General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation and How it Affects U.S. Bloggers
Data protection and informed consent are subjects that even the most novice of bloggers must understand. Understanding them helps bloggers avoid trouble with various US regulatory bodies. The US regulates the way bloggers and web-based companies collect and protect the data obtained from their users. The European Union has complicated this data protection process by enacting legislation that impacts not only EU-based bloggers and companies but also US-based ones.
You may not think that your blog is impacted by this EU regulation, but you may want to keep reading, because more than likely you too must be in compliance with the EU GDPR.
If you employ marketing practices that collect user information to drive your marketing and gain readership, you probably need to be in compliance with the GDPR. While the scope of the regulation is not yet fully realized, if your website contains EU specific content or promotes directly to EU users, you need to be in compliance with this regulation or risk steep fines.
Whether you realize it or not, your website likely collects user data regularly.
While financial transactions are a major concern for data protection, this is not the only type of data collected by websites. Various forms of data collection are now subject to additional protection under the new EU regulations.
Ways your website collects users’ private information:
Cookies: Cookies are installed on your user’s web browser and allow your site (or 3rd party tools such as Google Analytics) to track user activity on your site. This enables you to analyze your traffic and update your content based on user trends.
Cookies are also used to collect your user's browser history.
Have you ever noticed that when you google a certain product, all of a sudden all of your web advertisements are for that or a similar product? That’s because websites such as Google, Facebook, Amazon, and eBay, etc. collect your browser history in order to personalize advertisements that you see. This is data collection and in the US and now in the EU, your users need to give consent for this data collection. The GDPR takes it a step further, however, requiring explicit and unambiguous consent.
Email Address Collection: Building mailing lists is a marketing strategy employed by bloggers and web-based businesses in order to drive traffic and create marketing funnels leading up to sales. With the changes to the GDPR, users now must provide their explicit consent for you to collect email addresses. You are also required to provide clear language which explains exactly how you will use the data collected.
IP Addresses: If your website or a 3rd party affiliate collects IP addresses, you likely need to be in compliance with the GDPR. Obtaining IP addresses helps you analyze where your users are located. This helps you understand traffic trends but also allows you to provide location-specific goods and services. Again, this is private information your website collects from its users and you now must obtain explicit consent.
How to obtain consent
If your website targets people located in the EU, contains EU specific content or offers goods and services to consumers located in the EU, you must update your website to ensure you are in compliance with changes to the GDPR.
It is no longer acceptable to simply guide your users to a Terms and Conditions page — though you still need one. You now must obtain consent for each type of data collection.
Each time your website interacts with a user and there is an exchange of data, you must include a form or pop-up which allows your user to provide their consent. Check boxes for consent can no longer be pre-checked for ease of use. The user must provide the consent themselves by checking off the box.
72-hour breach notification
Once you collect user data, you must also protect that data according to the EU regulation. This, however, likely won’t change much from US data protection regulations with the exception of the new “72-hour breach notification rule.” If your website is compromised and your collected data is at risk of being lost or stolen, the EU Regulation requires that you notify the EU regulatory body within 72 hours of that breach.
If you become aware of a data breach, you must first analyze whether EU consumers may be impacted by this breach. If you determine this to be true, then you must inform the EU regulatory body and sometimes even users themselves within that 72-hour time frame.
What types of online businesses are affected?
If you run a blog or website that targets EU users directly, then you must be in compliance with the changes made to the GDPR by May of 2018.
U.S.-based websites that are directly affected include hospitality or travel blogs, software services, and e-commerce sites. Remember, even if you do not sell products, having affiliate links on your site makes your site a for-profit site.
If your website contains EU-specific content and advertises to its users, you may want to protect yourself by getting in compliance with the GDPR. This includes history and genealogical websites and services, photography bloggers, and even gardening bloggers, who may fall under the GDPR’s umbrella if they discuss plant identification and the countries that plants are native to.
The full scope of the EU regulation’s ability to reach US-based bloggers and websites is not yet fully clear. It may take years to determine who exactly is impacted by this regulation and how the EU can regulate international websites. Given the large fines imposed by the EU on websites that are out of compliance, you may want to take steps to protect yourself and your users rather than risking it.
Why you should comply
User privacy and data protection should be a major component of your web-based business plan regardless of these regulatory changes. Protecting your users’ private information directly impacts your credibility and integrity as a business owner while saving you time and money in the event of a data attack on your website. The EU has enacted major fines for those who do not report data breaches within 72 hours (assuming you fall under the categories which must comply with this regulation).
As web-based commerce and data sharing increase in scope and more business owners take to the web, data protection will continue to be a major source of concern and regulation. Protect yourself and your assets now by staying up to date and in compliance with any regulation that may affect your business.
Author: Abigail Levandoski