Enough With the GDPR Compliance Already!
I’m sure you are as tired as I am of hearing about GDPR compliance! My inbox has been overflowing with warnings about GDPR compliance and updated privacy policies. There is a lot of bad information floating around out on the web. Website owners have been dealing with varying degrees of panic as to how GDPR compliance is going to affect them and what they will need to do to satisfy the requirements.
If you do business with customers located in the European Union (EU), you do need to be aware of the new regulation and how it will affect your business. For many of us, however, the percentage of our customers and clients that are located in the EU is minuscule. If that describes you, then GDPR compliance may be the least of your worries.
Step 1: Don’t Panic!
This whole brouhaha reminds me of the Y2K frenzy. Computer software companies made a ton of money from software fixes over the couple of years prior to 12/31/1999. All that effort was responsible for the fact that the world didn’t end at midnight that night, but a lot of effort was expended where it didn’t really need to be because of the widespread panic over the whole issue.
GDPR compliance is a huge change in the way personal data is to be handled and it is important, but it’s important to maintain a cool head. The GDPR goes into effect 5/25/2018 (tomorrow as I write this), but the GDPR police will not be knocking on your virtual door at 12:01 AM wanting to “see your papers”, so to speak. Wiser people than I have said it could take up to two years before all this gets sorted out and the final version of the rules is decided on and implemented.
Does that mean you shouldn’t take any action? Not at all. Understand that GDPR is great for consumers and takes our FTC regulations to another level. The thing to remember is that it’s in your best interest to take care of your customers, clients and website visitors and it makes sense to provide the kind of data security they deserve. Between the FTC and GDPR, that’s the goal and it’s worth shooting for. It’s just not necessary to stress yourself out and take massive, potentially incorrect action just to be done by the May 25th implementation date.
US-Based Businesses Need To Be FTC Compliant First
You’re probably aware of the Federal Trade Commission, the United States agency that governs business relationships with consumers. Whether you sell to consumers or not, if you are collecting information about your website visitors, you are subject to FTC regulations. The GDPR takes data privacy to another level, but in fact, the FTC has been on this case for years.
My point is: if you are compliant with all FTC regulations, there isn’t much more you need to do for GDPR compliance. The question is: if you are a US-based business, are you FTC compliant? A very large percentage of websites are not and are probably not aware of it. If you’re not sure, see the resources at the end of this post.
FTC vs. GDPR Compliance
New WordPress GDPR Compliance Tools
In addition, WordPress has added two new items under the Tools menu: Export Personal Data and Erase Personal Data. When a registered user on your site asks for the personal data you hold about them, you can export it for them with the first tool. You will also likely get requests to remove a user’s personal data, and Erase Personal Data accomplishes that. GDPR compliance requires that you be able to handle a user’s personal data in these two ways.
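One caveat worth knowing: those two tools only know about the data WordPress core itself stores, so a plugin that keeps its own personal data has to register with them or the export and erasure will silently miss it. The following is an added example, not code from the post or from WordPress, showing how a plugin hooks in; it assumes a hypothetical custom table `my_signups` with `email`, `signup_date` and `ip_address` columns.

```php
<?php
// Hypothetical plugin snippet; assumes a custom table {$wpdb->prefix}my_signups
// (email, signup_date, ip_address) that is populated elsewhere.

// Register with Tools > Export Personal Data so our rows appear in the export.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['my-signups'] = array(
        'exporter_friendly_name' => 'Newsletter signups',
        'callback'               => 'my_signups_export',
    );
    return $exporters;
} );

function my_signups_export( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'my_signups';
    $sql   = $wpdb->prepare( "SELECT signup_date, ip_address FROM {$table} WHERE email = %s", $email_address );
    $items = array();
    foreach ( $wpdb->get_results( $sql, ARRAY_A ) as $i => $row ) {
        $items[] = array(
            'group_id'    => 'my-signups',
            'group_label' => 'Newsletter signups',
            'item_id'     => 'signup-' . $i,
            'data'        => array(
                array( 'name' => 'Signup date', 'value' => $row['signup_date'] ),
                array( 'name' => 'IP address',  'value' => $row['ip_address'] ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => true ); // single page, nothing more to fetch
}

// Register with Tools > Erase Personal Data so our rows are deleted on request.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['my-signups'] = array(
        'eraser_friendly_name' => 'Newsletter signups',
        'callback'             => 'my_signups_erase',
    );
    return $erasers;
} );

function my_signups_erase( $email_address, $page = 1 ) {
    global $wpdb;
    // Delete every row for this address and report whether anything was removed.
    $deleted = $wpdb->delete( $wpdb->prefix . 'my_signups', array( 'email' => $email_address ), array( '%s' ) );
    return array( 'items_removed' => (bool) $deleted, 'items_retained' => false, 'messages' => array(), 'done' => true );
}
```

If you must keep some rows for a legal reason, set `items_retained` to true and explain why in `messages`, which WordPress shows to the administrator handling the request.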
What About Those GDPR Compliance Plugins?
There are plugins springing up like weeds that claim to magically provide GDPR compliance. From what I’ve seen, the prevailing strategies seem to be giving EU visitors (identified by their IP address) the choice to accept or reject the site’s policy, or blocking EU visitors altogether. While the idea seems logical, the reality is that it’s difficult to accurately determine someone’s location via their IP address. There are many possible “edge cases” where someone might live in a non-EU country but be visiting an EU country, for example. VPNs make it easy for visitors to appear to be located somewhere very different than their actual location. So, counting on IP location is iffy, at best.
That said, I am currently evaluating a plugin that provides some excellent features for GDPR compliance. One such feature is a cookie notice that you can edit to suit your site’s policies. This isn’t technically a GDPR thing as cookies are governed under the EU’s cookie regulations from a few years ago, but my understanding is that the two will be merged into one set of rules going forward. In any case, you can decide whether to show the cookie notice only to EU visitors or to everyone.
Is Your Site FTC Compliant?
I have two resources for you to help with that today. First, for $7 you can get an audit of your site that will give you insights into whether your site is FTC compliant and let you know what’s needed if it’s not. You can access that resource here:
If you’re not compliant or need to verify the basic FTC documents for your site, go here to get a free basic membership to FTC Guardian:
Full disclosure: both of the above links are affiliate links and if you purchase the audit or an upgraded account I will receive a commission.
FTC Guardian is the only resource of its kind that I’m aware of and was founded by an Internet lawyer and an Internet marketer. They know the rules and how they affect web businesses. The documents produced are excellent and cover the most common situations. They are not to be considered legal advice, however, so if you have a special situation you will need to consult your own attorney for guidance.