Website Privacy Policies – Is Your Website GDPR Compliant?

Confession time! I finally updated our Sidebar Saturdays privacy policy to comply with GDPR. Have you updated yours?

If you are asking yourself what the heck is GDPR, you have most likely seen the term associated with personal data collection. Like most Internet users, I am guessing you have suffered an onslaught of endless e-mails this year about privacy policy updates from all your favorite websites. Businesses from Amazon to YouTube have rushed to update company policies regarding personal data collection.

Why? Because effective May 25, 2018, a new European Union law called the General Data Protection Regulation (GDPR) requires businesses to be compliant with changes to website privacy policies and how they collect personal information from their website visitors.

I can hear the pushback already – Why are you bothering me with EU law when I am a writer or blogger in the US?

Because the Internet has no definable borders and reaches people all over the world. For that reason, the EU requires any business anywhere in the world that collects the personal data of an EU citizen to adhere to the new stipulations in the GDPR. This includes all non-EU bloggers and authors with readers or subscribers from the EU, regardless of whether the website makes money, offers free services, or simply collects personal data to build an email list.

Got your attention now?

What you need to know about GDPR

The regulations are somewhat complicated. But spend a little time with me and we will slog through this together. In the simplest terms, the GDPR manages the digital privacy of EU citizens by requiring businesses worldwide with an Internet presence to adhere to strict regulations if the business collects personal data from EU citizens. The goal of GDPR is to make sure the collection of personal information is necessary and handled fairly.

To meet this goal, the GDPR requires any business that collects personal information from its website users to have a privacy policy. A privacy policy is just another name for the legal verbiage that explains what kind of personal information you gather from your website visitors, how you use that information, and how you keep it safe. Businesses must get consent from users before collecting their personal data. The data requested should be limited to what is necessary to make the business’s services work, i.e. the requested data must be “essential information.” If it is not, users can deny consent for that information and still partake of the services offered.

Under the GDPR, personal data includes but is not limited to names, emails, billing and shipping addresses, phone numbers, credit card information, demographics, bank details, social security numbers, and IP addresses. Basically, any information that could identify an individual qualifies. Even if a business with an Internet presence does not collect personal data for itself, most business websites, including authors and bloggers, use third-party apps that collect various degrees of personal data (e.g. Google Analytics, ad links, social media sharing, mailing lists, Mailchimp).

Businesses must explain to users exactly how they use the data collected. Users must be able to access their own data if they wish. In the event of a data breach, businesses must notify users within 72 hours of discovering the breach. The regulations also give users the right to have their data deleted. A business that does not sell a product but offers freebies or giveaways must still comply with the GDPR. If you have ad content, affiliate links, or third-party apps that collect personal data, you must comply. Users must now opt in to a website’s use of cookies, rather than opt out as in the past.

The list of EU members

Here is a handy link with a list of EU countries (current as of the date of this post). This list may change (like if the UK Brexit deal is ever finalized), so make sure you have a current list.

The penalty for not being GDPR compliant

Businesses that are not compliant with the GDPR’s privacy policy requirements could be fined up to 20 million Euros or 4% of their global revenue, whichever is higher. It remains to be seen how fines and regulations will be enforced against non-EU businesses.

Make your privacy policy GDPR compliant

Thankfully, if you have an existing privacy policy, only minimal steps are needed to bring it up to GDPR compliance. Our Sidebar Saturdays privacy policy only needed minor tweaking. For most, your privacy policy will only need more specificity in some areas, which can easily be done by adding a few sentences where necessary. Here is how to update your privacy policy to meet GDPR specifications.

  1. Your privacy policy must be easy to read and understand. The more conversational and natural, the easier your privacy policy will be to understand. Drop the legalese whenever possible.
  2. Your privacy policy must include your business name and contact details (whether snail-mail address, phone number, and/or valid email address).
  3. Your privacy policy must explain the type of personal data collected, why it is necessary, and how it is used. The key is to be specific.
  4. Your privacy policy must disclose which third parties have access to the collected data (e.g. Google Analytics, MailChimp, cookies, PayPal or Stripe). Users of your website have the right to know which parties use their personal data. Plus, it is your responsibility to ensure any third-party apps you use are GDPR compliant.
  5. Provide an opt-in sign-up on your website for readers who land on your site — one that requires an active subscription and a notation the subscriber agrees to your privacy policy and data collection.
  6. Your privacy policy must include instructions for opting out of any data collection and for obtaining a copy of the data already collected. Our Sidebar Saturdays sign-up automatically sends each new subscriber an email listing the data collected. A user’s request to see the data your website has collected about them should be completed within 30 days and include a copy of the personal information collected.
  7. You must take measures to protect the collected data. This means protection against both unauthorized use and accidental loss. An SSL/TLS certificate for your site and encryption are a good start. If you need help, consult a technical expert on data protection measures.
  8. Users must be notified of a data breach within 72 hours after the breach is discovered.
  9. You are required to delete a user’s personal data if requested. Make sure you have a process for this request.
  10. Businesses with more than 250 employees must appoint a separate Data Protection Officer (DPO). If you have a DPO, include how to contact the DPO for questions or concerns.
  11. Most sites do not collect sensitive data from special categories like race, ethnicity, political opinions, religious beliefs, trade union memberships, genetic and biometric data, health data, or sexual orientation. State in your privacy policy that you do not collect such sensitive information. If you do collect such sensitive personal data, additional requirements apply for keeping it secure. Consult a lawyer who specializes in data collection to make sure you are GDPR compliant.
  12. If a user is under the age of 16, you must receive parental consent for the minor to use your site. Your privacy policy should state that data is not collected from anyone under the age of 16, and such individuals should not provide personal data on your website without parental consent.
  13. Email List Prior to May 2018 — For subscribers whose personal data you collected before May 25, 2018, such as the email lists you use for your newsletter distributions, you thankfully will not need to re-obtain consent, provided the subscriber previously consented, especially if the subscriber had to authenticate their sign-up to your newsletter. When you signed up for our Sidebar Saturdays newsletter, we sent an authentication email to the email address provided.
    • Consent from these subscribers must have been via a separate form, like a pop-up menu or sidebar request, and not made a condition to receive other products or services (unless the newsletter is necessary to deliver the service/information or how your subscriber or reader learns of the products or services available).
    • Consent must be active, like submitting the personal information on a form with no pre-checked boxes consenting to the personal data collection (like those you normally saw on websites using cookies). No more automated opt-ins. No more freebies to harvest email addresses that you then use for another purpose, unless your privacy policy is clear about how you use the collected information.
    • If you want to be overly cautious, send your mailing list another authentication email asking them to update their preferences. Explain again what data you collect and how you use it, so they are reminded of what they originally signed up for.


While you may not think updating your privacy policy is important, the stricter rules help users in both the EU and the US keep their personal information protected. The EU has always had the world’s strongest digital privacy rights. Right now, there is no similar, single governing privacy law in the US, which had been lax about it until the recent Facebook testimony before Congress. Undoubtedly, the US will follow suit with its own upgraded privacy regulations. Why not get ahead of the digital privacy train? Change your website privacy policy now.

If you have a lot of free time and are eager to devour more information about the overhaul of personal data privacy policies by GDPR, you can read the official 261-page GDPR document here. Knock yourself out!



Photo Credit: Cerillion | Visualhunt.com | CC BY

Legal Disclaimer: This information is provided for educational purposes only. Consult a qualified lawyer in your jurisdiction for all legal opinions for your specific situation.
