UPDATED December 2019: Although the following article is about GDPR, the new California Consumer Privacy Act (CCPA) has similar requirements and is being used as a template by other states interested in creating their own laws.
What is GDPR?
It is a wide ranging regulation that can impact many areas of a business, but for simplicity we will cover how it impacts most websites.
The GDPR is a set of rules designed to give EU citizens more control over their personal data. However, it extends beyond the EU. It applies to anyone, anywhere, who processes the personal data of an EU citizen. Given the global nature of the internet, this effectively applies to every site at this point.
Within the GDPR, the definition of “personal data” has been expanded to include much more general information about a visitor. If you use Google Analytics, and someone from Germany visits your site, it immediately applies to you. So every site owner needs to address it at some level.
What should I do?
Just as with the ADA, the General Data Protection Regulation reinforces many practices that should already be in place. In its simplest terms you need to:
- Tell people what personal data you want to collect about them
- Give people the opportunity to decide if they want to give you that data
- If they allow you to collect that data, protect it
For a standard small business owner, this is relatively straightforward at the website level. It can be addressed with good security practices, a privacy policy, and some documentation that outlines the rules your staff needs to follow.
Privacy
Even if you don’t have a web form, you need to address general privacy concerns. Log files, analytics data, etc. all need to be addressed within your privacy policy. Often your privacy policy can also provide visitors with a way to opt out of being tracked. Privacy is a big issue for everyone, under the GDPR or otherwise, so it makes sense to cover these items even if you don’t deal with foreign visitors.
Security
Keeping personal data secure is just as important, regardless of the GDPR. When people allow you to collect information about them, they are trusting that you will keep that information safe. Make sure you follow good basic security practices, and if you run WordPress or a similar CMS, make sure you keep it up to date.
What happens if I ignore the GDPR?
The penalties for violating the GDPR are quite significant, but the severity of fines will depend on whether or not a company is deemed to have taken compliance and security seriously. And of course the level of interaction you have with EU citizens can greatly impact the level to which you need to address the GDPR. If you are still unsure you should definitely reach out to an expert with any concerns.
To us, following the rules of the GDPR on every site just makes sense, and we typically recommend most of the items written into it regardless. The rules essentially support the privacy of your visitors and promote good security practices. Both are critically important these days, no matter who you are or where you are browsing from.