Last Updated on July 31, 2020
European Legislation in America?
After four years of deliberation, the European Union officially adopted the General Data Protection Regulation (GDPR) in 2016. GDPR gives citizens who live in the European Economic Area (EEA) and Switzerland more control over how their personal data is collected and used online. As a result, businesses collecting any user information online are potentially impacted by the new standards. With the General Data Privacy Regulation (GDPR) into effect as of May 25th, 2018, the following information is meant to help U.S.-based businesses be in compliance for web visitors and customers from the EU.Ready to Talk?
What is GDPR?
GDPR gives citizens who live in the European Union more control over their online personal data. Here’s the the official legal text of the regulation if you’d like to read. The most significant changes are:
- Companies have to be transparent about what information they’re collecting, what it will be used for, how long the data will be stored, how they’re collecting it, and if that information will be shared with anyone else. Companies should limit the period for which the personal data are stored to a strict minimum. Companies should also inform users of the risks, rules, safeguards and rights in relation to the processing of their personal data and how to exercise their rights in relation to such processing. They can only collect information that is directly related to its intended use. If the company later decides to use the collected data for a different purpose, it must get permission from each individual again.
- Any information and communication relating to the processing of those personal data (e.g. privacy policies and disclosures) should be easily accessible, easy to understand, and put in clear and plain language.
- Individuals have to take a clear affirmative act establishing a “freely given, specific, informed and unambiguous” consent to their data being collected and processed, such as by an oral statement, or a written statement, including by electronic means. Pre-ticked boxes or agreed-by-default policies and notifications that rely on inaction will no longer work as a way of getting user’s consent. Companies have to send clear and concise consent requests, and they can no longer block users from accessing services or content if they refuse to have their information collected. Companies should also make it as easy to withdraw as to give consent.
- Individuals have the right to access their collected data, withdraw consent for personal data collection, and/or request for rectification or erasure of their personal data. Companies are obliged to respond to requests from the users without undue delay and at the latest within one month and to give reasons where they don’t intend to comply with any such requests. If someone decides to revoke their permission, the company has to erase the data from the systems, as well as anywhere else it has shared that data.
- Companies need to take reasonable steps to ensure appropriate security and confidentiality of the personal data, and that personal data which are inaccurate are rectified or deleted. If a personal data breach occurs, companies should notify the personal data breach to the supervisory authority and consumers within 72 hours after having become aware of it.
- In order to demonstrate compliance with GDPR, companies should maintain records of processing activities under its responsibility.
- Failing to comply with GDPR can come with some very steep consequences. If a data breach occurs because of non-compliance, a company can be fined as high as €20 million or 4% of the company’s annual global revenue, whichever amount is greater.
Should I worry about GDPR?
GDPR is only supposed to apply to the EU and EU residents. However, just because your business isn’t Europe-based doesn’t necessarily mean that GDPR won’t apply to you. If your company conducts business in Europe, collects data about users from Europe, advertises itself in Europe, or has employees who work in Europe, GDPR applies to you, no matter where you’re based.
On the other hand, if it’s clear that your company’s products and services are only available to consumers in the United States, or anywhere else outside the EEA, GDPR won’t apply to you.
What should I do to become GDPR compliant:
Go Through Your Data and Check Your Google Analytics
When you are using Google Analytics, Google is your data processor, and you and your company are considered the data controller in this situation. Since Google handles data from people all over the world, it has had to take steps to become compliant with GDPR. However, you and your company also need to make sure your Google Analytics account is set up to meet the new GDPR standards.
There are several things you can do in Analytics to be GDPR compliant:
- In Analytics, you now have the ability to delete the information of individual users if they request it.
- In Analytics, under the Admin tab > Property column > Tracking Info > Data Retention, you can control how long individual user data is saved before being automatically deleted. Google has set this to be 26 months as the default setting. If your company is US-based and strictly conducts business in the United States, you can set it to never expire if you want to.
- Audit all the data you collect to make sure it’s all relevant to its intended purpose and that you aren’t accidentally sending any personally identifiable information (PII) to Google Analytics. PII includes anything that can potentially be used to identify a specific person, whether on its own or when combined with another piece of data, like a birthdate, a home address, an email address, an IP address, or a zip code.
- To keep getting geographical insights about the visitors to your site, turn on IP anonymization.
- If you use Google Tag Manager, IP anonymization is relatively easy. Just open your Google Analytics tag or its settings variable, choose “More Settings,” and select “Fields to Set.” Then, choose “anonymizeip” in the “Field Name” box, enter “true” in the “Value” box,” and save your changes.
- If you need assistance with your Google Analytics or Tag Manager account, let us know. We can check your settings, make sure goals are tracked accurately, and train you on reports to monitor.
- Make sure pseudonymous information like user IDs and transaction IDs is protected and put in alphanumeric database identifiers, instead of plain text.
- Follow the steps Google has mentioned in some of those emails they’ve sent out. As long as GDPR applies to you, you’ll need to go into your organization settings in Analytics and provide contact information for your organization. Additionally, if you’re based outside the EEA, accept the updated terms of processing by going into your Google Analytics account settings. If you’re based in the EEA, the updated terms have already been included in your data processing terms.
If your company has a legal department, it may be most ideal to involve them in this process to ensure you’re fully compliant.
Check Your Email Marketing and Marketing Automation
Make sure to follow best industry standards. Only send messages to those who opt-in to your list and make it easy for people to unsubscribe. If you are not sure how your contacts opted in, or any of them don’t have their country listed, you may want to either remove them from your list, or put them on a separate segment so they don’t get any messages from you until you can get that figured out, or send them a new opt-in email asking them to confirm if they’d still like to receive messages from you.
Update Your Gated Content and Forms
Gated content include things like free reports, white papers, or webinars. It is often used by companies as a way to generate leads. Under this strategy, web visitors trade personal information (PII) for access to the content. Since GDPR prohibits blocking access to content if a person doesn’t consent to their information being collected, this process is now trickier.
GDPR requires companies to prove that the information they collect is necessary for them to provide the deliverable. It also requires that any forms used on a site for gated content need to clearly state how the information being collected will be used.
If you don’t get a lot of leads from EEA users, you can just block all gated content from European visitors. Or, you can make that information freely available to all visitors from Europe.
Harden Your Site Security
Do everything you can to harden your site security: keep your themes and plugins up to date, and remove unused ones. Only use trusted themes and plugins. Regularly backup your site. Monitor incoming attacks. Use SSL for data security. Use a secure hosting environment. Conduct periodic security audits and core reviews. And the list goes on and on. Not only for the sake of being GDPR compliant, you should do all of these anyways.
Keep A Record of Everything You’ve Done to be Compliant
GDPR requires companies to maintain records of processing activities under its responsibility, in order to demonstrate compliance. So make sure to keep records of everything you’ve done to be compliant, including documenting how people opt in to being on your marketing lists, and data security documentation regarding how you are protecting your users’ data.
GDPR In A Nutshell
GDPR is a broad reform that gives EEA and Switzerland citizens more control over their personal data collected and used online. To become compliant and avoid potential fines and punishments, consider checking:
- Collected data,
- Google Analytics settings,
- Forms and cookie notices,
- Email marketing and marketing automation practices,
- Gated content,
- Any other online marketing process that involves user data collection.
If you have questions about how GDPR applies to you, we suggest talking with your legal department or legal counsel.