credit: Dayne Topkin unsplash

Tips for making your US-based website more GDPR compliant

GDPR Priorities for US-based Companies.

1. If you collect any personal information at all on your website(usually names and contact info such as an email address), decide whether you truly need to collect this information and only collect what you need.
2. Know and understand that Personal Data, or what we Americans refer to as Personally Identifiable Information (PII), can include a user’s IP address as well as any 3rd party cookies that can be used for tracking purposes such as Google Analytics. (See the bottom of this article for some more detail about IP addresses in particular)
3. For the data that you do collect, design a friendly notice to users informing them about what you collect and for what purpose. This notice should specifically NOT be buried in the “small print” of a privacy policy, instead make the language easy enough for a 7th grader to understand (check the language you are using on the Flesch–Kincaid readability scale) and consider adding a banner to your site with this language indicating what you collect and why with a link to more details a privacy page.
4. If you only collect names and emails for email marketing, consider doing this with a large 3rd party service that already offers GDPR compliant tools such as Mailchimp. A large service provider like this will already have forms for consent that meet GDPR compliance and they will have policies and procedures in place to handle any requests from users for their data.
5. If you are not using 3rd party tools that are already GDPR compliant and instead your website is collecting and storing personal data then you must get “consent” from your users. This is what an email “opt-in” form does, however, to be GDPR compliant you can no longer leave that “opt-in” box automatically checked. Also, in addition to clearly stating in plain english what you are collecting and why, if you are storing it on your systems, you now also need to tell them how long you are storing it, how you keep it safe, how they can request a copy of it, how they can have it removed, and how you’ll notify them if it is ever compromised.

An important note about IP ADDRESSES. We mentioned above that under GDPR a user’s IP address is considered personal data. Virtually every web server comes with a logging capability and by default they log every visit to a website to a log file. This log file typically includes a timestamp, the page requested, the type of browser and the user’s IP address. This is often used for security and fraud-prevention. For example, if your site is ever hacked, you may want to analyze these log files for forensic purposes, or you may get a request from a law enforcement agency to analyze your log files.

Since this is personal information, technically, to be compliant with GDPR you need to let users know that you are collecting and storing their IP address for security and fraud prevention. In the special case of log files, since you collect them for a business critical purpose (e.g. for security and to prevent fraud), there are provisions in GDPR that allow you to collect this data without specific consent, however, other rules still apply.

You need to clearly state in your privacy policy that you are storing their IP address for security and fraud prevention. You also need to ensure that you are doing everything you can to keep that information safe and secure and tell your users how you are protecting their data.

This means you should ensure that server logs are encrypted. That access to the logs is restricted to a few. And lastly, that the logs are removed after a certain time frame. All of this should be clearly stated on your website.