Note: This article does not constitute legal advice or recommendations. The following article is for informational purposes only.
U.S. business owners have been inundated the past few months with headlines and articles about the European Union rules that go into effect this week requiring clear privacy policy notices and personal data protection, among other requisites.
Now that the May 25 deadline is looming, business owners with Websites everywhere have been feverishly writing and publishing new privacy policies and notifications.
Should you, a small or medium-sized business owner whose target market resides solely in the U.S., be concerned about the EU’s General Data Protection Regulation or GDPR?
Who is Impacted by the GDPR?
The GDPR applies to businesses that specifically market to European Internet users within EU borders. A U.S.-based company selling in India whose Website is visited by an Austrian on holiday in that country will not be subject to the EU rules.
This article by Yaki Faitelson, published by Forbes Technology Council, outlines how the GDPR rules impact U.S. businesses that market their products or services in any EU country, regardless of where the company is located.
So, if your business is U.S.-based, but you market your products/services in EU countries, you will want to strictly abide by the GDPR rules. Consider rewriting your privacy policy and how you implement any privacy notices.
If the new rules do not impact your business, it is still a good idea to review your current privacy policy practices to conform with local state privacy laws and the federal Electronic Communications Privacy Act of 1986.
Beyond following ethical best practices when collecting Website visitors’ information, keep in mind that a similar law could pass in the United States, despite Congress’s Internet Privacy Law rollback last year.
As Exterro writer Tim Rollins noted earlier this year, after the Facebook Cambridge Analytica scandal broke, U.S. Senator Ed Markey (D-MA), in an NPR interview, mentioned that the U.S. needs an Internet “privacy Bill of Rights.”
Update Your Website Privacy Policy
Read through your existing privacy policy. At a minimum, it should state what information you collect from visitors, how it is obtained, and what you do with it. Here is a great article from Small Biz Technology that outlines seven items to include in your policy.
There are many free and paid templates available that you can use to create a privacy policy. These might be sufficient if your business is small and does not collect much information beyond an email and name.
However, if you have tracking codes installed on your Website, have Adsense or other advertising or affiliate marketing links, use cookies, and have forms that collect a significant amount of data, you might want to consult a lawyer to draft a customized policy.
It is a good idea to update your privacy policy every few years, especially if you add new ways of collecting information from Website visitors or new Internet consumer privacy laws go into effect.
I updated my privacy policy to include notices about social sharing buttons that I use and the Facebook Comments box that you will see below this article.
Install a Privacy Policy Cookie Notice
Cookies are small data files that store information about a visitor and their actions, such as pages visited or links clicked on a Website. They are saved in the visitor’s browser once a Web page loads. Some cookies expire once a browser is closed. Others are stored in a browser for a defined period.
If you have Google Analytics tracking code or Facebook pixels installed on your site, you have cookie tracking on your Website.
The EU implemented a cookie law in 2011 that requires precise and straightforward notice that cookies exist on a site, what information you are collecting, and how you will use it. A Website visitor must consent to the tracking, or the cookies must be disabled.
The cookie notice—those pesky pop-up notices with an Accept button—is how most Websites deal with informed consent (or non-consent) to the tracking.
As with the GDPR, cookie consent is only legally required in the EU, so it is up to you to decide whether it is necessary to install a cookie notice. I installed it on my site, “just in case,” which many marketers do.
If you use a platform like Shopify, Weebly, or Wix for your Website, you might want to consult with that platform’s customer support about installing a cookie notice.
Some, like Weebly, already include the option to enable/disable cookie notices on your Website and will soon provide it in banner form.
If a Web developer custom-built your site, contact them for help to install a cookie notice or hire a professional.
Alternatively, if you are comfortable installing code on your site, the European Commission has supplied a page with all the information you need about cookies. It also provides a Cookie Consent Kit. The kit contains JavaScript that installs a header banner on your site and a cookie page notice template.
How to Install a Cookie Notice on a WordPress Site
WordPress site owners have several simple options to install cookie notices, the easiest of which is a plugin.
I use the EU Cookie Law plugin on this Website, which is super simple to set up.
After installing and activating the plugin, you can customize the message that pops up. The plugin can also be set to automatically disable cookies until a visitor consents.
There are other options, such as choosing scrolling consent. If users continue scrolling down a page, they have automatically permitted the cookie tracking. But you must inform them about this type of approval in the popup notice.
It is not entirely clear if this plugin conforms to GDPR rules. But it is an excellent way to be upfront with your Website visitors about how you use their information.
You might also want to link your cookie notice to a privacy policy or cookie consent page. The page should inform visitors about the types of cookies on your site and how they are used.
Provide Privacy Policy Form Notices
I have signup forms installed throughout my Website in various formats. Some collect only email and a name, others require a phone number and other information.
Along with those forms, I now have written notices about what it means to submit your information on my Website. These notifications are another way to detail how a user’s data will be used.
Here is the notice I use:
Marketing Permissions: Crackerjack Scribe will use the information you provide on this form to contact you and to provide updates and marketing notices. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us or by contacting us at support@crackerjackscribe.com. We will treat your information with respect. For more information about our privacy practices, please see our Privacy Policy. By clicking “Submit,” you agree that we may process your information in agreement with these terms.
I customize the message per form.
Email Privacy Notices
If you use an email marketing platform, note that most, like MailChimp and Zoho, have already notified customers about how they are helping with GDPR messaging.
Here’s a great outline from MailChimp about the messaging and consent checkboxes that are available on that platform.
In Summary
While the GDPR may not directly impact how your business operates its Website and marketing efforts, it is still a good idea to set up your data collection practices to inform visitors about what type of information you collect and how you use it.
This will make your Website visitors feel safe and establish trust. You will also be ready if the U.S. decides to go GDPR style with its citizens’ Internet privacy protection.
Over to You
What do you think about Internet privacy laws and how companies collect information about Website visitors? Let us know in the comments section.