UPDATE: As new/more information keeps coming out, we've been updating this article with new information and resources.
Note: We at Webstix are not lawyers. To make sure you're compliant, you should seek legal counsel.
Ah, privacy. It's important - both here in the USA and in Europe, but over in Europe, they're taking more action at this point.
If you're wondering right now if the GDPR applies to you, it probably does not. If it did, you'd be working on it already but still please look over this article to find out more about it.
GDPR stands for General Data Protection Regulation and it begins on May 25, 2018 in Europe. To sum it up, it states that European citizens need to have complete control over their data/information. If you ask any of them for it, you need to state why you need it / what you're going to use it for. They, then, have to agree to give it to you.
More specifically:
GDPR for WordPress (gdprwp.com)
In (very) short. GDPR states that if a website collects, store or use any data related to an EU citizen. You must comply with the following:
– Tell the user: who you are, why you collect the data, for how long and who receives it.
– Get clear consent before collecting any data
– Let users access their data, and take it with them
– Let users delete their data
– Let users know if data breaches occur
If you're found to not be compliant with these standards, you could be fined up to 20 million Euros (that's $24,750,180 at the time of writing this article).
If you're in the United States and think that you're fine since your business is here, you may be wrong.
Here's some clarification:
Yes, The GDPR Will Affect Your U.S.-Based Business (forbes.com)
A very important change in the GDPR that hasn’t received the attention it deserves has do with the geographic scope of this new law.
To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
...
Who are likely U.S. candidates to fall under the GDPR’s territorial scope? U.S.-based hospitality, travel, software services and e-commerce companies will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations.
U.S. companies, especially those with a strong Web presence, should be paying attention and changing practices now and not waiting to become a headline two years down the road.
The World Wide Web is global. Practically everyone has access to it everywhere. The technicalities here pertain to if you're specifically targeting European citizens - as we understand it. This is not most of our clients but it may be some of them.
If you have an email list with email addresses of European citizens, GDPR does affect you. You should update your Privacy Policy as a start, to make sure you're covered at a basic level. Again, please consult your attorney to make sure you're compliant. This is especially important for e-commerce websites and websites with forums.
Using a firewall to block certain countries (like Europe) may also help. Those citizens can still come here to the US on "holiday" (as they say) and visit your website but according to how we see things written, you shouldn't be held liable for that. Also, how is this enforced over in the United States since it's a European thing? You'd need to have an office in Europe.
Some websites have those notices that appear saying that by using their website, you accept that the website uses cookies. Have you seen those notices? It's kind of related to the GDRP.
What’s the Deal with Cookie Consent Notices? (premium.wpmudev.org)
Have you ever wondered why some sites display a cookie consent notice? Do you know whether or not your site should be displaying such a notice? Maybe you know that your site probably should have a notice displayed, but you haven’t gotten around to setting one up.
[...]
The law is enforced by governing bodies in the EU, and therefore cannot apply unilaterally to everyone. If you live outside of the EU, have a website hosted on a server outside of the EU, and are targeting consumers anywhere other than the EU, you don’t need a cookie consent notice.
[...]
In short, if your website is based in the EU or if you are targeting consumers in the EU, and your site uses even a single persistent cookie, you need to display a cookie consent notice.
It's another protection mechanism for EU (European Union) consumers. WordPress does use cookies, by the way.
If you find that you do need to be in compliance, then you have some work to do - both with your business and your website.
First, make sure you're asking for the absolute bare minimum when it comes to information. If you do take people's information, explain what you will use it for. Also state how long you'll have it and state how they can access it. This applies not only to shopping carts but contact us forms and other forms.
Second, your Terms of Service and Privacy Policy must be compliant. Here's where you can get a GDPR compliant privacy policy:
Third, hurry up! You have until May 25th, 2018... that's European time. Let us know how we can help you.
You may have seen Google send this note to you:
"Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data." (Google Help)
One thing they're doing is they're making you decide how long you want your data stored.
It's under the "Tracking Information" setting in Google Analytics. To get there, first go to "Admin" at the bottom.
You can then set it to not automatically expire.
We suggest that everyone does this.
Each WordPress plugin (if you're using WordPress) will have its own set of things it does, so make sure you check to see what information each plugin you're using collects. Some plugin developers are issuing help regarding privacy policies.
And then make sure you're doing WordPress plugin updates this next week because plugin developers are updating their plugins to be more GDPR compliant - or using our Website Care program would help take care of that, of course.
Here are some additional resources that you may find helpful:
