Last week, I wrote an article for Search Engine Journal: What is GDPR and How Does it Affect Me? After the article was published, I was contacted by several self-proclaimed “experts” in GDPR who assured me that I was wrong in much of what I wrote. I absolutely stand by what I wrote in that article, so please read it to gain context. I’ll wait. Ok, so my newsfeed, my inbox, and my Facebook wall lit up after I posted that. I decided that what I should do is follow up with some FAQs, including some bad advice I’ve seen touted by other self-proclaimed “experts”. I am not an expert. I’m not an attorney. I don’t even play one on TV. No matter what I say in this article, you need to fact check it and consult with your own attorney. The bottom line is that there is very little verifiable information around GDPR at this time.
If I do business in the EU, how can I make sure I’m in compliance?Talk to your attorney. Then hire a firm that specializes in GDPR compliance. Don’t hire someone US based, they don’t have the background in EU law that is going to be necessary to navigate these treacherous waters. This article (requires registration) has some good starting points: https://www.csoonline.com/article/3230128/regulation/preparing-for-gdpr-compliance-where-you-need-to-be-now-and-how-to-get-there.html
If I do business primarily in the US but sometimes have EU customers, do I need to make changes?Yes, you should act like you are EU based. See above.
If I do business only in the US and only have US customers, I’m ok right?No. Unfortunately if you even have a visitor from the EU that decides to visit your website while staying in a hotel in Duluth, MN (Hi Marty!), that visitor expects your site to comply with GDPR.
What if I don’t collect any personally identifiable information (PII)?Are you sure you don’t? If you track IP addresses, engage in retargeting, remarketing, set cookies, or have an email list, you collect PII.
What if I really don’t collect any of that data?Then you’re ok. Continue living in the dark ages. Consider hiring a marketer though; you could be making a lot more money.
Along with the question above: What if I can’t afford an attorney?Suck it up and pay for one. It’s a cost of doing business. Seriously. If you don’t have an attorney on speed dial, you’ve probably got much bigger risk exposure.
What will I lose in Google Analytics starting on May 25?If you have not changed the default setting, you will lose any PII from 26 months before.
What in Google Analytics is considered PII?Anything that could conceivably be tied to an individual. IP address for sure, but possibly referral data, demographic data, affinity data, browser details, location, etc. If you have custom segments set up for any data like this, it’s likely those will be limited or data will be removed from them. The reason Google isn’t specific on the type of data is that the problem is the intersections of this data. When you pull together a custom report and get something like this: Then you can be assured that Google’s data crunching has determined that report gets too close to an individual’s PII. From https://support.google.com/analytics/answer/2799357: If you have any reports where a threshold is currently being applied, you need to revisit that and see if there is either another way to pull the data, or if you may be collecting PII after all.
What should I do about Google Analytics data?Consult an attorney. Or just leave it at the new default, 26 months.
What other risk might I have and not be aware of?If you are collecting data anywhere else – using an API to put it into a spreadsheet, keeping data in Salesforce, storing comments in wordpress, etc. then you may be at risk of violating GDPR. If you are using any third party data collection (cloud storage, backup services, payroll providers) then they must also be in compliance with GDPR, and if they are not, your company can be held liable. If you provide mobile devices to your employees that they can download apps on, all of those apps must also be GDPR compliant, or your company can be held liable for non-compliance.
Now for some falsehoods I’ve seen bandied about:
I’m too small, GDPR enforcers will go after the big guys like Amazon and Facebook first.Maybe so, but are you willing to bet the farm on that? All it takes is one disgruntled EU visitor to make your life a living hell.
It’s EU law; it’s not enforceable in the US.It is enforceable under international law. EU and US have a nice solid relationship when it comes to international law. Don’t be surprised when your case gets moved to an EU court. Another possibility raised by one of my many commenters – US people may decide to sue you based on how you discriminate against them – keeping their personal data while you expunge the personal data of your EU visitors. Compliance with GDPR cases don’t have to take the normal route. Expect to see some civil suits around it too, where jurisdiction is often less of a limiting factor.
I don’t have any EU customers and I don’t even ship to EU!Good for you. You don’t have to ship a product and no money has to change hands for GDPR to be in effect.
Screw those high and mighty EU people. I’m an American and I’ll just block them.Good luck with that. You can’t be assured that blocking by IP will work because:
- IP addresses are a proxy for the ISP, not the individual (mine says I’m physically 40 miles from where I am – my google location SERPs suck)
- People use VPNs and proxies
- EU people travel to the US