We’ve all seen those ugly and intrusive GDPR banners that pop up at the bottom of websites. It seems like they’re everywhere. It’s normal to wonder if you need a GDPR notice on your website, too. You don’t want to be breaking any laws, right? You don’t want to be accused of stealing someone’s private information, right? You’re just a decent person trying to run a business in this world. Whose idea was this anyway? Those are the thoughts that came to mind when I started seeing the GDPR notice banner pop up on websites a few years ago.
I decided to just ignore it. That worked for a while, until I started getting requests from my website management clients to add this banner to their websites. At my company, we provide website management support to more than 50 companies from all types of industries across the United States and elsewhere in North America.
The banner is usually called a GDPR notice (or a cookie consent banner). It is meant to tell website visitors what data that particular website collects about them and how it might be used. The data collected could be as simple as the pages a visitor viewed, tied to that visitor's IP address, or it could be a more sophisticated system of data collection. For example, a website visitor may voluntarily provide their name and email address through a form. That name and email could then be shared, sold, or simply used by the business for email marketing.
Do you need a GDPR banner on your website?
I took a closer look at the GDPR requirements so that I could have more intelligent conversations with our business clients. I've learned that I don't need a GDPR banner on my own website, even though my website accepts a name and email address from people who fill out our contact form. And if you're a U.S. small business that doesn't market to or do business in the European Union, then you probably don't need this notice either. But instead of advising you on legal stuff, I'm just going to share the specifics of what I found while doing research for my own business.
Here is what GDPR.eu has to say about this European law:
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
That seems a little broad, doesn’t it?
Let’s take a closer look.
So, even though I don't have employees in the European Union and I don't do business there, a European resident could stumble across my business website and fill out my contact form. I would then have inadvertently collected the personal information of a European resident through my website. At first glance, and according to a great many blog writers, I am now responsible for taking additional steps to protect that visitor's information.
Well, no. Not really.
Exemptions to GDPR requirements
Article 30 of the GDPR ("Records of processing activities") requires organisations to keep written records of what they process, and paragraph 5 exempts most small organisations from that record-keeping. The obligation "… shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions…"
Let's see… I have fewer than 250 employees and I'm not collecting information about criminal convictions… so far so good. No ugly banner required for me. Wait, what's this about Article 9(1)? Answer: the exemption falls away if you're collecting information in one of the special categories described in Article 9 (health, religion, political opinions and the like), even if you have fewer than 250 employees. And even that article has its own separate exemptions. One caveat worth knowing: the 250-person threshold only switches off the record-keeping duty, not the rest of the regulation. What keeps a business like mine outside the GDPR altogether is its territorial scope in Article 3: a business established outside the EU is covered only if it offers goods or services to people in the EU or monitors their behaviour, and Recital 23 says that merely running a website EU visitors can reach, in the language generally used in your own country, is not enough on its own to show that intention.
I’m in the clear! And, it turns out that just one of my clients is actually required to comply with the GDPR regulations.
What about California privacy laws?
According to the State of California Department of Justice, the California Consumer Privacy Act (CCPA) is intended to give consumers more control over the personal information that businesses collect about them. But this law only applies to for-profit businesses that cross certain revenue or data-volume thresholds. According to the California Department of Justice, "The CCPA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.”
I'm still in the clear! Whew.
One thing to double-check before you rely on those numbers: they are the thresholds as the DOJ page stated them at the time. The California Privacy Rights Act amendments that took effect on January 1, 2023 raised the second threshold to 100,000 consumers or households and extended it to personal information that is sold or shared, so confirm the current figures before deciding you're out of scope.
A minimal GDPR privacy notice banner
What if you see the writing on the wall and you want to get out ahead of this whole privacy thing? Perhaps you're not technically required to post a GDPR notice on your website, but you want to improve your image as a good cyber-citizen. By all means, add a privacy notice to your website. I found a visually minimal yet robust GDPR privacy plugin created by Moove in the United Kingdom. Check it out » https://www.mooveagency.com/wordpress-plugins/gdpr-cookie-compliance/ Whatever you install, check that it actually holds back analytics and advertising scripts until the visitor clicks accept. A banner that only announces cookies the site has already set is a notice, not consent.
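What a consent banner has to do mechanically, as an added illustration that is not the Moove plugin's code or anything from the original post: the cookie name, consent version number, and analytics script URL below are assumptions, and the page wiring is kept generic. The point is that the tracker is only injected after the visitor's explicit yes has been recorded, and that a missing, stale, or unparseable consent cookie is treated as no answer rather than as permission.

```javascript
// Added example, not the Moove plugin's code: a consent-gated loader for a
// non-essential (analytics) script. The cookie name, consent version and
// script URL are assumptions for the illustration.

const CONSENT_COOKIE = "site_consent";                    // assumed cookie name
const CONSENT_VERSION = 1;                                // bump when the policy changes
const ANALYTICS_SRC = "https://analytics.example/tag.js"; // hypothetical tracker
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;               // remember the answer for 180 days

// Turn a document.cookie string ("a=1; b=2") into an object {a: "1", b: "2"}.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch { continue; } // malformed: skip it
    if (name) out[name] = value;
  }
  return out;
}

// Read the stored decision: "granted", "denied", or null when the visitor has
// not answered yet, the cookie is unparseable, or it predates the current policy.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return null; }
  if (!parsed || typeof parsed !== "object") return null;
  if (parsed.v !== CONSENT_VERSION) return null;          // policy changed: ask again
  return parsed.analytics === true ? "granted" : "denied";
}

// Build the cookie string that records a decision. Secure + SameSite=Lax so the
// consent record itself is neither sent in the clear nor set cross-site.
function consentCookieValue(analyticsAllowed) {
  const payload = JSON.stringify({ v: CONSENT_VERSION, analytics: analyticsAllowed === true });
  return `${CONSENT_COOKIE}=${encodeURIComponent(payload)}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// The single gate every non-essential script must pass: explicit opt-in only.
function shouldLoadAnalytics(cookieString) {
  return readConsent(cookieString) === "granted";
}

// ---- browser wiring (skipped when run under Node) ----
function injectAnalytics() {
  const s = document.createElement("script");
  s.src = ANALYTICS_SRC;
  s.async = true;
  document.head.appendChild(s);
}

function showBanner() {
  const banner = document.createElement("div");
  banner.setAttribute("role", "dialog");
  banner.textContent = "This site uses analytics cookies. ";
  for (const [label, allowed] of [["Accept", true], ["Decline", false]]) {
    const btn = document.createElement("button");
    btn.textContent = label;
    btn.addEventListener("click", () => {
      document.cookie = consentCookieValue(allowed);
      banner.remove();
      if (allowed) injectAnalytics();                     // only now does the tracker load
    });
    banner.appendChild(btn);
  }
  document.body.appendChild(banner);
}

if (typeof document !== "undefined") {
  if (shouldLoadAnalytics(document.cookie)) injectAnalytics();
  else if (readConsent(document.cookie) === null) showBanner(); // "denied" stays silent
}
```

The design choice worth copying from this is the single gate: every non-essential script goes through `shouldLoadAnalytics`, which returns true only for a well-formed cookie that carries the current policy version and an explicit `analytics: true`. Anything else, including a cookie written under an older policy, sends the visitor back to the banner instead of quietly loading the tracker.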
Need help with learning WordPress and don’t want to take an online course? Learn about our 1-on-1 WordPress Training.
Ready to work directly with a dedicated website manager who listens and responds? Get the details about our Website Maintenance Services.