GDPR - What's it all about?
You may have started reading or hearing about something called the GDPR (General Data Protection Regulation).
This is actually just the tip of the iceberg, with most website owners largely unprepared for the upcoming legislative changes that affect every website in the world that wishes to receive traffic from within the European Union.
Mark the date in your calendar...
May 25, 2018 is a big day for owners of websites (and businesses in general) around the world. New laws regarding the privacy of people in the European Union come into effect on this date, in the form of the GDPR, and for those who are not prepared it could mean significant fines (4% of annual worldwide turnover or €20 million, whichever is higher).
The full suite of changes facing website owners who wish to accept traffic from visitors in the EU is extensive.
If you use any in-page user tracking, analytics, tracking pixels or other tags that gather personal data (which includes tracking cookies and even the user's IP address), then when a user in the EU enters your site, and before any of your tracking or analytics tags load, you must:
- Ask for explicit permission to continue, let users opt in or out of this data collection, and let them select which types of personal data they are happy for you to collect and process.
- Offer full transparency of data collection, including how it is being used and where it is being shared.
Once they have agreed to enter your website and made their selections, your website must also provide:
- A valid ‘legal basis’ for every piece of personal data you collect, and everything you do with that personal data thereafter.
- An easy and clear way for users to change or fully revoke any data processing consents previously given.
- A form that allows an EU user to request all of the data you hold on them and to ask for it to be corrected, deleted or exported.
Depending on the type of business you are in, the obligations extend even beyond the above, but they are too extensive to go into in this post.
The good news is that there is a choice that more and more websites are likely to take up, at least in the short term:
Simply don't serve your website content to European customers
If you are outside of Europe, have a website, and do not regard European visitors as a significant source of revenue or a primary part of your target audience, it could make sense simply to block them from accessing your site.
Now, we don't feel that this is a great long-term solution, because while the current legislation relates specifically to data protection and privacy for website visitors in Europe, there is already discussion that similar laws will be developed in the US and the UK (post-Brexit), with other nations expected to follow suit not long after. So eventually, we think compliance with data protection regulations similar to the GDPR will become a necessity even for non-EU businesses.
But as a short-term band-aid measure, and given how close May 25th is, we believe it makes sense for many websites not primarily serving EU visitors to do this.
There are now online tools that offer assistance with this.
EziGDPR.com is just such a site.
EziGDPR allows you, in just a few minutes and without any financial commitment, to generate a single line of code to place in the head of your website that handles the whole process.
This bit of code checks where your website visitor has come from (with 99.8% accuracy) and, if it is Europe, redirects them to a page explaining that at present your site is not quite ready to meet the EU data privacy laws. The user can decline the redirect by explicitly stating "I am not a European Citizen", at which point they are sent back to your site. Note that a redirect script can only prevent collection by tags that load after it: it must be the first thing in the head, and any analytics or pixel tag placed ahead of it will already have fired before the redirect happens.
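As an added illustration (this is not EziGDPR's code and was not part of the original post), the following self-hosted gate does the same job in plain JavaScript: it decides whether the visitor should be sent to the notice page and only injects the tracking tags after that decision, so nothing fires first. The lookup endpoint GEO_ENDPOINT, the notice page NOTICE_URL, the tag list TRACKING_SCRIPTS and the affirm_non_eu query parameter are all assumptions; the country list is the EU-28 of May 2018 plus the three EEA EFTA states.

```javascript
// Added example, not EziGDPR's code: a self-hosted geo/consent gate meant to be
// the first <script> in <head>. Everything it names is an assumption:
//   GEO_ENDPOINT     hypothetical same-origin lookup returning {"country": "DE"}
//   NOTICE_URL       hypothetical "not yet GDPR ready" notice page
//   TRACKING_SCRIPTS hypothetical tag URLs, listed here instead of as static
//                    <script> tags so that nothing loads before the decision
//   affirm_non_eu=1  hypothetical query parameter the notice page's
//                    "I am not in the EU" button sends the visitor back with
const GEO_ENDPOINT = "/geo/lookup";
const NOTICE_URL = "/gdpr-notice.html";
const TRACKING_SCRIPTS = ["/js/analytics.js", "/js/pixel.js"];
const AFFIRM_KEY = "affirmed_non_eu";

// EU-28 member states as of May 2018 (ISO 3166-1 alpha-2), plus the three EEA
// EFTA states (Iceland, Liechtenstein, Norway) the GDPR was extended to in July 2018.
const EU_EEA = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
  "SI", "ES", "SE", "GB", "IS", "LI", "NO",
]);

function isEuEea(countryCode) {
  return typeof countryCode === "string" && EU_EEA.has(countryCode.trim().toUpperCase());
}

// Pure decision logic. The only ways to reach "allow" are an explicit
// affirmation or a lookup that places the visitor outside the EU/EEA. An
// unknown, empty or failed lookup fails closed to "redirect", so a geolocation
// outage never silently switches the tags back on.
function decide(countryCode, affirmedNonEu) {
  if (affirmedNonEu === true) return "allow";
  const code = typeof countryCode === "string" ? countryCode.trim() : "";
  if (code === "") return "redirect";
  return isEuEea(code) ? "redirect" : "allow";
}

// Browser wiring below; skipped when the file is loaded outside a browser.
function readAffirmation(win) {
  try {
    if (win.location.search.indexOf("affirm_non_eu=1") !== -1) {
      win.localStorage.setItem(AFFIRM_KEY, "1");
    }
    return win.localStorage.getItem(AFFIRM_KEY) === "1";
  } catch (e) {
    return false; // storage blocked (private mode etc.): treat as not affirmed
  }
}

function loadTrackingTags(doc) {
  for (const src of TRACKING_SCRIPTS) {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
}

function runGate(win) {
  if (readAffirmation(win)) {
    loadTrackingTags(win.document);
    return;
  }
  // Only the path is handed to the notice page, so its "return" link stays
  // same-origin and cannot be turned into an open redirect.
  const returnTo = encodeURIComponent(win.location.pathname);
  win.fetch(GEO_ENDPOINT, { credentials: "same-origin" })
    .then((r) => (r.ok ? r.json() : null))
    .then((body) => (body && body.country) || null)
    .catch(() => null)
    .then((country) => {
      if (decide(country, false) === "allow") {
        loadTrackingTags(win.document);
      } else {
        win.location.replace(NOTICE_URL + "?return=" + returnTo);
      }
    });
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  runGate(window);
}
```

Two points worth keeping in mind with any gate of this kind. First, it only governs tags it loads itself; a static analytics snippet left in the head runs regardless of the decision. Second, it does nothing about the web server's own access log, which already records the visitor's IP address (counted as personal data above) before any script runs, so a gate reduces exposure but is not compliance by itself.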
It may seem like an extreme measure, but it is a response to an extremely serious threat of fines. It is also worth noting that nothing in the legislation stops an individual or a group of individuals (hello, class action) from suing a website that is not compliant with these new laws.
So if you are not compliant, maybe consider a tool like EziGDPR.com.
I should mention that we built this tool for our clients and know from experience that this is the only viable choice for many website owners at this time.
We will also be developing a suite of tools to help those who wish to commit to achieving compliance.
Stay tuned for more on that option very soon.