Since we provide services for a number of businesses that sell their products internationally, we’ve been receiving quite a large number of requests for information about GDPR (the General Data Protection Regulation). Despite being written into law over 2 years ago, there is a last-minute rush to get things into compliance ahead of the 25 May deadline. We’ve prepared this post to give a high-level understanding of what GDPR might mean for your business, and a few things you should most definitely NOT do in response.
Disclaimer: While Hive Digital works with a large number of law firms across many verticals, we are not lawyers, our lawyers haven’t reviewed this information, and we are not responsible if you screw things up and get fined by the EU. If you feel you might be impacted by GDPR, we highly recommend you audit your exposure to determine if/how you might be impacted, and then consult an attorney to CYA.
If you do not offer services, products, etc. to people based in the EU, and you have no intention of doing so, then you should generally be fine doing nothing different from a legal perspective. However, we would suggest taking the hint that users do care, and that your days of undisclosed mining of your website visitors’ personal information for more BI and marketing value may be coming to an end.
However, if you have website visitors that are in the EU when they visit, and your site indicates it may be meant for them, then pay attention!
Signs you might target visitors from the EU:
- Language translations for EU countries
- hreflang tags for EU countries
- EU currency selectors
- EU ccTLDs (e.g. www.website.nl, website.de, website.fr, etc.)
- EU subdomains (e.g. nl.website.com, fr.website.com, etc.)
- EU subfolders (e.g. website.com/de/, website.com/fr/, etc.)
- References to worldwide shipping, or shipping calculators that include EU member countries
- References to EU pop culture, news, etc.
- Travel advice, assistance, information, or tours for visitors to/in the EU
- or any other similar indicator that you are catering to people searching from within the EU
If you do any one or more of these, then you are required to collect and store those EU-based visitors’ personal data following the rules of GDPR, or be exposed to potential fines. Note that GDPR’s term is “personal data”, which is broader than the US notion of personally identifiable information (PII): it covers anything that can identify a person directly or indirectly, including IP addresses, cookie identifiers and device IDs. Analytics and ad tracking are therefore in scope even if you never collect a name or an email address.
PRIOR to performing any data collection:
You must have a clear consent form showing:
- exactly what information you are collecting
- how that information will be used
- affirming the information is protected
- consent options for each data usage
The consent form should not only detail the information you are collecting, but also:
- how/where you are collecting it
- where you are storing it (specific 3rd parties, etc.)
- how long the information is retained
- how to request information removal
If, for example, you don’t have analytics tracking that collects that type of personal data, but you do have an email newsletter form, then you need to provide the disclosure and obtain the required consent before accepting the user’s email address on your website. The disclosure should be presented with the form itself, in plain language, rather than buried in a linked T&C page, and the consent must be a separate, unticked opt-in: pre-ticked boxes and consent bundled into acceptance of general terms do not count as valid consent under GDPR. The disclosure might say something along the lines of
“When you sign up for our newsletter, we will collect your email address and name from the form and store it in a database at our email service provider, Mailchimp. We will collect personal usage data through Mailchimp, such as how often you open and read our emails, and the links you click from within our emails. This tracking is meant to help us ensure high-quality newsletter content that engages our subscribers. Each email you receive will include a link that allows you to opt out of our system. Should you choose to opt out, we will process removing your email address and its associated data from our email newsletter platform (currently Mailchimp, subject to change).”
For the data storage:
GDPR does not prescribe a specific standard such as PCI DSS. Article 32 requires “appropriate technical and organisational measures” proportionate to the risk, and names pseudonymisation and encryption of personal data, and the ability to restore availability after an incident, as examples. In practice that means encryption at rest and in transit, access controls that limit who can read the data, and logging of who touches it. Remember, as the controller you are also responsible for the processors (hosting providers, email platforms, analytics vendors) you store your customers’ data with, and you need a written contract with each of them covering their GDPR obligations. Many companies are choosing to warehouse their EU customer data in EU data centers, as they feel more confident those data centers will be compliant. Location alone is not compliance, though: GDPR restricts transfers of personal data outside the EU/EEA, but storing the data inside the EU does not exempt you from any of the other requirements.
Be prepared for a data breach:
Be prepared for a breach of any of your own data servers, or those of your vendors. GDPR requires a processor to notify you, the controller, without undue delay when it discovers a breach, so check that your vendor contracts actually say so. If your server/data/vendor is compromised, you must notify the competent supervisory authority (the data protection authority in the relevant EU member state) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the people affected. Failing to do so exposes you to fines of up to 2% of global annual turnover or €10 million, whichever is higher. If the breach is likely to result in a high risk to the affected people’s rights and freedoms, for example exposed credit card numbers, passwords, addresses, phone numbers or personal records, then you must also notify those individuals directly, in addition to notifying the supervisory authority. Being able to meet the 72-hour clock means knowing in advance where personal data lives, who to call at each vendor, and how you would determine which records were affected.
Things you SHOULD NOT DO!
Sadly, we have heard a number of “clever” ideas to get around GDPR concerns, but some of them could cause serious issues for SEO. Here are a handful of things you should not do unless your lawyer tells you to… in which case you should have your lawyer call us so we can try to help figure out a more graceful solution:
- Block everyone visiting from the EU: This is a bad idea for a number of reasons. The greatest of which is that your non-EU customers might be traveling and need to access your website from the EU. I’ve heard financial institutions toss this idea around, and quickly explained that if I was traveling across Europe and suddenly was blocked from logging in to my bank account or even seeing my bank’s website, I’d probably freak out. IP geolocation is also imprecise: VPNs, corporate proxies, mobile carriers and CDNs routinely place visitors in the wrong country, so a block will both miss EU visitors and lock out people who aren’t in the EU at all. From an SEO perspective: you might also have links from EU sites, and blocking EU crawlers would prevent any of that link equity from passing through to your site.
- Redirect all EU traffic to a disclosure/compliance page: While this may seem like a good idea at first, remember that Google is a visitor too, and it may crawl from EU IPs. If you go this route, you’ll likely lose all of your rankings in the EU, as you’ve just redirected the crawler to a disclosure page instead of the content you want ranked. A better solution is a consent banner that lets the page itself load, without any tracking scripts or pixels that collect personal data, and loads only your “approved” tracking codes once the visitor consents. Do this the same way for every visitor regardless of IP, so the HTML a crawler receives is the same HTML a user receives; store the consent decision in a first-party cookie or local storage, re-check it on every page load, and default to no tracking when the record is missing or malformed.
- Show EU users one page and Google something else for the same URL: This could be considered cloaking by Google. You are likely fine with pop-ups or “hero banner” disclaimers that are triggered by IP geolocation, but if you serve different page content to those visitors than you serve to Google, you could run into issues and potentially even be penalized. This gets a little tricky considering Google is free to crawl your EU pages from US crawlers, too.
- Ignore GDPR if you meet the criteria of someone who should not ignore GDPR (see “Signs you might target visitors from the EU” above): Not only does this subject you to fines, but it will likely be obvious to those potential customers, and could result in serious backlash to your brand that may be difficult to recover from. Remember, this isn’t just some governing body handing down laws; these are protections being made into law at the request of consumers.
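The consent-gated loading recommended above (load the page for everyone, load tracking only after consent), as an added example that is not code from the original post or from any tracking vendor. The gate defaults to loading nothing, loads a vendor script only for the purposes the visitor has explicitly granted, records the decision in first-party storage so the banner is not re-shown on every page, treats a missing or malformed record as “no consent”, and runs the same code path for every visitor regardless of IP. The purpose names `analytics` and `marketing`, the storage key `consent_v1`, and the script URLs are assumptions standing in for your real vendor snippets.

```javascript
// Added example: consent-gated loading of tracking scripts. Not code from the
// original post. Purpose names, the storage key and the script URLs below are
// assumptions standing in for whatever vendor snippets a site actually uses.

const CONSENT_KEY = 'consent_v1';                 // assumed first-party storage key
const PURPOSES = ['analytics', 'marketing'];      // assumed purpose names a visitor can grant

// Parse a stored consent record. Missing or malformed records mean "no consent",
// so a broken cookie never turns tracking on by accident.
function parseConsent(raw) {
  const none = { version: 1, granted: [], at: null };
  if (typeof raw !== 'string' || raw === '') return none;
  try {
    const obj = JSON.parse(raw);
    const granted = Array.isArray(obj.granted)
      ? PURPOSES.filter((p) => obj.granted.includes(p)) // keep only known purposes
      : [];
    return { version: 1, granted, at: typeof obj.at === 'string' ? obj.at : null };
  } catch (err) {
    return none;
  }
}

// Serialize a decision. An empty list is a valid, recorded "denied" decision.
function serializeConsent(granted, now = new Date()) {
  const clean = PURPOSES.filter((p) => granted.includes(p));
  return JSON.stringify({ version: 1, granted: clean, at: now.toISOString() });
}

// Only purposes explicitly granted get their loader run; everything else stays off.
function selectLoaders(consent, loaders) {
  return Object.keys(loaders).filter((p) => consent.granted.includes(p));
}

// storage: anything with getItem/setItem (window.localStorage in a browser).
// loaders: map purpose -> function(inject) that adds the vendor script.
// inject: how a script URL is added to the page (DOM in a browser, a stub in tests).
function createConsentGate({ storage, loaders, inject }) {
  const loaded = new Set(); // an inserted script cannot be "unloaded"; never insert twice

  function applyConsent() {
    const consent = parseConsent(storage.getItem(CONSENT_KEY));
    for (const purpose of selectLoaders(consent, loaders)) {
      if (loaded.has(purpose)) continue;
      loaded.add(purpose);
      loaders[purpose](inject);
    }
    return consent;
  }

  return {
    init: applyConsent,                        // on page load: load only what was granted earlier
    grant(purposes) {                          // banner "accept selected/all" button
      storage.setItem(CONSENT_KEY, serializeConsent(purposes));
      return applyConsent();
    },
    denyAll() {                                // banner "reject" button: record the decision, load nothing
      storage.setItem(CONSENT_KEY, serializeConsent([]));
      return applyConsent();
    },
    hasDecision() { return storage.getItem(CONSENT_KEY) !== null; }, // show the banner only if false
    loadedPurposes() { return [...loaded].sort(); },
  };
}

// Assumed vendor snippets: each just appends one script URL after consent.
const exampleLoaders = {
  analytics: (inject) => inject('https://analytics.example/tag.js'),
  marketing: (inject) => inject('https://ads.example/pixel.js'),
};

// Browser glue: insert the script element. Skipped under Node, where there is no DOM.
function browserInject(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof window !== 'undefined' && window.localStorage) {
  window.consentGate = createConsentGate({
    storage: window.localStorage,
    loaders: exampleLoaders,
    inject: browserInject,
  });
  window.consentGate.init(); // same code path for every visitor, crawler or not
}
```

Wire the banner’s buttons to `consentGate.grant([...])` and `consentGate.denyAll()`, and only show the banner when `hasDecision()` is false. Two points worth noting: a vendor script that has already been inserted cannot be removed by JavaScript, so a withdrawal of consent takes effect on the next page load (the gate simply stops re-inserting it); and because the decision is keyed on the visitor’s own stored choice rather than on IP geolocation, a crawler and a user fetching the same URL receive the same HTML, which avoids the cloaking problem described in the next item.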
This is by no means a comprehensive list, and we kindly ask for any thoughts/questions/ideas that we could use to improve this for our visitors and clients. We hope this inspires some thought with your team as you evaluate how/where you collect personal data, and internally flow-chart where that data is stored, how it is used, and ways you can be more transparent with your customers.
image credit: https://securityboulevard.com/2018/02/gdpr-a-deadline-you-cant-afford-to-ignore/
Additional reading: Analytics data and impacts from GDPR