What is GDPR and What Does It Mean for Your Business?

GDPR and Google Analytics
General Data Protection Regulation (GDPR) is a new European Union (EU) law that becomes enforceable on May 25, 2018. It has far-reaching, potentially game-changing ramifications for digital marketing. Even if you are not operating within the EU, it is essential to understand GDPR and what it means for your business and its marketing strategy.

What Is General Data Protection Regulation (GDPR)?

In a nutshell, GDPR is a privacy law established in 2016 that will start being enforced as of May 25, 2018. Therefore, organizations in the European Union that are not compliant with GDPR will soon face heavy fines.
The law requires consent to be obtained in order to use or monitor any data that can be tied back to an individual. In other words, the troves of personal data out there that can be connected to you can’t be used by a second or third party without your permission.
Although the law only pertains to the EU, ultimately every business (even those in the United States) will be affected by the new law, which is designed to better protect personal data of those within the EU.

Does GDPR Matter to Your Business?

Yes! GDPR not only affects organizations in the EU, but also any entity (inside or outside the EU) that offers goods and services or even monitors those in the EU. Still not convinced this affects your business? Keep reading.

Google Analytics and GDPR

Google sent out an email outlining that GDPR is coming a couple weeks ago. They are introducing data controls that allow you to determine how long you keep data on the servers for those who visit your website. The default is 26 months. Google is also releasing tools that will allow users to opt out and even delete their data for countries enforcing GDPR.
If you have Google Analytics on your website (which you should, by the way), then you likely need to make a few changes in order to be compliant with the new regulation. Anyone from the EU can search for, find, and access your website. Google Analytics tracks data on anyone who visits your site, which makes your company legally fall into the category of “monitoring” anyone in the EU that stumbles onto your website.
Although you can technically track users (for “historical purposes”) without adding a consent form, many websites use third-party apps and “free” plugins that collect data from website visitors. Therefore, you likely need to add tracking consent popups for those visiting your site from the EU.
If you’re doing online marketing, then you’re probably using third-party tracking. For example, are you retargeting people who visit your website by having your ads follow them around online? Even social sharing buttons and video embeds technically send information back to those third-party providers.
Additionally, Google is going to require anyone with Google Analytics accounts to accept the new amendment (see below for a screenshot).

However, this does not put legal responsibility on Google – so although Google provides the tools to delete data to remain compliant with GDPR, you have to use those tools to remain compliant for EU visitors and buyers.

What Constitutes “Personal Data”?

Personal data includes pretty much any information that can identify an individual, ranging from sensitive information like medical data to simply their name, email address, IP addresses, or even a photo.

Practically, What Do You Need to Do?

If you’re using Google Analytics and sending that information to third-party providers, then you need to have a cookie consent popup on your website when someone visits from the EU.
Note: These do not need to pop up if people are visiting your site from the United States.  
These cookie consent forms are typically just a box that pops up and says “we use cookies and will be tracking you” (in so many words) with an option for them to click “accept.”

Will GDPR Expand to the United States?

Due to the issues with Facebook and Cambridge Analytica, there are obviously huge privacy concerns. These new regulations are intense and will likely be heavily monitored and enforced.
Furthermore, depending on how these changes materialize in the EU, other countries are likely to follow suit. Therefore, we could be seeing a change in online privacy with American businesses potentially seeing similar regulations come to the U.S. in the near future.

Interested in Learning More?

To learn more about GDPR, including additional information about obtaining consent and the fines associated with failing to comply, visit EUGDPR.org.