This article originally appeared on the Prime Design Solutions website.


The General Data Protection Regulation – better known simply as GDPR – is the European Union's regulation on data privacy and protection. It has applied since 25 May 2018 and sets out how organizations must handle the personal data of the people whose data they collect.

Basically, GDPR stipulates that if a company collects any kind of personal information from someone, they have to clearly state:

  • What information they are collecting
  • How they are protecting the information
  • What they’re going to do with the information
  • How long they will keep the information
  • How someone can opt out, correct their information, or have it permanently removed

This has obvious implications for any business that has a website.

So GDPR basically applies to companies who engage in e-commerce?

Actually, no. GDPR defines personal data far more broadly than names, phone numbers or email addresses, so the regulation extends well beyond companies selling products, services or memberships online. Any information that can be used to identify a specific individual, directly or indirectly, counts as personal data, and that explicitly includes online identifiers such as IP addresses and cookie identifiers. So under GDPR, even a company that only uses Google Analytics needs to tell its visitors and give them a way to opt out.

My company is in the US though! Does this really apply to me?

It depends. GDPR's territorial scope covers organizations outside the EU that offer goods or services to people in the EU, or that monitor the behaviour of people in the EU. If your website is marketed exclusively to customers in the US and someone from Europe happens to visit, you will probably be fine.

However, if you are selling products or services, managing memberships, or engaging in any form of e-commerce with people in the EU, or deliberately tracking their online behaviour, then GDPR definitely applies to you.

What should I do?

It never hurts to review how you do things and see what could be done better. A good start is your website's privacy policy (you do have one, don't you?). Is it easy to read, or does it take a lawyer to translate? Does it clearly spell out what information is collected and how you intend to use it?

Find out what personal data your website collects, and whether you collect and store it yourself or a third party does so on your behalf. GDPR is about making it easy for people to know what is happening with their personal data and giving them ways to control it.

For example, if you use an email marketing service such as MailChimp or Constant Contact and have a signup form on your website, your privacy policy should state clearly that subscribers' email addresses will be used only to send the information they signed up for, and that they can unsubscribe and have themselves removed from the list at any time.

What about Google Analytics?

If you use Google Analytics, say so in your privacy policy so that visitors know. You should also provide a way for them to opt out of being included in your analytics data, and the opt-out has to take effect before the tracking script runs; otherwise the first page view is recorded before the visitor has had any say. If your website is built in WordPress, there are plugins that do exactly this.
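The following is an added example of how such an opt-out can be wired up by hand; it is not code from the original article or from Prime Design Solutions. It loads Google's gtag.js only after the visitor has opted in, and otherwise sets the `ga-disable-<MEASUREMENT_ID>` window property that Google documents as the per-property opt-out switch. The measurement ID `G-XXXXXXXXXX` is a placeholder, the storage key `analytics_consent` is a name chosen for this example, and the `window`, `document` and `localStorage` objects are passed in as parameters so the same logic can be exercised outside a browser with the small in-memory stand-ins at the bottom of the block.

```javascript
// Added example (not from the original article): consent-gated Google Analytics.
// Assumptions: GA_MEASUREMENT_ID is a placeholder, CONSENT_KEY is a storage key
// chosen for this example. The "ga-disable-<ID>" window property is Google's
// documented opt-out flag: when it is true before gtag.js runs, no hits are sent.

const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX';            // placeholder, not a real property
const CONSENT_KEY = 'analytics_consent';             // storage key chosen for this example
const DISABLE_FLAG = 'ga-disable-' + GA_MEASUREMENT_ID;

// Anything other than an explicit "granted" counts as no consent, so a
// first-time visitor is never tracked by default.
function hasAnalyticsConsent(storage) {
  return storage.getItem(CONSENT_KEY) === 'granted';
}

// Records the visitor's choice. "denied" is stored explicitly so the banner
// is not shown again and the decision can be audited later.
function setAnalyticsConsent(storage, granted) {
  setAnalyticsConsentValue(storage, granted ? 'granted' : 'denied');
}
function setAnalyticsConsentValue(storage, value) {
  storage.setItem(CONSENT_KEY, value);
}

// Sets Google's opt-out flag on the window object. This must run before
// gtag.js is loaded, or the first page view is already sent.
function applyOptOutFlag(win, storage) {
  const optedIn = hasAnalyticsConsent(storage);
  win[DISABLE_FLAG] = !optedIn;
  return optedIn;
}

// Injects gtag.js only when consent exists. Returns true if the tag is present
// (either just injected or already on the page), false if tracking stays off.
function loadAnalyticsIfConsented(win, doc, storage) {
  if (!applyOptOutFlag(win, storage)) return false;
  if (doc.getElementById('ga-loader')) return true;   // already loaded, stay idempotent
  const script = doc.createElement('script');
  script.id = 'ga-loader';
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' + GA_MEASUREMENT_ID;
  doc.head.appendChild(script);
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_MEASUREMENT_ID);
  return true;
}

// Called from the "opt out" link in the privacy policy: records the refusal and
// flips the flag so an already-loaded tag stops sending hits immediately.
function optOut(win, storage) {
  setAnalyticsConsent(storage, false);
  win[DISABLE_FLAG] = true;
}

// Constructed in-memory stand-ins for localStorage and the DOM, so the logic
// above can be run and checked outside a browser (e.g. under Node).
function fakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
function fakeDocument() {
  const nodes = [];
  return {
    getElementById: (id) => nodes.find((n) => n.id === id) || null,
    createElement: (tag) => ({ tagName: tag }),
    head: { appendChild: (n) => { nodes.push(n); } },
    scripts: nodes,                                    // exposed for inspection
  };
}
```

In a real page the call is `loadAnalyticsIfConsented(window, document, localStorage)` placed in the document head before any other tag, with the consent banner calling `setAnalyticsConsent(localStorage, true)` and then the loader again on "accept", and the privacy-policy link calling `optOut(window, localStorage)`. The point of passing the objects in is that the default-deny behaviour can be asserted in a unit test rather than trusted.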

More Information

The article above is a brief summary of GDPR intended for small US-based businesses. It should not be considered legal advice. If you have additional questions or concerns, you should consult your organization’s legal advisor.