How to update your website for GDPR compliance
Disclaimer: the following is not legal advice, consult your lawyer to ensure GDPR compliance.
You may have heard about the GDPR (General Data Protection Regulation), a new European law which comes into effect on May 25th, 2018. The GDPR introduces new regulations for any business collecting personal data from anyone located in the EU, even if your business is not physically located there.
You may be receiving complicated emails from companies such as Google and MailChimp about GDPR-compliance and urging you to update your website. Those emails left me feeling confused, overwhelmed and with a lot of questions.
One of the key focuses of the GDPR is requiring consent to collect data. Here are some examples of how this can affect your website.
Privacy Policy
Your website needs a privacy policy which is easily accessible. You can hire a lawyer to create one or use an online generator. e.g. Shopify and iuBenda provide such a tool. (Disclaimer: I cannot vouch for their legal services).
Google Analytics
Normally, the only personal information captured by Google Analytics are IP addresses. These can be anonymized to prevent requiring explicit consent from your users.
If you’re using the Google Analytics for WordPress by MonsterInsights plugin, this is found on the Insights – Tracking – Demographics page within WordPress. Other plugins should provide similar functionality, or you can adjust the Analytics code directly.
Your privacy policy should include details of how users can opt out of being tracked.
You should also log into your Google Analytics account and sign the Google Data Processing Amendment. This is found at the bottom of your account settings.
Lastly, you should make sure you aren’t tracking any personal information mistakenly – for example special URLs where someone’s email address occurs in the URL to auto-populate a form.
Ads (and Other Tracking Code)
Contact your provider to determine what steps need to be taken to ensure you are GDPR-compliant.
Forms & Mailing Lists
Many websites store cookies and form data in WordPress itself and/or a third-party system (mailing list, CRM etc).
If your website has a newsletter subscription form, and the only information you’re collecting is exactly for that purpose, you’re unlikely to need to change anything. See here for more.
However, if your website has a contact form, or a form to receive a free download, and you’re using their email address to send them other emails later on (e.g. offers and newsletters), then you must update your form by adding in checkboxes asking consent for each action. This involves both design and coding changes (and no more nicely compact subscribe forms). Contact us to implement these for you.
Commenting Systems
Commenting systems store cookies and commenter data in WordPress itself and/or a third-party system. If you’re using WordPress’ commenting system, you may need to adjust your comment form to gain consent to store commenters’ personal information. Contact us to implement this for you. (Disqus is working on being GDPR-compliant.)
Other Plugins
Many plugins may also be affected by GDPR. For example, JetPack is working on compliance.
Further Reading
I highly recommend Thomas Baekdal’s articles:
- Publishers Haven’t Realized Just How Big a Deal GDPR is
- Putting GDPR into Action for Publishers (paid report but free for you as I’m a subscriber and have permission to share it with you)
I sincerely hope you find this information useful. Need help implementing these changes? Please contact us.