The web is abuzz about GDPR, and it’s something that website owners cannot ignore. While GDPR is focused on websites serving the EU, in reality virtually any website, anywhere in the world, needs to be concerned about this ruling because so many of us cater to people worldwide.
The struggle with WordPress is not the implementation, but WordPress’ user base. While WordPress provides superior CMS support for users from solopreneurs to enterprise organizations, the vast majority of WordPress’ core user base is individuals and small businesses. I’m pretty sure I can speak for all of us “little guys” when I say GDPR feels overwhelming!
What is GDPR?
The General Data Protection Regulation, aka “GDPR” is an EU regulation focusing on data protection and privacy for all individuals within the European Union. Not only that, it addresses the export of personal data outside the EU.
This means GDPR isn’t just an EU issue. It applies everywhere.
The GDPR aims primarily to give control to residents over their personal data and to simplify the regulatory environment for international business.
It was adopted on April 14, 2016, and becomes enforceable on May 25, 2018, after a two-year transition period.
The GDPR replaces the 1995 Data Protection Directive. Because GDPR is a regulation, it does not require national governments to pass any enabling legislation; it is directly binding and applicable.
Who Does GDPR Govern?
Everyone who collects any type of personal data. This regulation has a far-reaching geographic scope.
Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.
First, the law only applies if the data subjects, aka consumers, are in the EU when the data is collected. This makes sense. EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
Second, a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization merely collects “personal data”, or “personally identifiable information”, as part of a marketing survey or blog subscription, for example, then that data has to be protected as set out in the GDPR.
When Does the Law Take Effect?
Very soon. The regulation goes into effect May 25, 2018.
The reality is that the regulation has yet to be tested in the courts, so it will be some time before its applicability outside the EU is settled.
What WordPress Websites are Affected by GDPR?
Speaking specifically about US companies, those in the hospitality, travel, software services, and e-commerce industries will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized Web content should review its Web operations.
The regulation does not limit its scope by the physical location where the data is stored, only by whether the data concerns EU citizens. If your Amazon S3 data center is on the East Coast of the US, but the database contains personal information about EU citizens, GDPR applies to you.
Think about all the ways your WordPress website may store personal data:
- A blog subscription may request a name or only an email address. Anyone can sign up, wherever they are from. If you pass that information directly to a mailing service, such as MailChimp, you, as the controller of the data, are responsible for ensuring that your data processor, MailChimp in this case, is compliant.
- An exit-intent pop-up form asking for an email address in exchange for your latest ebook.
- An e-commerce site selling elevator parts, or children’s books, or puzzles. Even if you don’t require customers to register to make a purchase (i.e., a guest purchase), you still require them to provide a name, a shipping address, and an email address for communication. You may pass the billing information through to your gateway, but as the controller of the process, you are responsible for ensuring that the processor, your payment gateway, is GDPR compliant.
- Your Google Analytics tracking code collects all sorts of information from your website visitors, including their IP address. This is personally identifiable information when combined with other data points. Google has recently updated its data retention policies, enabling you, as the data controller, to determine how long the data collected on your behalf will be held and how to remove it from Google’s storage.
How You Can Stay in Compliance
Mail service providers are updating their policies to make GDPR compliance a smooth process. Recently, MailChimp announced updates to its signup forms to help its users comply with rules about gathering consent. The new forms have checkboxes for opt-in consent and include editable sections where users can explain how and why the collected data will be used.
The company also included a step-by-step primer on how to use the forms to gather consent in compliance with GDPR.
WordPress is adding a variety of data extraction and erasure features to the core project. They are expected to be available as soon as v4.9.5 is released.
If your e-commerce store runs on WooCommerce, you are covered. Woo has a wealth of new features to help make your e-commerce site fully GDPR compliant with v3.4 of the core product, expected to be released on May 23rd.
What website doesn’t offer some type of form for visitors to fill out and submit? Gravity Forms offers a well-laid-out plan for using its flagship product in a GDPR-compliant way. Combining a small code snippet with third-party integration tools will help get all your data-gathering forms where they need to be.
Next Steps for WordPress Website Owners
Start now. Take your time. Work through your processes.
At the heart of the GDPR is the protection of a person’s private information. They entrust you, as the merchant, to safeguard their most valuable commodity – personal information. The GDPR requires companies to know what they are doing with personal data: how they process it, where it is used, and for how long; to let people see what data is held about them; and to erase it when people ask for erasure or, at the very least, when the company is done with it.
As a US-based company, review your data collection processes. Document the processes. Spell them out fully in your privacy policy. Make that privacy policy available to your website visitors. Set limits on the data being stored and get rid of everything that is not needed for your documented purposes. Establish internal processes to cleanse the data you hold on a regular basis.
It’s a big task. Too much for you to take on alone? Give us a call. Web Savvy Marketing can help you. We are not your legal team, but we are skilled technical and business-savvy professionals ready to work with you to put you in the best position to be fully GDPR compliant.
Additional GDPR Resources
- GDPR Portal
- Google’s Tools to Help Publishers Comply With the GDPR
- The Kinney Firm GDPR Review
- Intersoft Consulting: General Data Protection Regulation
- 5 Ways GDPR Will Change Your World
- WordPress Site Owner’s Guide to GDPR
- Automattic and the General Data Protection Regulation (GDPR)
- The Lowdown on GDPR Compliance for WordPress Users
- What Does GDPR Mean for the Enterprise?
- Worried about WordPress and GDPR? Start Here
- 7 Questions to Ask Before Creating A Data Compliance Strategy
- GDPR Compliance and WordPress Forms: Everything You Need to Know
- WordPress, Gravity Forms, and GDPR Compliance
- How we’re tackling GDPR in WooCommerce core
Valerie says
From my understanding, it doesn’t cover all businesses, just those that actively pursue business in the EU. https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#79c1dacd6ff2 – see page 2 of article
Rebecca Gill says
Any website – regardless of physical location – that accepts data from people in the EU would be affected by this law.
While I don’t have an active presence in Europe, I do have clients there and I do receive inquiries and subscription requests from Europeans. Thus I am in need of compliance.
Local US-based companies that serve a micro market – like the local pizza place – do not need to worry about this regulation as they would not typically have EU website visitors.
Loma Nelson says
GDPR is overwhelming!! Thanks for adding some clarification.
Do small local US based businesses really need to be concerned? Is there a statement that can be added to a privacy policy or terms of use clarifying the site is not intended for EU users like many have done with COPPA (Child Online Protection Act)? Such as, “we will not knowingly collect any information from anyone under 13 years of age. Our website is directed to people who are at least 13 years old or older.”
Can visitors from EU be prevented from visiting a website? For example: a small one location pizza joint in the Midwest that does not and has no intention of marketing to any one in the EU and does not collect any information on their website other than a Mailchimp newsletter signup.
Valerie says
“The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
Accepting currency of that country and having a domain suffix — say a U.S. website that can be reached with a .nl from the Netherlands — would certainly seal the case.
Who are likely U.S. candidates to fall under the GDPR’s territorial scope? U.S.-based hospitality, travel, software services and e-commerce companies will certainly have to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized Web content should review their Web operations.”
Rebecca Gill says
Valerie the pizza example was provided to illustrate a micro business. Someone that would never really have an EU visitor, because their target market is so small it only covers a city in the US.
I was not referring to larger websites where they may not target the EU, but EU visitors could still arrive and submit data. I consider that an entirely different situation.
The point I was trying to make is the mom and pop pizza joint on the street corner in rural Michigan probably doesn’t need to worry about this ruling because it simply doesn’t apply to them.
Loma Nelson says
Thank you for further clarifying this for the small local business owner.
Mark Phillips says
Thank you for this knowledgeable and thorough resource, Rebecca.
I too am overwhelmed with all the GDPR compliant policies and updates required to software that I use for myself and my clients.
I can always count on you to succinctly read my mind and provide me exactly the type of information that I’m seeking at any moment!
Doug Smith says
Let’s say I am a US company that does have EU customers. But the company is completely based in the US and has no legal presence in the EU.
I know the GDPR law says that it covers any company dealing with EU citizens, but can it really? How can a sovereign nation (or union of nations in this case) make a law that affects the citizens of another sovereign nation?
In the US, wouldn’t there need to be a treaty with those nations ratified by the US congress for it to apply?
If we were all subject to the laws that any other nation created we would have all sorts of chaos of conflicting laws.
Please understand that I’m not saying that some of the protections in the GDPR are not good. But I have not yet seen a good answer to these questions.