Anyone who does business with Europe — that is, any website that gets or uses information about European site visitors — has heard of its online-privacy protection, even if they don’t know it’s called General Data Protection Regulation (GDPR). The regulations are intended to serve more than just bureaucratic purposes: GDPR gives better control of personal data to the Euro-zone public.
Update: add to that the increasing number of international jurisdictions that are passing privacy-related laws that affect website owners. They include the UK, Canada, and California (US), with more assuredly coming.
Wherever You Are
GDPR is aimed at any website with visitors from the European countries, no matter where it or its business is located. Websites that do not provide the required control and protection of personal data may incur substantial penalties. Some question the jurisdiction of the Euro-zone regulation and how enforceable its penalties are.
See the GDPR Fines Tracker & Statistics
Our recommendation: it is a better strategy to comply than to risk discovering your obligations during the course of a court case, via financial levies, or having your website and even business transactions blocked in some countries. There is no good reason to increase your exposure to risk when the measures required for compliance are not difficult for most websites.
Note: this applies to more than e-commerce and detailed-data transactions. Even the simplest opt-in and contact forms should be reviewed for compliance. If you maintain email lists and conduct email campaigns, evaluate those for GDPR issues, too.
A quick summary is reflected in this page posted at EUgdpr.org. Other sections of the same website offer detail.
Non-Euro Businesses and GDPR
“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.”
Data Retention Policies
The Google Analytics Data Retention controls provides the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers. We encourage site managers to read the entire page, which has a list of Analytics’ GDPR-related links and concludes with these instructions for website managers who have edit permissions in the relevant Google Analytics account:
- Sign in to Google Analytics.
- Click Admin, and navigate to the property you want to edit.
- In the PROPERTY column, click Tracking Info > Data Retention.
- User-data retention: select the retention period you want.
- Reset on new activity: turn the switch on or off.
EU-US Privacy Shield
Google states complies with the EU-US Privacy Shield. See their statement and a link to their certification.
GDPR and WordPress
The WordPress core collects users’ information, even if it’s just a lone admin user. If that user happens to live in the Euro-zone, the site must comply with GDPR. Of course, it might also be storing data about other users who have registered, whether as admins, editors, contributors, or subscribers. If even one of those lives in the Euro-zone, the law applies.
Managers of WordPress websites may wish to refer to the article by Code in WP, “The Complete WordPress GDPR Guide: What Does the New Data Regulation Mean for Your Website, Business and Data?”
Automattic, makers of the ubiquitous WooCommerce plugin for online store-inventory-shopping cart-transactions, have announced their products are expected to comply with GDPR by its effective date, May 25, 2018. WordPress site managers will need to be sure all related plugins are updated on that date and watch the Automattic blog or contact them directly for verification.
If your website uses WooCommerce, see their article, “An Introduction to GDPR Compliance for WooCommerce Stores.”
Needless to say, users of other e-commerce options should inquire about GDPR with those providers.
Note: in addition to the work being done by providers of form plugins, it might also be necessary for site managers to take certain steps. Pay attention to best practices as they develop around this subject. At this time, our notes include:
- Add an explicit, required opt-in field (with only one possible value: yes) for users to indicate they consent to the website collecting and storing the information they provide. The field must not be pre-checked or pre-filled in any way.
- Give users a simple way to request a copy of all their personal information you have and to request you delete their data from your records. In general, you are required to comply with those requests, though you might be permitted to retain certain data required by law or in order to fulfill your business obligations. The WordPress core has introduced utilities to support this, but you will want to confirm that those built-in utilities also include data collected by your plugins, etc.
- Do not automatically add users to a mailing list. Instead, provide a field in your forms for users to explicitly opt-in to receiving such emails. Like the above, it must not be pre-checked.
- Don’t use non-obvious ways to collect information about form users. This means, for example, not using cookies without users’ explicit permission, and not tracking them by their IP address, browser-related identifiers, etc.
- If any of your form plugins store, validate, or in any other way communicate form contents to the form maker’s servers — to any computer or storage, really, other than yours, your web server, and the visitor’s computer — have a data-processing agreement (DPA) with the form’s maker. If you’re ever audited for GDPR, the DPA may help document how the form’s processes comply.
Other Plugins for WordPress
To be perfectly clear and redundant, too: anything that collects even a little personal information about a website’s users — if even one of those users is in the Euro-zone — should be reviewed for compliance with GDPR.
And Outside the WordPress Ecosystem?
The trail doesn’t end when WordPress is in compliance. If any forms feed data to Constant Contact, MailChimp, or other third-party services, the data stored there also is subject to GDPR.
Disclaimer: The information contained here or anywhere else on this website does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.