a yes or no choice.
You can still require people to sign up for your mailing list in exchange for an eBook, coupon code, or other lead generation tool. You just need to be 100% clear about what folks are opting in to.
The Road to GDPR Compliance
Even though May 25 is just days away, GDPR compliance is a process that starts now and will continue into the future. I know it’s a bit scary, both in the scope of work to get compliant and the legal (and financial) ramifications if you aren’t.
The above resources are the biggest technical changes you’ll need to make to your business’s WordPress website, but these steps alone won’t make you GDPR compliant. Especially if you provide services to EU residents, you’ll want to consult with a trusted legal professional who’s well-versed in GDPR.
Even just starting with a plan means you can show that you’re working on compliance and not ignoring it, so don’t sleep on it!
Got GDPR questions? Not sure how to make your WordPress website compliant? Found a really useful GDPR tool? Let me know in the comments!
Leave a Reply