GDPR Compliance. Our Official Take.
Last Update: May 24, 2018
As many of you are aware, the EU (European Union) is instituting the GDPR regulation on May 25th, 2018. After this date, its new privacy and personal data regulations become enforceable under EU law.
Today I want to open a discussion on the entire GDPR, what it is, what it means to you and your business, and discuss some of the major benefits and flaws that I interpret from these new regulations. I also want to offer you some solutions that you can implement on your website.
What is GDPR?
First off, let’s discuss exactly what the GDPR changes mean to you or to anyone who runs a website. The General Data Protection Regulation (GDPR) is a law created within the EU, for people within the EU, to help them protect their data and privacy.
Here is a quote from Wikipedia, outlining the GDPR regulations.
"It addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU."
Then it goes on to state:
"Personal data may not be processed unless it is done under a lawful basis specified by the regulation, or the data controller or processor has received explicit, opt-in consent from the data's owner—which may be withdrawn at any time."
And then it is summed up:
"A processor of personal data must disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any other parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances."
So companies will now be obligated to provide you with a mechanism to delete personal data from within their platforms.
This is something that has conventionally been VERY difficult to do within larger social media platforms like Facebook, which to a certain degree has held us hostage with our personal data, and which has led to major issues like the Cambridge Analytica abuses.
You can learn more about the new regulations from the official GDPR website.
It covers all the relevant topics, but there is a lot of remaining ambiguity and confusion, which has led to widespread discussion online between webmasters, people sharing their private information, large corporations, and legal entities across the world.
I want to cover a few of these, though again, I don't want to undermine the importance of any regulation or update. They are all very important for you to understand and, if required, implement within your website/operations.
How Does the GDPR Impact You?
This is not global legislation, but it impacts companies around the world. The US and other sovereign countries are starting to rely on the EU in many respects to lead Internet regulation that protects consumers as well as personal and private information.
Although you may be located somewhere else, there is the potential that someone will be visiting your website from the EU, so it automatically becomes relevant. So you could either block all EU users from your website, handle visitors from the EU differently, or adopt the new GDPR regulations.
I personally think that adopting these regulations for the entirety of your website is the most efficient and natural approach, and we fully support it. As a website owner it is important that you care about personal information and how it is managed, the same way you care about how other companies use your personal data.
That is the approach all major corporations and social media platforms are following.
The Key Issues With GDPR?
There are many positives that come with the GDPR, but I have outlined 5 core issues I can see resulting from the new regulations implemented by the EU.
Smaller companies don't have the resources to properly implement it. Although it would be a nice idea for every company and independent blogger to have a legal team that can help bring their entire operations in line with GDPR, most people simply don't have access to the money or time required to implement such a stringent process. Because of this, there is going to be such a diverse set of GDPR approaches in the online world that I believe it will create real confusion for the EU authorities hoping to implement and enforce it.
Could hurt customers. Much of the personal data collected and used is for the good. Companies are using this data to make your experience within their platforms better, more succinct and more enjoyable. When "fear of use" comes into play, which it does with stark warnings on websites, people refrain from sharing information that is important to companies. As a result, user experience suffers.
Another country's regulation could create conflict. An example of this would be the FTC (United States Fair Trade Commission) creating conflicting regulation that could either mitigate, override, or even challenge some EU laws. As a company owner, blogger or affiliate...whose regulations do you follow? New Zealand has a new privacy bill that is currently working its way through government, so it will be interesting to see what sort of impact this has.
Ambiguity. There isn't a concise response from the EU on many issues; some of them surround IP addresses and whether they constitute personal data, and under what circumstances. But with a bill this size, and companies operating across a breadth of different industries and using many layers of technology, data, and 3rd party application interfaces, the wording of the GDPR is getting conflated very quickly (and understandably).
With change comes frustration. This is certainly going to be the case with GDPR, and it will continue into the foreseeable future as companies try to figure out the specifics of the regulation and, in many cases, the specifics of the data within their companies, and how to explain internal processes that are sometimes complex in layman's terms.
What About Google Analytics (and other plugins)?
There is much uncertainty about plugins such as the ones provided to you by Google Analytics, autoresponder companies, and any other company that ends up storing what could be deemed personal data. Let's look at a few and open up the question of WHO is actually collecting the personal data, and whether it is actually personal data.
An IP address surely is not a personal identifier. Nor is a referring source of traffic. An IP identifies some information about you, but there is no way to determine personal data about someone without the data held by an Internet Service Provider (ISP). In other words, the ISP would need to have a data breach in order for someone to be able to cross-reference an IP to a person, and that is not your responsibility.
However, it’s important to know that a single IP address is used by many people.
Consider a family of 4 all accessing the Internet while at home, or thousands of people accessing the Internet at Starbucks every day through one IP address. It’s next to impossible to identify who is behind a device and personally identify them. It’s still important to disclose that an IP address is collected, whether it’s personally identifying or not.
You may be logged into your own Google Account, and this information is then personal data that Google can connect to a particular user. They can match details from Google Analytics to those of a Gmail account, YouTube activity, or absolutely any entity or search behaviour on Google's incredibly far-reaching network. This information could then be bundled for a much more granular and demographically targeted advertising experience.
But YOU, the website owner, are not storing data, and certainly not personal data. This one example is why this GDPR roll-out is presenting lots of confusion.
And this leads me to...
It Won't Hurt to Mention Stuff, But Could It Hurt to Exclude?
You have a few choices, and ultimately 99.9% of the blogger world is going to be safe from this. At the end of the day, you are ALLOWED to store personal data; the EU just wants you to disclose it. What you do with that data is also important.
I want to emphasize that companies storing people's information online is not bad; it is normal, and it is required for the Internet to work and for any established company, blog or social network to be able to operate and offer you a decent experience. It is nothing to be embarrassed about if you do store data, and it surely is better to lean towards the "disclose everything even close" approach.
If you are storing someone’s email or name on your website (and in your database), disclose that you are, and where this takes place, and what you are doing with that data.
You likely do not have legal counsel, and if you do, they are likely going to be just as baffled as you by this.
Where Your Site May Collect Data (or have it in proximity).
Some of the common locations where personal data may be collected are:
Local Marketing Campaigns
There are others of course. As you build out your website you should make an ongoing effort to keep your website privacy policies up to date with your activities. In many cases, this won't happen very often, if at all. For other more technical and complex websites where storing personal data is required and used, you may have more frequent changes.
Removal and Export of Personal Data from your Website
WordPress has new privacy settings which allow the website owner to erase (delete) personal data related to any user. If a visitor to your website who has left a comment, or created an account with your site, wants to have their information deleted, then you have a facility to do that. Likewise, under GDPR regulation website visitors can request to have their data exported and given to them, and there is also a facility to do that. We will be creating some training on this, but you can find these settings in the latest version of WordPress by clicking on:
Tools >> Erase Personal Data
Tools >> Export Personal Data
There is an email verification process that is required so that the user verifies they are in fact who they say they are. Once verified, there will be an option to EXPORT or DELETE the personal data. With the latest version of WordPress you have the data export and removal tools required to make sure you remain GDPR compliant in a situation where a user who has provided you with personal data wants to retrieve and/or delete it.
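The built-in export and erase tools only know about the data WordPress itself stores (users, comments, media). If your site keeps personal data anywhere else, for example in a custom table written by a sign-up form, that data is silently left out of both requests unless you tell WordPress how to find it. The snippet below is an added example, not code from the original post, from WordPress core, or from any plugin mentioned here; it hooks a hypothetical newsletter sign-up table (name and columns are assumptions chosen for the example) into the two Tools screens above using the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters that WordPress provides for exactly this purpose.

```php
<?php
/**
 * Added example (hypothetical): expose a custom newsletter sign-up table to
 * WordPress's Tools >> Export Personal Data / Erase Personal Data requests.
 *
 * Assumptions made for this example (not from the original post):
 *   - a table {$wpdb->prefix}newsletter_signups with columns
 *     id, email, signup_ip, signed_up_at
 *   - the function names below are invented for the example
 * Place this in a small plugin file or the theme's functions.php.
 */

// Register the exporter so it appears in the export request's output.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter'] = array(
        'exporter_friendly_name' => 'Newsletter sign-ups (example)',
        'callback'               => 'example_newsletter_exporter',
    );
    return $exporters;
} );

// Register the eraser so it runs when an erase request is confirmed.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter'] = array(
        'eraser_friendly_name' => 'Newsletter sign-ups (example)',
        'callback'             => 'example_newsletter_eraser',
    );
    return $erasers;
} );

/**
 * Exporter callback. WordPress calls it with the requester's email address
 * (only after the email verification step has succeeded) and a page number,
 * and expects a batch of items plus a 'done' flag so big data sets can be
 * exported in chunks.
 */
function example_newsletter_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'newsletter_signups';

    // The email address originates from a user request: always use a prepared statement.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, signup_ip, signed_up_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $items = array();
    foreach ( $rows as $row ) {
        $items[] = array(
            'group_id'    => 'example-newsletter',
            'group_label' => 'Newsletter sign-ups',
            'item_id'     => 'newsletter-signup-' . $row->id,
            'data'        => array(
                // Disclose every field held, including the IP, as the post recommends.
                array( 'name' => 'Email address',         'value' => $row->email ),
                array( 'name' => 'IP address at sign-up', 'value' => $row->signup_ip ),
                array( 'name' => 'Signed up at',          'value' => $row->signed_up_at ),
            ),
        );
    }

    return array(
        'data' => $items,
        'done' => count( $rows ) < $per_page, // a full page means there may be more
    );
}

/**
 * Eraser callback. Same calling convention; it reports what was removed or
 * retained so the outcome shows on the request screen in the admin area.
 */
function example_newsletter_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_signups';

    // $wpdb->delete() returns the number of rows removed, or false on error.
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Once this is active, a confirmed export request produces a "Newsletter sign-ups" group in the generated ZIP, and a confirmed erase request removes the matching rows; both still go through the email verification step described above, so nobody can pull or wipe someone else's data just by typing in an address. Whenever you add a new place where personal data lands, add a matching exporter/eraser pair at the same time as updating the privacy policy.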
There are many plugins out there that will add these little check boxes to your comment areas and/or contact forms, but one we found quite functional is called “WP GDPR Compliance” and it can be installed from your WP Admin area by clicking on “Appearance >> Plugins >> Add Plugins”. Do a search for “WP GDPR Compliance”, install and activate it.
There are a few simple settings in this plugin that you can tweak.
The settings are found under “Tools >> WP GDPR Compliance” from your main menu in the admin area of your site.
I have some good news for you. First, this GDPR stuff isn't bad. It may be a little confusing, but that is simply because, as with all bloated legislation of this kind, there are many moving parts and a lot of ambiguity in certain areas.
And as always, if you have any questions about the new GDPR updates, how it will impact you, opinions, suggestions, or insights, please leave them below.
Welcome to the new world of Internet Privacy.
Does referring people to an Affiliate count for anything? It's still confusing, so I'll keep working on my Notifications until I get them right. In the meantime, my website is suffering.
Any clarification will help a lot. Thanks. Ted
This article answers your question: What Is General Data Protection Regulation 2018 (GDPR)?
Thanks for the help. It looks like the small businesses we run are not impacted. Even Kyle's article didn't change much. Great! We were all panicking for nothing. Now I can go back to business. I'll be "following" you for more sage advice. Ted
If you are not using an autoresponder service, just delete that entire mailing lists section.
Thanks for the update Kyle!
Some of the other members here have recommended installing additional plugins (such as Cookie Notification bars, etc.).
Will those be necessary on top of your recommendations?
You can. Again, this comes down to many things, your jurisdiction and whether or not you are using cookies. If you are an affiliate, you are not using cookies...they are set on the merchant page, not your site.
Okay, that makes sense, but if we have things like Adsense it's probably wise to err on the safe side and let EU visitors know, as you mentioned in your post, right?
Maybe a lot of us are overthinking this but personally, I'd rather play it safe - as long as a Cookie notification bar won't steer a large number of visitors away from staying on my site.
I strongly believe that this new policy will lead to a drastic drop in the number of email subscribers, as they would be required to check a lot of boxes before providing their email addresses. For potential subscribers who do not want to read and understand, they would prefer not to leave their personal information. Besides they lose nothing. We are the ones to lose if they don't leave their email addresses.
This is awesome Kyle, thanks so much for making it easy to understand! This was all so confusing but I chose to wait to hear from you. Right now I am only using SEO techniques for organic traffic. Should I add the plug-in now or wait until I have an auto responder?
Great question Suzanne. I wonder the same and will wait with you for Kyle to respond. It is still a bit confusing, and Kyle did a great job here explaining.
Adding the WP GDPR Compliance plugin is something that you should do regardless whether or not you have an autoresponder. If you accept comments on your website or have a contact form, you should have this installed :)
I used the EU Cookie Law plugin that Loes demonstrated in her blog post here at WA. Do we need this WP GDPR Compliance plugin in addition?
Thank you for providing some clarification around this GDPR compliance issue. The waters do get very muddy when trying to factor in the policies of the various affiliate program providers, subscription services and analytical tool providers and how they inter-relate to your website operations.
Appreciate your work and template on this legal action!
Thanks, once again, Kyle, for coming to the rescue and clarifying all these stipulations, provisions and regulations in regard to Internet Privacy. There was a lot of speculation surrounding this issue and I'm relieved to have all the questions answered in your insightful post! Many thanks for always keeping us in tune with the times!
Thanks Kyle, Carson, and team, but this looks like yet another example of a law that will be unenforceable for some time. Even if they COULD enforce it would it be worth going against an individual with minimum resources?
I suggest that they might make a few test cases against larger companies, but I don't believe that a small concern or an individual would be a target.
There will most likely be numerous court cases against this policy as well. Can you imagine if EVERY country or continent had their own policies? What a nightmare that would be. I think that in the long run some international organization will be formed to form a universal policy. The EU does not exist in a vacuum.
Thank you Kyle, I also agree about the IP address, it really doesn't have anyone's name on it. I personally love that the EU is making changes, it may be confusing, but we will get through it and I feel it is a step forward in the right direction. Thanks for the info, much appreciated.
It doesn't have any application, without other actual personal data. However, even an ISP could not look up who is operating on an IP, they could determine who is paying the bill, but that is about the extent of it.
So an IP in my opinion could never be considered "personal data" by itself; it could be complementary data that could work alongside actual personally identifying data.
Thanks Kyle. In the end I think all of this will be a good thing for all of us. It would be fantastic if more countries could agree on the same requirements. Maybe with time, although nothing in history suggests that this is definitely even possible.
Well implicitly they are. After speaking with several lawyers in the US, they are tending to look up to the EU to implement internet based regulations because of the incredible partisan issues in the US (and their inability to get anything done).