Are you confused about GDPR (General Data Protection Regulation)? If so, you are not alone. When I first wrote about GDPR in my newsletter, it seemed like a tiny issue that probably shouldn’t matter to most businesses outside of Europe, but it appears that this is not true.
I have read countless articles on GDPR and its impact on SEO and although all of these are really well written, I’m still really confused. Here are some good articles that I would suggest reading:
What is GDPR and how does it affect me - By Jenny Halasz on Search Engine Journal
Don’t let Google trash your analytics data - By Jeremy Rivera from Raven Tools
How to prepare your Google Analytics account for GDPR - On the Jeffalytics site
Does GDPR affect SEO? - By Jake Bohall from Hive Digital
If you run a digital marketing company then you are likely getting emails from clients, asking what they should do about this email:
And if you are like most agencies, you likely do not know exactly how to respond to this.
My advice to my clients, as an SEO, on GDPR
First, I want to thoroughly disclaim that I’m not a lawyer, I’m not an expert on GDPR, and there is a good chance that some of this information is not perfectly accurate. How is that for a statement to inspire trust in this article? However, I have put together some thoughts after many hours of reading and discussing this issue. My main point in writing this is to be able to point my clients to something that can point them in the right direction.
The following are questions that have arisen about GDPR and SEO along with my thoughts:
If I am outside of the European Union do I have to care about GDPR at all?
The answer to this is “probably yes”. There are two reasons why you have to care about this issue:
1) If your website receives visits from Europe, then you fall under this regulation. You may wonder how a regulatory body in another country can affect you, but it sounds like you truly can be fined for not complying. It does sound like it will be difficult for this to be enforced outside of the EU, but it is best to comply just to be sure.
2) It is possible that you will lose Google Analytics data if you don’t make changes right now to your GA settings. I’ll write more on this below.
What do I do about GDPR if my business is based in the EU, or very obviously has customers there?
If this applies to you, then I would highly suggest consulting with your lawyer. My main point in writing this article is to answer the questions that are being asked by companies outside of the EU who don’t know what to do.
What constitutes “doing business with the EU”?
If you’re a local small business that doesn’t interact at all with the EU, I think that you are probably fine to mostly ignore this regulation. I would still recommend making some changes to your privacy policy, as I’ve written about below, and also making the recommended changes in this article to your Google Analytics settings.
But what about a business like mine? I have customers all around the world. I have a newsletter that has European subscribers. Even though I’m based in Canada, I really should make the changes recommended at the end of this article.
Could I just block people from Europe from visiting my site?
That certainly is an option, but it seems extreme to me.
https://twitter.com/sugarrae/status/993627048299155456
Perhaps I will change my stance on this as more information becomes available, but for now I would not recommend blocking EU visitors to your site.
GDPR and Google Analytics
This is where things get even more confusing. I’d like to thank Jeremy Rivera and Joe Hall for this great Twitter discussion in which they gave their thoughts on my GDPR questions:
Getting loads of emails from business owners asking about GDPR and GA. Every resource I can find is too technical for even me to understand.
I think what we all want to know is whether the average person truly needs to make changes to GA and whether we're going to lose data.
— Marie Haynes (@Marie_Haynes) May 8, 2018
The main point that I took away from our discussion is the following:
Even if you have no business at all in the EU, you are at risk for losing Google Analytics data if you don’t take action now.
To get ready for GDPR, Google Analytics added the ability to choose how long we keep personalized data. If you do not make changes now, you are at risk for losing some data.
What data will be lost?
Google says the following:
Here is how I interpret this:
- If you just want to be able to look at traffic trends, that data is not likely to be lost.
- But, if you have any custom stuff added to GA, then there is a good chance you’ll lose that if you do not change some settings in GA. “Custom stuff” could mean a segment (such as if you’ve bucketed data into things like users under the age of 18, or users whose actions resulted in a certain amount of revenue) or any other type of custom report. I was originally unsure whether this data included goal completions. According to Jenny Halasz, the standard type of goal completion will not be affected. But, if you have goals that are connected to user info, such as age, demographics, etc., then those goals will likely be removed.
Even if you don’t currently have custom reports or segments currently set up, there is a possibility that you might want to do so in the future. As such, if you are not heavily involved in dealing with EU customers, I am advising that you do make changes to your GA settings.
Changes you should consider making today
First, go into Google Analytics → Admin → Account settings, click on “Review Amendment”, and accept and save the agreement.
Go back to admin and click on “tracking info”, then “data retention”:
You’ll see that, by default, your account is set to delete some information after 26 months:
Change this to “do not automatically expire” and then hit save:
Note: If you are actively involved in business in the EU, then this is where you need to consult with your lawyer. I do think that you may have to keep this at 26 months. It is possible that the length of time you are allowed to keep data may differ from country to country.
What changes should you make with your privacy policy in order to comply with GDPR?
This is where things get confusing again! This is a section that really does require legal advice. There is good information, along with a template in this article that you can use to help you rewrite your privacy policy.
Here is what I am advising my clients:
- First, if at all possible, consult with your lawyer to get help with writing this policy.
- Include information on the following:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
- Make sure that your privacy policy is easily found on your website. A link from your footer should suffice.
What should you do if you do email marketing?
Most of the common email providers have made changes to make it easy to comply with GDPR. If you are sending emails to customers in the EU, then you really should make sure that you comply. I use Convertkit for my emails. They have a document that explains what they have done to become GDPR compliant. It includes things like making it possible for users to close their account or request deletion of data. They are also soon adding a custom signup form which you can use for EU customers so that they can specifically opt in to your emails in a GDPR compliant way.
I am advising my clients with newsletters to check in with their email provider to see if they should make changes. I think though, that if you’re using one of the recognizable providers, they should have things covered for you.
tl;dr
Here is a summary of my recommendations at this point:
- If you are in the EU or have a customer base in the EU, you really do need to consult with your lawyer. The rest of this list does not apply to you.
- If you have no EU clients, or possibly have some who visit your website or receive your emails, then you really should make changes.
- You should consider changing your data retention settings in Google Analytics so that you do not lose data. Even if you are not using custom segments, you never know what you may want to do in the future. I’m going to set my GA settings to “do not automatically expire.” To cover myself here, I’m going to say that you should consult with a lawyer to determine whether you should do this too.
- You should have a privacy policy that is linked to from your footer and thoroughly explains how you deal with personal information.
- If you have a newsletter or send emails to a subscriber list, you should make sure that your email provider is GDPR compliant.
What have I missed?
I debated on whether or not to write this article, as I am not a GDPR expert. However, I could not find a good resource that answered the average small business owner’s questions in plain English. (No offence to the authors of the posts listed above. They are all really good resources and I learned a lot from reading them.)
If you are concerned about GDPR, ideally, legal consult is the best way to go. But, I know that many of you just want to know whether or not you need to do anything. Hopefully I have helped answer those questions.
If you disagree with any of the information in this post, or have additional info to add, please do leave a comment. I will update the post as I get more clear information. Also, if you would like to stay updated, you can subscribe to my newsletter and I’ll keep adding new information on GDPR as I learn it.
Comments
Hi Marie
I am in the EU and in the process of doing my GDPR; this is a required declaration:
“All collected data can be provided to you free of charge in electronic form.
If you would like your name, address and phone number to be removed please email us and all details will be deleted.
Should there be any breach of private data you will be notified within 72 hours of becoming aware of the breach”
Opt in forms for emails etc and where you store everything including the tea and biscuits and you should be covered!
Regards Tracie
Thanks Tracie. This sounds like good verbiage to have in our privacy policies.
Most hosts, shopping carts, and ad networks are playing chicken with the release of their plans for GDPR. Finally, today, my host just emailed a message full of blather…
“we are asking all users of [redacted] to review the information that will be provided over the next several weeks. You may receive emails or other alerts that require your prompt attention and action”
… that says nothing. And GDPR is two weeks away. They are waiting to see what their competitors are doing so they can be copycats and jump on it. Or they don’t want to release their plans and be pointed at because their pants are down.
I emailed my host and told them to stop collecting log files and gathering stats. I emailed my shopping cart to ask what they are doing. Nothing meaningful in their replies. My ad providers have said nothing of substance. Google is keeping their mouth shut other than a webinar with less than 24 hours notice.
However, the legal newsletters are beating the GDPR drum, saying nothing of substance because they want you to pay them for their advice. IMO the solution is mostly technical, but impossible because millions of individuals in the EU are accessing the web from multiple IPs and devices which are shared among multiple individuals. Impossible.
Hi Marie,
You are really providing some useful information. I just subscribed to your blog. And I have received notifications about GDPR but did not bother about that.
But a big thanks to you for telling me to know about this through your amazing post.
Regards,
Robin Khokhar
Marie,
Thank you for this info! I’m surprised how technical all the language about GDPR is and how many people have little clue what any of it means. Most of us are business owners, not lawyers and many of us have websites that are accessible from anywhere in the world, yet we don’t do business with clients in the European Union.
Garrett
Hello Marie,
Thank you so much for the explanation.
The analytics change is a must. I will have to dedicate a day or two to fix it across the board for all the sites I manage.
I’ve put some good effort into deciding how to handle the GDPR issues related to my website. We do not collect, store, or process any personally identifiable data from people in the EU, however, our host, analytics provider, shopping cart provider, and ad network provider may collect and/or process such data.
My conclusion is that I can meet my obligation by adding one paragraph to my “conditions of use” page. That paragraph would indicate that we do not collect or process any personally identifiable data. However, our host, analytics provider, shopping cart provider, and ad network provider may collect and/or process personally identifiable data. Details about their activity can be obtained here, here, here and here. (with the words “here” being hyperlinks to pages on the websites of these service providers where they explain their activities)
Unfortunately, these service providers do not have pages on their website where they publish information that I believe should be linked to.
So, if your service provider does not publish this information – and keep it updated – then you will have to explain the stuff that they do and explain how they do the stuff that they do every time they change the stuff that they do.
The bottom line is that small businesses who use hosts, shopping carts, analytics and ad providers can only be consistently GDPR compliant if their service providers are GDPR compliant and communicate it explicitly. And, for that reason, if the EU ever goes after anybody for not being GDPR compliant their first several years should be spent going after the providers of hosting, shopping carts, analytics, advertising and other services to operate at a lower level of collection, storage, or processing of personal information or collect, store or process none of that information.
I have also felt confused when it came to understanding general data protection regulation but I am glad I am not alone. I will read the articles you suggested and hope to clear the confusion this time. Your advice is very helpful.
I now know that I can still be affected by the GDPR even if I am outside the European Union. I also feel making changes to my privacy policy will be a lot easier and better than deciding to block people from Europe from visiting my site. I find the changes needed to be done and the steps you shared very easy to comprehend.
Thank you so much for the valuable information Marie.
Hi Marie,
It’s an excellent post. I am glad that I have found that post. I got some useful information. Thank you so much for the valuable information.
Regards,
Sourav Roy
I have also felt confused when it came to understanding general data protection regulation but I am glad I am not alone. I have read the articles you suggested and hope to clear the confusion at this time. Your advice is very helpful.
I now know that I can still be affected by the GDPR even if I am outside the European Union. I also feel making changes to my privacy policy will be a lot easier and better than deciding to block people from Europe from visiting my site. I find the changes needed to be done and the steps you shared very easy to comprehend.