Since we provide services for a number of businesses that sell their products internationally, we’ve been receiving a large number of requests for information about GDPR (the General Data Protection Regulation). Despite being written into law over two years ago, there is a last-minute rush to get things into compliance ahead of the 25 May 2018 deadline. We’ve prepared this post to give a high-level understanding of what GDPR might mean for your business, and a few things you should most definitely NOT do in response.
Disclaimer: While Hive Digital works with a large number of law firms across many verticals, we are not lawyers, our lawyers haven’t reviewed this information, and we are not responsible if you screw things up and get fined by an EU regulator. If you feel you might be impacted by GDPR, we highly recommend you audit your exposure to determine if/how you might be impacted, and then consult an attorney to CYA.
If you do not offer services, products, etc. to people based in the EU, and you have no intention of doing so, then from a legal perspective you should generally be fine doing nothing different. However, we would suggest taking the hint that users do care, and your days of undisclosed mining of your website visitors’ personal information for more BI and marketing value may be coming to an end.
However, if you have website visitors that are in the EU when they visit, and your site indicates it may be meant for them, then pay attention!
Signs you might target visitors from the EU:
- Language translations for EU countries
- hreflang tags for EU countries
- EU currency selectors
- EU ccTLDs (e.g. www.website.nl, .de, .fr, etc.)
- EU subdomains (e.g. nl.website.com, fr.website.com, etc.)
- EU subfolders (e.g. website.com/de/, website.com/fr/, etc.)
- References to worldwide shipping, or shipping calculators that include EU member countries
- References to EU pop culture, news, etc.
- Travel advice, assistance, information, or tours for visitors to/in the EU
- Any other similar indicator that you are catering to people searching from within the EU
If you do one or more of these things, then you are required to collect and store those EU-based visitors’ personal data (what US readers usually call personally identifiable information, or PII; GDPR’s definition is broader and includes things like IP addresses and cookie identifiers) according to the rules of GDPR, or be exposed to potential fines.
PRIOR to performing any data collection:
You must have a clear consent form showing:
- exactly what information you are collecting
- how that information will be used
- affirming the information is protected
- consent options for each data usage
The consent form should not only detail the information you are collecting, but also:
- how/where you are collecting it
- where you are storing it (specific 3rd parties, etc.)
- how long the information is retained
- how to request information removal
If, for example, you don’t have analytics tracking that collects that type of personal data, but you do have an email newsletter form, then you need the disclosure and the required consent before accepting the user’s email address on your website. The disclosure must be fully visible at the point of collection (not buried behind a link to a T&C page) and might say something along the lines of:
“When you sign up for our newsletter, we will collect your email address and name from the form and store it in a database at our email service provider, Mailchimp. We will collect personal usage data through Mailchimp, such as how often you open and read our emails, and the links you click from within our emails. This tracking is meant to help us ensure high-quality newsletter content that engages our subscribers. Each email you receive will include a link that allows you to opt out of our system. Should you choose to opt out, we will remove your email address and its associated data from our email newsletter platform (currently Mailchimp, subject to change).”
For the data storage:
GDPR does not name a specific standard, but Article 32 requires “appropriate technical and organisational measures” proportionate to the risk, and explicitly lists pseudonymisation and encryption of personal data as examples; a reasonable bar is the level of security and encryption you would already apply for PCI compliance. Remember, as the data controller you remain responsible for the vendors and places where you store your customers’ data. Many companies are choosing to warehouse their EU customer data in EU data centers, as they feel more confident those data centers will be compliant.
Be prepared for a data breach:
Be prepared for a breach of any of your data servers, or those of your vendors. If your server, data, or vendor is compromised, you must notify the relevant EU supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to the affected individuals), or you face fines of up to €10 million or 2% of your global annual turnover, whichever is higher. If the breach is likely to result in a high risk to the affected individuals, for example because it exposes credit card numbers, addresses, phone numbers, passwords, or personal records, then you must also notify those individuals without undue delay, in addition to notifying the supervisory authority.
Things you SHOULD NOT DO!
Sadly, we have heard a number of “clever” ideas for getting around GDPR concerns, and some of them could cause serious issues for SEO. Here are a handful of things you should not do unless your lawyer tells you to… in which case you should have your lawyer call us so we can try to help figure out a more graceful solution:
- Block everyone visiting from the EU: This is a bad idea for a number of reasons. The biggest is that your non-EU customers might be traveling and need to access your website from the EU. I’ve heard financial institutions toss this idea around, and quickly explained that if I were traveling across Europe and suddenly blocked from logging in to my bank account, or even from seeing my bank’s website, I’d probably freak out. From an SEO perspective: you might also have links from EU sites, and blocking EU crawlers would prevent any of that link equity from passing through to your site.
- Redirect all EU traffic to a disclosure/compliance page: While this may seem like a good idea at first, remember that Google is a visitor too, and it may crawl from EU IP addresses. So if you go this route, you’ll likely lose all of your rankings in the EU, as you’ve just redirected the crawler to a page that likely doesn’t have any of the content it was ranking. A better solution is a pop-up that requires consent but allows the page to load (without the tracking pixels that collect personal data). Once the visitor consents, you can then load all of your “approved” tracking codes.
- Show EU users one page and Google something else for the same URL: This could be considered cloaking by Google. You are likely fine with pop-ups or “hero banner” disclaimers shown based on the visitor’s IP address, but if you treat those visitors differently than you treat Google, you could run into issues and potentially even be penalized. This can get a little tricky considering that Google is also free to crawl your EU pages from US IP addresses.
- Ignore GDPR if you meet the criteria of someone who should not ignore GDPR (see “Signs you might target visitors from the EU” above): Not only does this subject you to fines, but it will likely be obvious to those potential customers, and could result in serious backlash against your brand that may be difficult to recover from. Remember, this isn’t just some governing body handing down laws; these are protections being made into law at the request of consumers.
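The “better solution” in the redirect bullet above (let the page load with no tracking, then load only the tracking codes the visitor has consented to) is worth seeing in code, because the two details that usually go wrong are defaulting to “no consent” and remembering a withdrawal. The following is an added example written for this post, not Hive Digital’s code or any vendor’s SDK; the tracker ids, purposes, script URLs and the `consent-record` storage key are all hypothetical.

```javascript
// Added example (not from the original post): gate third-party tracking on
// affirmative, per-purpose consent. The page renders immediately with no
// tracking scripts; each tracker is injected only after the visitor opts in
// to the purpose it serves, and a withdrawal stops it loading on later views.
// Tracker ids, purposes and URLs below are hypothetical.

const TRACKERS = [
  { id: "analytics", purpose: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ads-pixel", purpose: "marketing", src: "https://example.invalid/pixel.js" },
  { id: "newsletter-popup", purpose: "marketing", src: "https://example.invalid/popup.js" },
];

// The only place a tracker touches the page: one <script> tag per tracker.
function injectScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

function createConsentManager(trackers, options = {}) {
  const load = options.load || injectScript; // replaced by a recorder in tests
  const storage =
    options.storage || (typeof localStorage !== "undefined" ? localStorage : null);
  const now = options.now || (() => new Date().toISOString());
  const KEY = "consent-record"; // hypothetical storage key

  // Default is "no consent": nothing loads until the visitor opts in.
  let record = { granted: {}, updatedAt: null };
  const saved = storage ? storage.getItem(KEY) : null;
  if (saved) {
    try {
      record = JSON.parse(saved);
    } catch (_) {
      // Corrupt record: treat as no consent rather than guessing.
    }
  }
  const loaded = new Set();

  // Keep a timestamped record so you can show when consent was given/withdrawn.
  function persist() {
    record.updatedAt = now();
    if (storage) storage.setItem(KEY, JSON.stringify(record));
  }

  // Load every tracker whose purpose is consented and that is not yet loaded.
  function applyConsent() {
    const started = [];
    for (const t of trackers) {
      if (record.granted[t.purpose] === true && !loaded.has(t.id)) {
        load(t.src);
        loaded.add(t.id);
        started.push(t.id);
      }
    }
    return started;
  }

  return {
    // Visitor ticked one or more purposes on the consent banner.
    grant(purposes) {
      for (const p of purposes) record.granted[p] = true;
      persist();
      return applyConsent();
    },
    // Withdrawal: a script already running on this page cannot be unloaded,
    // so record the choice and stop loading the tracker on subsequent views.
    revoke(purpose) {
      record.granted[purpose] = false;
      persist();
    },
    isGranted(purpose) {
      return record.granted[purpose] === true;
    },
    loadedTrackers() {
      return [...loaded];
    },
    // Call once on every page view to honour a previously saved choice.
    restore() {
      return applyConsent();
    },
    exportRecord() {
      return JSON.parse(JSON.stringify(record));
    },
  };
}
```

In the browser you would call `createConsentManager(TRACKERS).restore()` on page load and wire the banner’s buttons to `grant` and `revoke`; Google and every other visitor get the same HTML, which is what keeps this out of cloaking territory. Note that `revoke` only prevents future loads: clearing the cookies a tracker already set is a separate step that depends on the vendor.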
This is by no means a comprehensive list and we kindly ask for any thoughts/questions/ideas that we could use to improve this for our visitors and clients. We hope this inspires some thought with your team as you evaluate how/where you collect personal information, and internally flow-chart where that data is stored, how it is used, and ways you can be more transparent with your customers.
image credit: https://securityboulevard.com/2018/02/gdpr-a-deadline-you-cant-afford-to-ignore/
Additional reading: Analytics data and impacts from GDPR
- https://www.jeffalytics.com/data-retention-controls-google-analytics/
- https://www.upbuild.io/blog/gdpr-compliance-guide/
It feels like GDPR is a wake up call even outside of the EU. It offers a number of protections that are making a lot of companies re-examine how they gather and store information. Very great read. I’ve seen a number of websites making the cloaking mistake. Nobody wants to be penalized in the eyes of Google.
When it comes to SEO it’s always necessary to have good and transparent ways to deal. Since SEO involves giving access to their website, owners’ and users’ data might be at risk if the agency isn’t transparent. GDPR will help companies in protecting their private data. Hope more good agencies are created. Even big companies like Google have been sued under EU rules and regulations.
Great article, love your insights.
After a detailed research, talking with the people from my industry, and studying through the official GDPR document, I have written about GDPR myself, but from a different angle. Namely, I have analyzed how the new data privacy regulation will impact the SEO and digital marketing industries. I would love to hear your opinion about it and maybe we can even discuss some of the controversial approaches some businesses turn to, such as cutting off people from the EU completely in order to comply with the regulation. You can find the article here: https://www.seoptimer.com/blog/how-gdpr-impacts-seo-and-digital-marketing/
I would love to hear your opinion on it.
Kind regards,
Andy
GDPR impact on SEO… a much-needed topic idea in recent times.
As for the possible effects on rankings, Google has not made any official announcements about any GDPR-related algorithm changes. The GDPR is a huge step towards data protection across the world. With information moving at a very fast pace, this comes in as very timely, and would really ensure that data is used properly and ethically. GDPR will help companies in protecting their private data.
The enforcement of GDPR has little impact on most SEO ranking factors. That being said, you still want to make sure you’re following SEO best practices through page titles, meta descriptions, URL structure, crawlability, website security and more. Below are some areas on which to focus your SEO efforts to boost visibility while staying compliant.