It’s one of the biggest data privacy laws in over 20 years. The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. These regulations will impact businesses that utilize personal data of EU citizens, even if the company does not have a physical presence in Europe. This means that the GDPR will be applicable for US websites as well.
If you are a US company with a website and you receive traffic from European Union visitors, regardless of whether you market your products or services to European markets, listen up.
Here’s what every US business needs to know about the new data privacy rules, GDPR requirements and deadlines.
GDPR Meaning
What is GDPR? What does GDPR Mean?
GDPR, which stands for General Data Protection Regulation, was passed back in May 2016. In an effort to establish “digital rights” for European Union citizens, the EU gave websites two years to comply with the new set of personal data protection and privacy rules.
GDPR Goes Into Effect May 25, 2018.
No matter where you are based, the GDPR will apply to any organization that collects and stores personal data* on European Union users on their website as of May 25, 2018.
What Does Personal Data Include Under GDPR?
According to the European Commission, personal data* includes, “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
- Identification information: name, telephone number, physical and email addresses, and government ID numbers
- Website data: location, IP address, cookie histories and RFID tags
- Health, mental and genetic data
- Biometric data
- Racial, cultural or ethnic data
- Political opinions
- Sexual orientation
- Tagged photos
How will GDPR Impact US Websites?
As data controllers, all US business websites that collect personal information will be held accountable for any data about an EU citizen that they collect, process or disseminate.
If a customer’s information is misused on a US website, or a security breach is not reported correctly, organizations could risk steep financial and legal penalties. If you don’t do anything to comply, you’re looking at potential fines of up to 4% of annual global revenue or 20 million euros ($23,714,240 U.S. dollars), whichever is greater.
Steps to Ensure GDPR Compliance for US Websites
As you can imagine, compliance will be difficult for small (and even large) U.S. businesses that operate websites and may receive web visits from European residents.
GDPR requires companies that collect personal data on their websites to first ask for consent.
For example, let’s say you run an advertisement promoting a white paper. But in order for users to access your piece of content, you ask them to complete a form with their name and email address.
What can be done with this captured data?
In a business-to-business (B2B) scenario, you can use the email address to send the white paper. However, you must give the recipients the option to opt out of future emails, include a privacy notice on how their data will be processed, and link to your GDPR-compliant privacy policy as well.
You no longer have the right to keep their details on your US website since the “transaction” has been fulfilled by sending them the white paper. Unless you make some changes…
Thankfully we have some tips to help you get in compliance with GDPR in 2021:
- Edit all forms by asking for their company name and adding a description of what the user is signing up for
- Ensure all forms and other data collection methods on websites are explicitly opt-in (note, a tick-box must not be pre-ticked)
- Make it easy for users to opt-out or unsubscribe
- Add a cookie alert banner
- Update privacy policy / terms and conditions to reference GDPR terminology
If you already have a form that has a pre-ticked box, you’ll need to update that before May 25 to reflect the above.
Now, what about all that personal information that’s already stored within US websites?
By law, organizations are not allowed to market to anyone on that list who did not explicitly agree to be marketed to. So, before May 25, send all of your contacts an email with a form asking them to re-consent to receiving your newsletter and product or service offerings.
GDPR Updates for 2021
In the three years since GDPR went into effect, the law has only gotten stronger. Nearly all of the EU’s member states have fully implemented GDPR.
The definition of “joint controller” was recently updated. The role of joint controller often comes into play when agencies are managing other companies’ social media accounts or displaying social media plugins on their websites. In situations where two or more entities are responsible for the collection of consumer data, both of those entities (joint controllers) can now be held responsible in the event of non-compliance.
Another major development occurred in May 2020, when the EU updated its GDPR guidance to clarify a number of points on cookie consent. Specifically, it was clarified that cookie walls should not be used, and scrolling or swiping from website content doesn’t equal implied consent.
Facebook Compliance with GDPR
As a Facebook advertiser, GDPR has changed the rules for collecting, processing, and storing data on EU individuals. Additionally, those using Facebook pixels on a website and/or custom audiences are also liable to comply with GDPR regulations.
Marketers may continue to advertise on Facebook, but they are responsible for ensuring GDPR compliance. Complying with GDPR within Facebook means that brands must first gain users’ consent before utilizing their information, inform subscribers on how their data will be used, and show or delete users’ information if requested.
Mailchimp Compliance with GDPR
One of the key requirements of the GDPR regulation is that user consent must be “freely given, specific, informed and unambiguous.” This means that if your business collects personal data, such as names and email addresses and has been sending email newsletters or promotions without confirming their consent, you could be in hot water.
Mailchimp offers simple tools related to consent to help businesses stay compliant with the latest GDPR laws.
- Start a new GDPR-compliant list for all future email campaigns.
- Design GDPR-friendly forms that are consistent with your brand.
- Respond quickly to data requests from contacts.
- Stay protected with transparent data policies.
Google Analytics Compliance with GDPR
The changes brought on by GDPR directly impact online marketing efforts, particularly those used for Google Analytics. Every business must adapt to the new requirements, which can be tricky at first.
To ensure your business is using Analytics in compliance with GDPR, start by auditing all current data, anonymize potentially personal identifying information (PII) on users, such as an IP address, and obtain explicit consent before loading the Google Analytics script. Pop-ups or widgets give first-time visitors, as well as returning visitors, the opportunity to opt in or out.
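The consent gate described above, as an added example that is not code from the original article: the analytics tag is injected only after an explicit, recorded opt-in, and IP anonymisation is requested when it loads. The storage key, the gtag.js loader URL and the `anonymize_ip` setting (a Universal Analytics gtag option) are this example's own assumptions; adjust them for the tag you actually use.

```javascript
// Added example, not code from the original article: load the analytics tag only
// after an explicit, recorded opt-in, and request IP anonymisation when it loads.
// Assumptions: the storage key, the gtag.js loader URL and the `anonymize_ip`
// setting (a Universal Analytics gtag option) are this example's own choices.

const CONSENT_KEY = "analytics_consent_v1";
const MS_PER_DAY = 86400000;

// Read the stored choice. Anything short of an explicit, current opt-in counts as
// no consent: no record, unreadable storage, malformed JSON, an opt-out, or a
// record older than maxAgeDays (re-ask rather than assume).
function readConsent(storage, nowMs = Date.now(), maxAgeDays = 365) {
  let raw;
  try {
    raw = storage.getItem(CONSENT_KEY);
  } catch (e) {
    return { granted: false, reason: "storage-unavailable" };
  }
  if (raw === null || raw === undefined) return { granted: false, reason: "no-record" };
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch (e) {
    return { granted: false, reason: "malformed" };
  }
  if (rec === null || typeof rec !== "object" || typeof rec.at !== "number") {
    return { granted: false, reason: "malformed" };
  }
  if (rec.granted !== true) return { granted: false, reason: "opted-out" };
  if ((nowMs - rec.at) / MS_PER_DAY > maxAgeDays) return { granted: false, reason: "expired" };
  return { granted: true, reason: "ok", at: rec.at, source: rec.source };
}

// Store the visitor's choice together with how and when it was given. The UI must
// call this only from a control that is unchecked by default (no pre-ticked box).
function recordConsent(storage, granted, source, nowMs = Date.now()) {
  const rec = { granted: granted === true, at: nowMs, source };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Inject the tag only with a current opt-in; injectScript(url, config) is the
// caller's DOM loader (e.g. one that appends a <script> element and calls gtag).
function loadAnalyticsIfConsented(storage, measurementId, injectScript, nowMs = Date.now()) {
  const consent = readConsent(storage, nowMs);
  if (!consent.granted) return { loaded: false, reason: consent.reason };
  const url = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  injectScript(url, { id: measurementId, params: { anonymize_ip: true } });
  return { loaded: true, reason: "ok" };
}

// In-memory stand-in for window.localStorage so the gate can run outside a browser.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
  };
}
```

In the page, pass `window.localStorage` and a loader that appends the script element; the gate never touches the DOM itself, so the decision logic can be unit-tested on its own.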
Which Countries Does GDPR Affect?
The physical location of an organization does not impact GDPR compliance; it is the physical location of the individual whose data is being collected, processed or stored that matters. Even if you’re a US company, chances are that you have European Union residents in your database.
UPDATED: GDPR covers all of the 27 European Union (EU) Member States, which includes: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The United Kingdom, including Channel Isles, England, Northern Ireland, Scotland and Wales, is still part of the EU, thus governed by GDPR.
GDPR also covers European Economic Area countries, such as Iceland, Liechtenstein and Norway, as well as dependent territories that are technically part of the EU, though not geographically in Europe, and are therefore governed by GDPR. These include: Azores, Canary Islands, Guadeloupe, French Guiana, Madeira, Martinique, Mayotte, Réunion and Saint Martin.
GDPR For Dummies
In the most simple terms, the General Data Protection Regulation (GDPR) is a game-changing data privacy law that has set guidelines for collecting and processing the personal information of individuals within the European Union (EU). It is the biggest change in data protection laws in the past 20 years.
The rule enforces the following:
- The right for individuals to lawfully consent to companies using their private information
- The right for users to have their private information no longer accessible by a company
- The right for individuals to decide whether their private information becomes public or not
Those who don’t comply with the GDPR law may face a fine of up to 20,000,000 euros, or up to 4% of the company’s profits from the previous year, whichever is higher.
Simply put, GDPR is a regulation that businesses must take seriously.
What Is The California Consumer Privacy Act
Following in the footsteps of GDPR, California approved a new regulation set to go into effect January 1, 2020. The California Consumer Privacy Act is very similar to the GDPR law, providing residents living in CA the right to control the data that companies collect on them.
To prepare for this new regulation, businesses must first become aware. Check. And then start identifying potential data risks, keeping only the personal information necessary to service direct business and legal needs.
What Is The California Privacy Rights Act (CPRA)
Despite having a similar name to the California Consumer Privacy Act, the California Privacy Rights Act was developed to serve a very different purpose. When the CPRA goes into effect in January 2023, it will go beyond the CCPA to give even more protection to Californians’ private data. This includes data involving a consumer’s race, religion, sexual orientation, health data, or government ID. It will triple the fine for breaches of minors’ data and give Californians the right to request that their data be corrected.
GDPR Article 28: What Processors Need To Do
According to Article 28, a data processor must be GDPR compliant, processing data according to the requirements of the data controller. Under the GDPR, a processor is a legal person, public authority, agency or other body which processes personal data on behalf of the controller. The controller is “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” Two common examples of a controller are a business obtaining client or employee details and a school holding student records.
These requirements must be specified in a controller/processor contract and must also contribute to any compliance audits.
Facebook and Google Hit with GDPR Lawsuits
On the first day that the GDPR law went into effect, both Facebook (WhatsApp) and Google (Android operating system) were hit with lawsuits accusing them of coercing users into sharing their personal data through terms and conditions.
The lawsuits suggested that both companies were in breach of GDPR because they followed a “take it or leave it approach” to gaining user consent. Both Facebook and Google claimed that the necessary steps had been taken to ensure compliance with the new regulations.
UPDATED: In 2021, WhatsApp was fined $267 million by Ireland’s Data Protection Commission for breaching GDPR, although the company announced plans to appeal. Google was also fined 50 million by France’s privacy regulator for GDPR advertising violations. Other companies that have run into issues include Amazon, H&M, British Airways, Marriott, and BBVA. YouTube, Netflix, Apple, Spotify, and Soundcloud have also been accused of violating GDPR by failing to supply additional information to which people are entitled, such as a list of other companies with whom their data was shared.
As some of the largest handlers and processors of people’s data in the world, it’s not a surprise that Google and WhatsApp were some of the first to be hit with record fines for breaching the GDPR. But it’s not just global businesses that need to be aware. Almost all large companies, as well as many small to medium-sized businesses, must modify business models and provision of services.
Shopify GDPR: What Online Store Owners Need to Know
While every business is different, GDPR compliance remains the same for shop owners. First, regardless of where a business is based, GDPR applies to all companies that offer products or services to consumers located in Europe. The law empowers Europeans to have a say in exactly how their data is being used. As a result, store owners should only collect the data they need, not assume compliance, and make terms and conditions really (really) clear.
Put it all out in the open. It’s the simplest (and safest) way to stay protected from concerns about GDPR compliance.
How To Make WordPress Website GDPR Compliant
Unsure how GDPR is impacting your WordPress site? If you are storing or processing data, such as contact forms, analytics, online marketing, membership sites, online stores, etc., it’s vital to ensure your website is GDPR compliant.
Consider adding an extra layer of transparency, especially if you are storing information for marketing purposes. Do this by getting explicit consent from users via a simple consent checkbox with a clear explanation and also complying with data-deletion requests.
WordPress GDPR Plugin
Several WordPress plugins can help to automate compliance for GDPR. With features ranging from privacy preference management to data breach notification logs and telemetry trackers for visualizing website data, such plugins are designed to assist Controllers, Data Processors, and Data Protection Officers (DPO) in their efforts to meet the obligations enacted under the GDPR.
However, be aware that due to the dynamic nature of websites, no single plugin can offer 100% compliance. Therefore, it is advised to double check all settings, refine consent management and assess unique responsibilities to meet obligations required by law.
The 7 GDPR Principles
When collecting, processing and/or managing personal information data, organizations must follow seven key principles, according to GDPR. These principles should lie at the heart of your approach to processing personal data.
- Consent – You need clear and affirmative action from individuals to process their personal data.
- Right to Access – Individuals have the right to know what data you have of theirs and what you are going to do with it. You must be prepared to provide them an electronic copy upon request.
- Right to Erasure – Individuals have the right to require the deletion of their data at any time.
- Data Portability – Individuals have the right to require organizations transmit their data to another company.
- Breach Notification – In the event of a data breach, individuals must be notified within 72 hours.
- Privacy by Design – Data protection measures must be incorporated into the design of systems from the very beginning, not just added later. Companies may hold and process data only when absolutely necessary (data minimization). They must also limit access to that data.
- Data Protection Officers – Large-scale data processing companies must hire a Data Protection Officer, who acts independently in order to assess regulatory compliance.
GDPR and Salesforce
Ensuring that your Salesforce instance is GDPR compliant for e-commerce begins with reviewing existing customer data you have on file, monitoring the customer data you collect, and establishing a strategy.
Always document compliance, copies of privacy notices and consent forms; conduct regular risk assessments to review controls and processes; and notify data controllers of any data breaches as soon as they occur.
GDPR Hubspot
While every business is different, data collection and storage practices (including marketing and sales processes) must comply with GDPR. If you use tools like Hubspot or Salesforce, make sure you have a system for recording consent. Record how and when you received it and any updates made to the consent information.
The GDPR regulation builds in two new rights for data subjects: a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests and a “right to data portability” that allows data subjects to demand a copy of their data in a common format. In other words, your contacts should be able to easily opt in or out of different kinds of communication (email, SMS, phone messages, marketing messages, etc.).
The Cost of GDPR Non-Compliance
It pays to play nice. If you take steps to mitigate any possible damage, warnings may be issued. However, negligence or any attempt to hide bad practices can lead to steep penalties.
As stated above, expect to see fines of up to 20 million Euros ($22,734,300) or 4 percent of annual global turnover, whichever is higher.
Understanding which infringements these penalties apply to could be key to your business avoiding fines. If you receive a written warning, take it seriously, as you most likely won’t get one again.
Twitter GDPR
According to the FAQ page, Twitter complies with the GDPR by using the Twitter International Company (an Irish commercial entity) as the controller of data outside the United States. In addition, Twitter International Company has Data Transfer and Processing Agreements with Twitter, Inc., within the U.S., and its affiliates, which allow Twitter, Inc., to process personal data.
In other words, if you are using Twitter for business (or Instagram, Facebook, LinkedIn, etc.), ensure your organization is taking good care of the data you’re working with and that you are obtaining clear consent for the data gathered.
Opt-In: GDPR-Friendly Email Marketing
One of the biggest questions when it comes to GDPR and email marketing is the contact list and if you can keep emailing those who were on your mailing list prior to May 25, 2018.
If your mailing list includes subscribers who were automatically opted in, whether through a pre-checked box or via a purchased mailing list, then you will need to gain consent from them again. Recital 32 states, “Silence, pre-ticked boxes or inactivity should not constitute consent.”
In addition, make it easy for them to withdraw consent. And explain how. According to Article 7(3), “The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”
Unsure how to regain consent? Just ask! Just remember to get permission and store a record of it when you do.
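A consent record of the kind the Hubspot/Salesforce section and this opt-in section call for, as an added example that is not code from the original article: an append-only ledger that keeps how and when each consent decision was made per contact and purpose, rejects sources that cannot constitute consent under the Recital 32 wording quoted above, makes withdrawal a single call, exports a contact's records as plain JSON for access and portability requests, and on erasure returns the downstream recipients who must also be told. The class, purpose and source names are this example's own.

```javascript
// Added example, not code from the original article: a consent ledger that records
// the how and when of each decision and supports withdrawal, export and erasure.
// The source strings below are this example's own labels, not terms from the law.

// Sources that, per the quoted Recital 32 wording, cannot constitute consent.
const INVALID_SOURCES = new Set(["pre-ticked-box", "purchased-list", "silence", "inactivity"]);

class ConsentLedger {
  constructor() {
    this.events = [];            // append-only; decisions are never edited in place
    this.downstream = new Map(); // contactId -> Set of recipients that received the data
  }

  // Record an affirmative opt-in with its source and timestamp (ms since epoch).
  grant(contactId, purpose, source, at) {
    if (INVALID_SOURCES.has(source)) {
      throw new Error(`source "${source}" does not constitute consent`);
    }
    this.events.push({ contactId, purpose, action: "grant", source, at });
  }

  // Withdrawal must be as easy as giving consent: one call, at any time.
  withdraw(contactId, purpose, source, at) {
    this.events.push({ contactId, purpose, action: "withdraw", source, at });
  }

  // Note a processor or partner that received this contact's data, so that a
  // deletion request can be passed on to them later.
  shareWith(contactId, recipient) {
    if (!this.downstream.has(contactId)) this.downstream.set(contactId, new Set());
    this.downstream.get(contactId).add(recipient);
  }

  // Current status is the latest event for that contact and purpose; no event at
  // all means no consent (silence is not consent).
  hasConsent(contactId, purpose) {
    let latest = null;
    for (const e of this.events) {
      if (e.contactId !== contactId || e.purpose !== purpose) continue;
      if (latest === null || e.at >= latest.at) latest = e;
    }
    return latest !== null && latest.action === "grant";
  }

  // Right of access / data portability: everything held about the contact, as JSON.
  exportFor(contactId) {
    return JSON.stringify({
      contactId,
      consents: this.events.filter((e) => e.contactId === contactId),
      sharedWith: [...(this.downstream.get(contactId) || [])],
    });
  }

  // Right to erasure: drop the contact's records and return who else must delete.
  erase(contactId) {
    const notify = [...(this.downstream.get(contactId) || [])];
    this.events = this.events.filter((e) => e.contactId !== contactId);
    this.downstream.delete(contactId);
    return { erased: true, notify };
  }
}
```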
GDPR Examples
Obtaining consent doesn’t just mean securing an affirmative response. It also requires your organization to make it easier for people to understand what their consent actually means. As you might imagine, urging your audience to actively consent to having their data used for marketing purposes is much easier said than done.
When it comes to best practices, provide a straightforward message with clear consent wording and include a cookie consent notice. Google provides a concise description about how they use cookies along with a video to ensure users understand.
GDPR Unsubscribe Rules
If contacts want to unsubscribe from emails and newsletters, make it easy for them. The unsubscribe process must be clear and simple, with a visible unsubscribe link in every email where your subscriber can do the following:
- Unsubscribe from that particular marketing communication
- Easily unsubscribe from all of your communications
- Contact a specific return email address
GDPR Website Checklist
According to GDPR, websites must notify visitors that they are using cookies, location data and any other personal information that users are about to provide.
Are you ready? Here are a few points that website owners should take care of to be GDPR compliant:
- Offer the option to withdraw consent (opt-out).
- Provide a separate consent from the Terms & Conditions.
- Ask for less information.
- Ensure nothing is checked off by default.
- Boost overall security of the website through an SSL/TLS certificate so that it is served over HTTPS.
- Secure the company data with a Data Protection Officer.
- Notify users if a website has integrated a third-party tool to track IP addresses.
- Gain clear consent to process data for cookies.
- In the event of a data breach, have a procedure in place to notify all users.
- Create a unique privacy policy so customers know what data they are providing and what information websites are acquiring.
As you can see, this transition is going to be tricky. If you need help making your US websites GDPR compliant, get in touch ASAP to see how CMDS can help.