You may or may not be aware, but May 25 was the date that GDPR went into effect! I recently sent the following information and resources to my clients, but thought it might be helpful to post it here as well. Don’t have too much fun with it 🙂 :
What is GDPR? The General Data Protection Regulation. It’s a European Union law governing how organizations (websites included) collect, store and use the personal data of people in the E.U., and how they must disclose that to those people. It applies to any site that collects data from E.U. residents, regardless of where the website is based.
Does this apply to me in the US? The safe assumption is YES. GDPR reaches sites outside the E.U. that offer goods or services to people in the E.U. or monitor their behaviour, and web analytics counts as monitoring. If you use Google Analytics and European visitors can reach your site (they can), treat it as applying to you.
What should I do? I am not a lawyer and cannot make legal recommendations for you or your business. That said, GDPR should be taken seriously and there are a few steps you can take. First, work out what personal data your site actually collects by answering these questions:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Second, changes to Google Analytics. Google likely sent you an email recently about the data-handling changes it is making to Google Analytics to help it comply with GDPR. It asks every account owner to “accept” the updated terms and confirm their company information, so do that. (A copy of the email can be read here if you can’t find it in your inbox.)
Important to note is a change to data retention. By default, user-level and event-level data older than 26 months is now deleted automatically; your standard aggregated reports are not affected. You can change this retention period in the property settings, but the default is there for GDPR compliance.
The best plan with Google Analytics is to collect nothing that can be tied back to an individual. If you use the User ID feature to connect multiple sessions to the same user, you are assigning a persistent identifier to a person, which is personal data under GDPR, so unless the visitor has explicitly opted in it should be turned off. If you want to keep using it, you would need to change your site so that Google Analytics only records anything after the visitor has specifically opted in to tracking, and you would be best served by involving legal counsel. The easiest route is to turn off User ID tracking.
IP addresses also count as personal data under GDPR, so you need a lawful basis to collect them; the simplest fix is not to collect the full address at all. For my clients using WordPress and the Monster Insights plugin to handle Google Analytics, I recommend going into Settings, choosing Demographics and enabling Anonymize IP addresses. This sets the tracker’s anonymize-IP flag, which tells Google to zero the last octet of each IPv4 address (the last 80 bits of an IPv6 address) before it is stored, for all site visitors. For further compliance, I recommend buying the PRO version of the Monster Insights Google Analytics plugin, which includes an EU Compliance add-on. With this add-on, you can show consent pop-ups and offer opt-in/opt-out controls for data collection. The Basic PRO version costs $39 per year.
Also: if a person asks for the data you hold about them, you need to send it to them without undue delay and at the latest within one month of the request. The same one-month deadline applies when they ask you to delete their data from all of your systems. (GDPR allows up to two further months for complex requests, but you must tell the person within the first month that you are extending.)
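As an added example (this is not code from the original post, from Google, or from the Monster Insights plugin), here is what the opt-in gating and IP anonymization described above look like when you hand-code the gtag.js snippet instead of using a plugin. The cookie name `analytics_consent` and the property ID `UA-XXXXXXX-1` are placeholders; `anonymize_ip` and `allow_ad_personalization_signals` are real gtag.js config keys. The `maskIPv4` helper only illustrates what Google’s anonymization does to an address once it arrives; the masking itself happens on Google’s side, not in your page.

```javascript
// Consent-gated Google Analytics loader. Added example, not code from the
// original post, Google, or the Monster Insights plugin.
// Assumptions: the visitor's explicit opt-in is recorded in a cookie named
// "analytics_consent" (hypothetical name) and GA_ID is a placeholder property ID.

const CONSENT_COOKIE = 'analytics_consent';
const GA_ID = 'UA-XXXXXXX-1'; // placeholder; use your own property ID

// Turn a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Consent must be explicit: only the literal value "granted" counts.
// A missing cookie, "denied", or anything else means no tracking at all.
function hasAnalyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === 'granted';
}

// gtag.js config used once consent exists. anonymize_ip tells Google to mask
// the address before storage; ad-personalization signals are switched off.
// No user_id is ever set, which is the "turn off User ID" recommendation.
function gaConfig() {
  return { anonymize_ip: true, allow_ad_personalization_signals: false };
}

// Single decision point: may the GA script be loaded for this visitor?
function analyticsDecision(cookieString) {
  return hasAnalyticsConsent(cookieString) ? 'load' : 'skip';
}

// Illustration of what Google's IP anonymization does to an IPv4 address:
// the last octet is set to zero (IPv6 loses its last 80 bits). This runs on
// Google's servers, not in your page; it is here only to show the effect.
function maskIPv4(ip) {
  const octets = String(ip).split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('not an IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// Browser entry point: inject gtag.js only after an explicit opt-in.
// Returns true when the tracker was loaded, false otherwise.
function loadAnalytics() {
  if (typeof document === 'undefined') return false; // not running in a browser
  if (analyticsDecision(document.cookie) !== 'load') return false;
  window.dataLayer = window.dataLayer || [];
  window.gtag = function () { window.dataLayer.push(arguments); };
  window.gtag('js', new Date());
  window.gtag('config', GA_ID, gaConfig());
  const s = document.createElement('script');
  s.async = true;
  s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_ID);
  document.head.appendChild(s);
  return true;
}

// Wire this to the consent banner's "accept" button: record the choice, then load.
function grantConsent(days = 180) {
  if (typeof document === 'undefined') return false;
  const expires = new Date(Date.now() + days * 864e5).toUTCString();
  document.cookie = CONSENT_COOKIE + '=granted; expires=' + expires +
    '; path=/; SameSite=Lax';
  return loadAnalytics();
}

// On every page view: does nothing for visitors who have not opted in,
// so no hit (and no IP address) reaches Google for them.
loadAnalytics();
```

A visitor without the consent cookie never triggers a request to googletagmanager.com at all, which is the point: the opt-in happens before any data leaves the browser, not after.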
Here are some other important articles:
Your risk may not be very high since I would assume you have very, very few European site visitors or customers. That said, some of these changes are easy to make and it is in your best interest to do so. I’ve read that GDPR will be strictly enforced for both large AND small businesses.
Here’s hoping you got through this! (whew!)