What Does GDPR Mean for US-Based Websites?

Posted in Privacy and Security, Software Development

In this post, we cover how the European Union law GDPR could impact US-based organizations and how to make your website GDPR-compliant.

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union (EU). Aimed at protecting the personal data of EU residents, GDPR gives users more control over how their data is used and provides clear guidelines on what organizations can do with user data. While not a US-based regulation, GDPR does have ramifications for how website owners around the world may collect and use data from people in the EU. Let’s explore what GDPR means for those of us in the US.

GDPR Basics

While the full extent of GDPR includes many provisions, here are some basic guidelines:

  • Data can no longer be stored in publicly accessible spreadsheets or other unprotected documents.
  • Data can no longer be captured without explicit permission from users.
  • Data can no longer be captured without a detailed description of what it will be used for.
  • Users must have an easy way to withdraw consent and have their data erased.
  • Organizations must have clear processes in place to detect, report, and investigate data breaches.

What Does GDPR Mean for US-Based Organizations?

Non-EU countries are considered ‘third countries’ under GDPR. GDPR imposes restrictions that affect how data is transferred to international organizations in third countries.

For example, if your US-based organization collects email addresses from EU citizens, such as through a newsletter signup form, live website chat, or telephone calls, you’ll need to comply with GDPR guidelines. While you may not be actively targeting EU customers, if they can sign up or input data on your website or through social media accounts, you’re responsible for GDPR compliance, even if the data ends up in a third-party email marketing or CRM system (and not on your website).

GDPR also requires that nonprofits, businesses, and other organizations receive informed consent from users with clear descriptions of how their data will be used. Organizations must prove they have received consent from users to collect their data, which will likely require new processes to record said consent. In addition to new data, this applies to existing recorded data as well, so if you don’t have that information you’ll need to acquire it.

Finally, if a customer requests that you remove all their data from your systems, you must comply.

What Does GDPR Mean for Your Website?

In simple terms, if your website or digital product collects or holds personal data from people residing within the EU, you must offer clear, optional, and understandable ways for them to opt in and out. You must also clearly explain how you will use obtained data and you must delete their data from your records if they request you to do so. You must also let them know if you have a data breach.

We created a quick GDPR website compliance checklist to help you easily understand what GDPR means for your website.

GDPR Website Checklist

To make your website GDPR-compliant, do these things:

  1. Add an SSL certificate to your website. This is a good idea for many reasons, including better SEO performance and user experience in the Chrome browser. It’s also a best practice for privacy and security.
  2. Create a cookie policy that clearly states which cookies are yours and which are from third parties. Users must be given the option to use your site without cookies.
  3. Similarly, you will need a privacy policy on your site which clearly and explicitly explains how you collect and protect user data.
  4. You must be able to prove comprehensible consent from users, so keep records of all user interactions.
  5. Don’t use pre-ticked boxes on website sign-up forms, such as newsletters. Users must opt in, not opt out.
  6. Similarly, separate opt-in tick boxes must be used for each instance in which you gather data on your site, such as a marketing newsletter and terms of service for an on-site purchase.
  7. If you use third-party payment gateways for purchases, donations, etc. you will need to be Privacy Shield-compliant in the US (GDPR-compliant in the EU).
  8. Give easy options for users to withdraw consent and have their data removed from your or third-party systems (known as ‘request to be forgotten’).
  9. Website contact and inquiry forms must be sent securely over an SSL connection. If copies of form data are also emailed to recipients, those emails must also be stored and sent via GDPR-compliant methods. Check your email provider’s terms of service policy to ensure compliance.
  10. If your website uses a third-party live chat feature, you will need to reference its privacy policy and terms in your own.  
  11. Similarly, social media accounts are also considered third-party data controllers, so any information collected through them needs to follow GDPR guidelines: include them in your privacy policy and make sure any collected information is not held in the social media account.
  12. Likewise, Google Analytics and any other third-party tracking software will need to not only be referenced in your privacy policy but also need to be GDPR and Privacy Shield-compliant as well. While Google Analytics will be compliant—you need to accept their updated data processing terms to conform—lesser-known tracking services may not.
  13. CRM systems also collect user data and are subject to the same rules as other third-party data collectors. Additionally, they collect date, time, reason for capture, and other information, which is included when users make a request to be forgotten.
  14. If your website stores user account information, your database will need to identify users by username only, not by account information—a process known as pseudonymization or anonymization.
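
One way to handle checklist items 4, 5, 6, 8, and 14 on the server side, shown as an added example that is not Mightybytes' code: each purpose has its own checkbox, only an explicitly ticked box counts, every decision is logged against a keyed pseudonym rather than the email address, and withdrawal is a new log entry. The purpose names, notice version label, `consent_*` form field names, and key are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample values: purposes mapped to the notice text version shown.
PURPOSES = {"newsletter": "notice-v1", "terms_of_service": "notice-v1"}
PSEUDONYM_KEY = b"example-key-load-from-secret-store"  # placeholder, not a real key


def pseudonym(email: str) -> str:
    """Keyed hash, so the consent log never stores the address itself."""
    normalized = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()


class ConsentLedger:
    """Append-only log; the newest event per (subject, purpose) decides."""

    def __init__(self):
        self.events = []

    def _append(self, subject, purpose, granted, now=None):
        self.events.append({
            "subject": subject, "purpose": purpose, "granted": granted,
            "notice": PURPOSES[purpose],  # which description the user saw
            "at": (now or datetime.now(timezone.utc)).isoformat(),
        })

    def record_form(self, email, form, now=None):
        """Log one event per purpose; return the purposes actually granted."""
        subject = pseudonym(email)
        granted = []
        for purpose in PURPOSES:
            # Unticked boxes are absent from a form post: absence means "no".
            ok = form.get(f"consent_{purpose}") == "on"
            self._append(subject, purpose, ok, now)
            if ok:
                granted.append(purpose)
        return granted

    def withdraw(self, email, purpose, now=None):
        self._append(pseudonym(email), purpose, False, now)

    def has_consent(self, email, purpose):
        subject = pseudonym(email)
        for event in reversed(self.events):
            if event["subject"] == subject and event["purpose"] == purpose:
                return event["granted"]
        return False  # no record means no consent
```

Because a blanket field such as `consent_all` matches no purpose, a bundled tick box grants nothing, and the log keeps both the grant and the later withdrawal as evidence.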

Do I Have to Update My Website?

These are all good privacy and security practices regardless, but GDPR provides added incentives for US-based organizations to update their websites, email marketing practices, and so on. It is worth noting that GDPR non-compliance could result in stiff penalties. On the upper end:

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements…

Based on current exchange rates, that’s almost $24M! It seems inevitable that similar US-specific legislation will follow suit, though that may be a ways off yet. Even so, given the potential for costly lawsuits, it’s a good idea to craft a compliance plan as quickly as you can. At Mightybytes, we have updated our privacy policy to reflect the above and are in the process of making changes to how we collect and report on user information.

Although complying with this legislation may seem overwhelming at first, it will have a positive impact on users and potentially even the environment. Those are pretty strong reasons to start updating your website.

If you need help with any of the above or if you have specific questions about GDPR, please feel free to contact us.

Tim Frick founded Mightybytes in 1998 to help mission-driven organizations solve problems, amplify their impact, and meet business and marketing goals. He is the author of four books, including Designing for Sustainability: A Guide to Building Greener Digital Products and Services from O'Reilly Media. Connect with Tim on LinkedIn.