Is Your Website GDPR-Compliant?

On May 25, the strict new data privacy law in the European Union that limits what information can be collected about people online, known as the General Data Protection Regulation (GDPR), took effect.

Europe’s new privacy measures allow people to limit the information they leave behind when browsing social media, reading the news or shopping online. Businesses must now detail how someone’s data is being used.

The new rules have appeared to focus on Silicon Valley tech giants like Facebook and Google, but they affect all businesses that offer free content online but make money by collecting and sharing user data to sell targeted advertising. It is a common practice for websites to use tracking software to gather information about visitors to better target ads. Advertising companies have warned that the GDPR will harm their businesses because it restricts how information is packaged and shared to sell advertising.

When the GDPR took effect last Friday, several news organizations in the United States blocked access to their websites from Europe, choosing to black out readers rather than comply with the new data privacy law. The most notable blackouts were by The Chicago Tribune, Los Angeles Times, The New York Daily News, The Orlando Sentinel and The Baltimore Sun. The decision illustrated that some companies would rather lose European customers than risk being hit with the stiff penalties allowed under the new law: fines can reach 4 percent of global revenue.

The websites of many other American news organizations, including The New York Times, USA Today and The Washington Post, were accessible from Europe. Some acknowledged the new privacy rules with large disclaimers and other notices explaining what information was being gathered when a reader visits the site. “Welcome to USA Today Network’s European Union Experience,” the news organization posted at the top of its website, explaining that the company would not collect personally identifiable information or other data commonly used to sell online advertising.

The shutdowns came as a surprise to readers of the publications because companies had two years to prepare for the new regulations. Andrea Jelinek, chairwoman of the new European Data Protection Board, which will coordinate enforcement of the new law, criticized the blackouts and said that companies had been given a long time to prepare. For weeks, businesses as varied as Uber, bike shops and restaurants have been sending notes to alert people to their updated privacy policies resulting from the law.

“It didn’t just fall from heaven,” Jelinek said in a statement. “Everyone has had plenty of time to prepare.”

Part of the reason for the new laws has been the massive data breaches that have occurred over the past few years. In the past 12 months alone, Yahoo, LinkedIn and MySpace account details have been breached. The most notable privacy scandals have involved Facebook and Cambridge Analytica.

The GDPR covers both personal data and sensitive personal data. Personal data broadly means a piece of information that can be used to identify a person, such as a name, address or IP address. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation and more.

For direct selling companies, adherence to the GDPR is a necessary measure to ensure the privacy of consultant and consumer information. To ensure your company is GDPR compliant, review the guide the UK’s Information Commissioner’s Office has made available.