GDPR is the General Data Protection Regulation, which is coming from the EU and other countries.
How does GDPR affect U.S. Businesses?
It does if you have people from the E.U. on your email list, if you sell to people in the E.U., or if you collect any type of visitor data from anyone in the E.U.
The courts ruled that individuals are the owners of their data, not the corporations (or websites) that collect the data. Therefore, it must be deleted on a regular basis so that customers don’t have to constantly contact websites they may have visited and ask them to delete their data. Source: Search Engine Journal
Where Google Analytics comes in...
Google, being a global entity, collects demographic data from websites through Google Analytics.
Now Google realizes that holding onto that data in perpetuity, especially for European sites and customers, puts them at tremendous risk of violating the GDPR.
This is where the average site owner and Google Analytics customer comes into play, and it explains why you received that email.
Google has decided to have all personal user data expire 26 months after the date it was collected. This includes that demographic and affinity data, but does not include things like sessions and goal completions. Source: Search Engine Journal
What happens if you don't comply with GDPR?
If you don’t comply, there is a price to pay.
The fines can go as high as four percent of annual global revenue or €20 million (over $24 million), whichever is greater. Individuals who suffer damages can also take legal action by suing the data controller, processor or both as well as anyone in the supply chain. Source: Small Business Trends
What should you do?
You should not take this lightly.
If you have, or plan to have, any European visitors, you need to consult with your attorney. You should also take steps to ensure that this data is not recorded anywhere other than Analytics.
And finally, you should prepare for this to become the law of the land here in the U.S., too. It will take a while, but user data control is going to get more restrictive, and you should make sure that none of your critical business decisions rely on that data.
But you need to act quickly. May 25 is the date on which Google will start expiring/removing data that is older than 26 months. Source: Search Engine Journal
Recently, I read a blogger's post informing her followers that, because she didn't know which of the people on her email list were in the E.U., she was wiping out her entire list and no longer doing an e-newsletter.
While that is one way to deal with the issue, there are other things you can do.
- If you have an e-commerce site that sells to the E.U. and you're on one of the many e-commerce platforms (Etsy, Shopify, etc.), and they haven't sent you anything on GDPR, go to their help system and see whether they've posted how they are handling the data.
- If you have your own e-commerce site or a membership site where you hold people's data for an unlimited time, you need to contact your E.U. customers and make sure you have their permission to keep their data.
- If you have a newsletter or email list used just for marketing -- they're not your customers yet -- try to identify the E.U. people and send them an email asking whether it's OK to keep them on your list, or telling them you're going to delete them unless they want to stay on it.
- Contact your email provider -- MailChimp, Constant Contact, etc. -- and see what they recommend.
- Rewrite your privacy/disclaimer statement on your website. Consult a lawyer.
- For the future: Add a "country" field to your contact form or your sign-up form, and set up a triple opt-in for E.U. countries, being very clear about how long you will keep their data.
This is serious.
If you are a small business operating in the U.S. which stores and collects data about citizens in the European Union, you have until May [25,] 2018 to put the necessary data security measures in place to ensure you are GDPR compliant and not open to a non-compliance fine. Source: Small Business Trends
While it is an EU law, it is applicable to any organization with personal data of EU citizens and residents. So if you are a business with customers in the EU, the GDPR will be applicable to you when you are handling personal data of your EU customers. Source: Buffer
If you're at all unsure how to handle your particular situation, take the advice from the Search Engine Journal and contact an attorney.