In 2018, the European Union passed the General Data Protection Regulation (GDPR), the strictest privacy and security law in the world. These regulations fundamentally changed the way companies are allowed to collect and use data from users in the EU. Designed with the privacy of users in mind, the law requires companies to follow certain guidelines and practices to operate in the EU, or they may be forced to pay heavy fines.
Recently, Amazon was fined 746 million Euros for violating the GDPR. This is the steepest fine to date, beating out a previous 50 million Euro fine that Google received in 2019. Regulators in Ireland are proposing 40 million dollars in fines against Facebook for alleged deceptive data collection. However, experts estimate that Facebook earns this much revenue in under 3 hours, so some view this as much too soft a punishment for Facebook. Smaller companies are unlikely to withstand such substantial fines as easily without a significant decrease in revenue and profits.
What Does GDPR Mean?
The GDPR is a privacy law that aims to give residents of the EU more control over their data and how it is used by companies and marketers. It puts the burden on companies that manage user data to acquire consent from users before using the collected data, to explain exactly how they are using it, and to safeguard this data from threats to security and privacy. You may have noticed that since 2018, more websites feature pop-ups asking, “Do you accept this website’s cookies?” before they allow you to view the content on their pages. This is a direct result of this law.
While the GDPR is rather complex and difficult to understand, there are some general things that any company doing business in the EU or interacting with EU users should know to avoid unintentionally violating this law and incurring expensive fines.
What GDPR Means for Forms on Your Website
Under the GDPR, businesses can collect data from a user only if that user deliberately opts in to data collection. It is not adequate to simply explain to your user how their data will be used. The user must specifically give their consent, or the business cannot collect this data. Furthermore, data can only be used in ways that have been clearly explained to the user and that they have consented to. It is also mandatory for a company to keep records of these consents and make them available if needed.
To be compliant with GDPR, website forms must:
- Have an opt-in box for all users not located in the United States. This box cannot be automatically checked; a user must click on the box themselves.
- Explain the specific reasons a user’s data is being collected and all the intended uses of that data. This includes data collected by cookies and the collection of IP addresses.
- Make sure all inquiry and contact forms are submitted over an SSL/TLS-encrypted connection (HTTPS). After a user fills out these forms, a business’s website will often email that user a copy of the form with their information. These emails must also be sent and stored using GDPR-compliant methods.
What Does GDPR Mean for US Companies?
Even companies that don’t market directly to a European audience can still be fined if they violate the GDPR. Therefore, any US company that interacts with European users must be GDPR compliant. Under these regulations, a company cannot block any content from a user who does not consent to data collection; all content must be freely available to all people in the EU regardless of whether they opt in to data collection.
GDPR And Email Marketing
If your company publishes an electronic newsletter or sends marketing emails, an EU user must knowingly opt in to receive these electronic communications. This means that if a user fills out a form on your company’s website but does not tick a box to receive a newsletter, your business cannot market to them through email even though they have given their email address. This opt-in box cannot be pre-checked; the user must click on the box themselves to receive electronic newsletters.
If there is any doubt that your business is emailing EU consumers (or anyone of unknown location) who may not have given consent to receiving a newsletter before 2018, it is best to ask those users for permission again or purge them from your system. If you do not have complete records of users opting in, your company can be found out of compliance.
GDPR And Data Storage
For GDPR compliance, a website must safeguard all the user data it collects. If a data breach happens, the company has a set amount of time to notify the proper authorities of the data breach, or it can be held accountable. This amount of time is usually 72 hours after the business becomes aware that their collected data has become compromised.
GDPR And “Request to be Forgotten”
Under the GDPR, it must be easy for a user to withdraw, at any time, their consent to anything they have previously consented to. This is known as a “request to be forgotten.” Once this request has been made, you must erase all of the user’s data from your system.
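The form rules above (explicit opt-in, no pre-checked box, stated purposes, a record of each consent, newsletter email only after a newsletter opt-in) and the erasure required by a request to be forgotten, as one added server-side example; this is not code from the original post, and ConsentLedger, the purpose labels and the sample submissions are assumptions made for illustration.

```python
# Added example, not from the original post: a minimal server-side consent
# ledger for a website form. Names (ConsentLedger, purpose labels) and any
# sample submissions are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Every purpose must have been explained on the form; anything else is refused.
ALLOWED_PURPOSES = {"contact_reply", "newsletter", "analytics_cookies"}

@dataclass
class ConsentRecord:
    email: str
    purposes: frozenset
    recorded_at: str   # ISO-8601 UTC timestamp, kept as evidence of consent
    form_version: str  # identifies the exact wording the user saw

@dataclass
class ConsentLedger:
    records: dict = field(default_factory=dict)   # email -> ConsentRecord
    profiles: dict = field(default_factory=dict)  # email -> submitted fields

    def submit_form(self, submission: dict, form_version: str) -> ConsentRecord:
        """Store form data only when the (unchecked-by-default) box was ticked."""
        # A missing or False flag means the user never ticked the box.
        if submission.get("opt_in") is not True:
            raise PermissionError("no explicit opt-in; nothing stored")
        purposes = frozenset(submission.get("purposes", ()))
        if not purposes or not purposes <= ALLOWED_PURPOSES:
            raise ValueError("purposes must be listed and explained up front")
        email = submission["email"].strip().lower()
        rec = ConsentRecord(email, purposes,
                            datetime.now(timezone.utc).isoformat(), form_version)
        self.records[email] = rec
        self.profiles[email] = {k: v for k, v in submission.items()
                                if k not in ("opt_in", "purposes")}
        return rec

    def may_email_newsletter(self, email: str) -> bool:
        """Marketing email is allowed only against a recorded newsletter opt-in."""
        rec = self.records.get(email.strip().lower())
        return rec is not None and "newsletter" in rec.purposes

    def forget(self, email: str) -> bool:
        """Request to be forgotten: erase the profile and the consent record."""
        email = email.strip().lower()
        existed = email in self.records or email in self.profiles
        self.records.pop(email, None)
        self.profiles.pop(email, None)
        return existed
```

In a real deployment the ledger would be a durable store, and the consent record is what you produce when a regulator asks for evidence.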
Plugins for Privacy Pop-Ups
This may all sound a bit confusing and overwhelming. However, compliance with the GDPR can be managed by using any of the many plugins that auto-generate compliant privacy policies and ensure data collection techniques are in order. These plugins can help you use Google Analytics while adhering to the GDPR, with compliant form generators and custom cookie notification pop-ups. Staying up to date on the latest compliant plugins is one of the best ways to keep the EU regulators happy.
WordPress GDPR Compliance
GDPR compliance is a must for any website that may, even unintentionally, interact with people outside of the United States. The expert team at Sites By Sara has a thorough understanding of the laws and regulations and knows how to keep your website within regulation standards. Contact Sites By Sara for a free consultation today!