By now, I’m sure you’ve heard of the European Union’s new law, the GDPR. (And if you haven’t, that’s ok! I’ll tell ya what you need to know.* You can also read the whole thing right here on the official site.) So what is GDPR exactly?! GDPR stands for General Data Protection Regulation, and it was written and passed to… (shock of all shocks) protect data! It was not created to make your life difficult or to confuse you or to line the pockets of contract lawyers. It was created because we all have a whole bunch of data floating out there on the internet and people are going, “Hey could we, like, get some reassurance that companies are going to actually keep this data safe from the Hamburglar and other bad guys?” and law makers in the EU are like, “Yeah! Let’s hold companies accountable and make sure they keep our info safe.”
So even though there are some steps you may need to take to comply with the GDPR, and that’s more work for you and you’re already busy, I think we can all agree that keeping personal info safe is a good thing. I know I’m taking comfort in the fact that the big companies that store my data are tightening up and getting compliant with this.
*Before we go any further, I need to make it clear that I am not a lawyer! I know my site is hot pink and sometimes I sound like Elle Woods. But unless someone’s handing out law degrees for watching Legally Blonde 37 times, then I don’t have one. So this is not in any way intended to be legal advice. I’m just sharing what I’ve learned and what I’m doing so that you can stop worrying and start checking things off your to do list. Saying “Biz BFF told me to” is not a legal defense if you get in trouble, and I do not accept any responsibility for your business complying with the GDPR or any other rules for that matter. You should always consult a real lawyer about lawyery things, like making sure your specific business complies with the GDPR and other laws.
I hear you asking… “Does this even apply to me?”
If you’re not in the EU, do you even need to work on this? Probably. Because this applies to all data, including data collected when someone visits your website, you at least need to have your privacy policy and cookie policy on your site. (Since you can’t really control who visits your site.) But if you’re a local service provider who lives outside of the EU and all of your customers and newsletter subscribers live locally, that’s probably as far as you have to go to be compliant. It’s still a good idea to be aware of these steps, should similar regulations come to your country! (And definitely read the “things you should already be doing” section at the bottom!) If you own an online business, you could have customers and subscribers from all over the world. So even if YOU aren’t in the EU, your people may be! So read on, friends.
Why I’m not panicking (and why you shouldn’t either.)
The people of the interwebs just love to freak out when anything changes. And with the sudden influx of confirmation emails and privacy policy updates flooding my inbox, I definitely started to feel the collective anxiety about the impending GDPR compliance deadline. (It goes into effect on May 25th!) But then I took a deep breath, read as much as I could, and realized that small business owners can get through this without panicking.
Now when I say “don’t panic” that does not mean “ignore this!” We still have a few things to do and you should take them seriously. But you can take something seriously and take action without panicking. I believe in you.
You probably aren’t storing that much data.
One intention of the GDPR is to protect personal data from data breaches. As a small business owner, you probably aren’t storing a whole bunch of personal data yourself. For example, I use PayPal and Stripe to process credit card payments. I don’t store any credit card information at all. All payments are processed safely and securely through those companies and I never see a single credit card number. Which means that no one can hack my site and steal credit card numbers–because there aren’t any here to steal! I don’t have to do anything extra to keep that data safe because PayPal and Stripe are already keeping it safe.
Whatever tools you’re using to process payments and collect email addresses are doing everything they need to do to comply with the GDPR and keep everyone’s data safe and secure. The law is intended to hold these big companies accountable for keeping data safe.
The tools you use are making it as easy as possible to comply.
All the main email newsletter providers (like Mailchimp and Convertkit) are putting super simple templates and check-forms together to help their users comply with the GDPR. Many website platforms and themes are even creating easy privacy policy templates that you can use to update your privacy policy to be compliant. So check with the tools you use (they’re probably sending you tons of emails right now anyway) and see how they’re helping you make it easy to comply.
Panicking usually doesn’t help anything.
Change can be scary. I get that. But hopping on the internet to join the collective panic doesn’t get anything done. So just do what you need to do, then move on with your life and your business!
Simple steps I’m taking to comply with the GDPR
So again–not legal advice! These are the steps I’m taking. And if you take them, you’ll be 4 steps closer to complying with the GDPR than you were a few minutes ago. But I can’t say if this is everything you need to do to comply because I don’t know your unique business and I am not your lawyer.
Step 1: Update your privacy policy and your cookie policy. (Or write one for the first time.)
A privacy policy tells people how your site processes data and what you do with any data you collect. So if you collect email addresses, what will you do with those? How will you use them? Do you share them with anyone? How do you keep info safe? Stuff like that. You can have a lawyer write one for you or you can find a template online. You know I love recommending favorite resources, so as soon as I find a template that I love and can recommend, I’ll update this. But for now you’re gonna have to google “GDPR compliant privacy policy template” and use your best judgment!
Step 2: Install a cookie notification popup.
If you have Google Analytics installed to analyze website traffic or if you use your Facebook pixel for Facebook ads, then your site is using cookies to collect data! (Even without these installed, many platforms use cookies. So if you have a SquareSpace site, you’re using cookies. Many WordPress plugins use cookies. Your website probably uses cookies whether you know it or not.) So you just need to be transparent and let people know that by having a cookie policy and a little popup. It’s no big deal. I’m sure at first it’s going to feel like “Ugh, no one’s going to stay on my site if they think I’m using cookies to spy on them, I don’t even know what cookies do! I actually need to eat a cookie with all this cookie talk.” But as every site gets compliant and notifies people of cookies and data collection, everyone will get used to it and the internet will go back to debating whether Laurel and Yanny showed up wearing the same white and gold dress. (Laurel swears her dress was actually blue and black.)
SquareSpace has an easy one to enable, and Wix has a widget. For WordPress, you’ll have to choose a plugin. I’m using Cookie Notice by dFactory. If I find one I like even better, I’ll update this, but this one works for now!
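If you want to see what a cookie popup is actually doing under the hood, here is an added example (my own illustration, not code from Cookie Notice, SquareSpace, or any plugin): it remembers the visitor’s choice in a cookie and only injects the Google Analytics and Facebook pixel scripts after the visitor clicks “Accept”. The cookie name, the 180-day lifetime, and the `GA_MEASUREMENT_ID_PLACEHOLDER` value are assumptions you would replace with your own.

```javascript
// Added example: a minimal consent gate for analytics scripts (not from any plugin).
const CONSENT_COOKIE = "cookie_consent";           // assumed cookie name
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;        // assumed lifetime: 180 days, in seconds

// Read the stored choice out of a document.cookie string: "accepted", "rejected" or null.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) {
      const value = decodeURIComponent(rest.join("="));
      return value === "accepted" || value === "rejected" ? value : null;
    }
  }
  return null; // no choice recorded yet, so the popup must be shown
}

// Build the cookie that records the choice. Secure and SameSite=Lax keep the consent
// flag itself from travelling over plain HTTP or being set from another site.
function consentCookieString(choice) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(choice)}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// The tracking scripts the post mentions; the GA measurement id is a labelled placeholder.
const TRACKER_SCRIPTS = [
  "https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID_PLACEHOLDER",
  "https://connect.facebook.net/en_US/fbevents.js",
];

// Nothing is loaded unless the visitor explicitly accepted.
function scriptsToLoad(consent) {
  return consent === "accepted" ? TRACKER_SCRIPTS : [];
}

// Browser-only wiring: show the popup until a choice exists, then act on that choice.
function initConsentBanner(doc) {
  const apply = (choice) => scriptsToLoad(choice).forEach((src) => {
    const s = doc.createElement("script"); s.src = src; s.async = true; doc.head.appendChild(s);
  });
  const current = readConsent(doc.cookie);
  if (current !== null) { apply(current); return; }
  const banner = doc.createElement("div");
  banner.textContent = "This site uses cookies for analytics. ";
  for (const choice of ["accepted", "rejected"]) {
    const btn = doc.createElement("button");
    btn.textContent = choice === "accepted" ? "Accept" : "Reject";
    btn.onclick = () => { doc.cookie = consentCookieString(choice); banner.remove(); apply(choice); };
    banner.appendChild(btn);
  }
  doc.body.appendChild(banner);
}
if (typeof document !== "undefined") initConsentBanner(document);
```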
Step 3: Update your opt in forms.
Part of the GDPR requires that you get super clear consent from members of the EU that you can email them. So that means if you use a lead magnet to get email sign ups (for example, you have a free download you give away in exchange for an email signup) then you need to be clear about what kind of emails you’re going to send people after they opt in. You could add a line under your opt in form that says “Entering your email means you’re also signing up for my awesome weekly newsletter list and to hear about any promotions I run.” Some newsletter providers are even creating EU-specific checkbox forms to make EXTRA sure people are giving consent to receiving emails.
Now there’s some debate as to whether you can require consent as a condition to get the freebie (which is kind of the whole point of the lead magnet, right?). Some folks are saying you can’t, and you need to have a way to deliver the freebie even if people don’t want to sign up for your list. Others are saying it’s fine to require the email as long as it’s obvious that they’re going to be added to your mailing list and there’s a clear unsubscribe button in every email. Since I’m still not a lawyer, I’m not going to take a side on this one! What ConvertKit* has enabled is a setting that prompts people to check a couple of boxes to give consent to receiving marketing emails after they’ve entered their email to get the freebie. And it’s possible to select that it only be shown to people in the EU (based on their IP address) if you don’t want to show it to everyone!
Step 4: Decide if you need to re-confirm consent with your current email subscribers.
You’ve probably been getting a ton of “Do you want to continue receiving emails from me?” emails lately! If you can’t really prove that people gave consent to get marketing emails from you, then you might want to do this too. If people already gave clear consent to get your emails (like your newsletter signup says “Sign up for promotions” and you have double opt-in enabled for people to confirm they want to sign up), you’re probably fine and don’t need to send another email asking people to re-confirm. (But remember, I’m not a lawyer! If it feels safer to just send the email, send it!)
If you’re thinking “I don’t want to lose all my email subscribers just because they didn’t re-confirm!!!” think of it this way: If they’re not opening your emails and clicking the link… are they opening your other emails and clicking your other links? Are they really the people you want on your list? If they never read your emails anyway, they’re just taking up space and driving your conversion rates down. Now’s a great time to do a little spring cleaning! Since of course not everyone opens every email, it wouldn’t hurt to send it out a second time to the people who didn’t open the first one, though, to give them another chance.
To comply with the GDPR you only need this consent from people in the European Union. If your email provider doesn’t have a way to segment people by country or region, you’ll just have to send the email to everyone. ConvertKit* makes it really easy to just send it to your EU subscribers.
First, create a new broadcast. Then when you select who to send it to, you can choose “within a country or region” and choose “European Union.” It was fun for me to see that over 10% of my subscribers are in the EU!
Next, write a nice little email explaining that you’re doing everything you need to do to comply with the GDPR and you’d like to double check that your subscribers want to keep hearing from you. ConvertKit* has a fancy unique link for each person… all you have to do is enter {{ gdpr_consent_url }} and they’ll do the heavy lifting. This is what it looks like when a subscriber clicks that link:
When your subscribers check those boxes, they get tagged with a GDPR tag so that if the GDPR police ever knock on your door, you can say “See. They gave me consent!”
Other things you should already be doing:
You need to make it easy and obvious for people to unsubscribe from your list. You already needed to be doing this! The CAN-SPAM Act was passed 15 years ago and every email newsletter provider has an unsubscribe feature built into the footer of your emails.
You need to use a real email newsletter provider. Do not send out bulk emails using the bcc function in Gmail! This doesn’t give people a way to unsubscribe, it doesn’t adhere to the CAN-SPAM Act (anyone else think of canned Spam when you hear that?) and it won’t comply with GDPR. Plus… you don’t get all the great features of a real newsletter provider, like tracking opens and link clicks. So if you’ve been doing that, stop right now. Mailchimp is free and has a lot of features. ConvertKit* is not free, but it does some really great things and I highly recommend it. You can sign up for a free 30-day trial right here.* And I teach courses on how to use both, so it doesn’t have to be hard!
Don’t add people to your email list without their permission. People need to choose to opt in to your list. Emailing you with a question, filling out a contact form on your website, or meeting you at a networking event is not the same as opting in to your list. Just because it seems like they’re interested in what you have to offer, doesn’t mean they’ve given you permission to send them emails.
Now what about customers? Can you automatically add customers to your email newsletter list? It’s a bit of a gray area! Because I sell courses, I have to have my students on my email list to send them their access instructions and any course updates. So I’ll be asking whether they want to also receive other emails (like promotions, tips, and tutorials) or if they just want course update emails. Then I can use the tagging feature in ConvertKit to separate out the people who don’t want to receive other emails but need to stay on the list for course updates. Many ecommerce platforms like Shopify and BigCommerce have a checkbox at checkout that gives people the chance to opt in to your newsletter list if they want to (and stay off it if they don’t), so just turn on that checkbox! (Note that if you have customers in the EU, that box can’t be automatically checked. The customer needs to do the checking!) There is an argument you can make that if someone bought something from you, they logically want to receive updates about similar products or services, so that’s why you’re adding them to the list. I’ll let you be the judge of whether that applies to you. Usually asking yourself, “Would I want to receive this email?” is a good place to start.
Disclose when links are affiliate links. If you use affiliate programs to promote other people’s services and products, you need a little disclosure statement that tells people you’re compensated when they purchase through your link. You already needed this, but some people don’t do it. So now’s a good time to go ahead and do that! Like this:
*I am an affiliate for ConvertKit, the email newsletter program that I use and love. Which means if you sign up via my link, it costs you nothing extra, but they give me a small kickback as a thank you for spreading the word. It basically buys me a cup of coffee so I can keep writing helpful blog posts like this one!
Need more step-by-step help?
I hope these steps show you that this is not as overwhelming as it seems at first. There’s really nothing to be scared of, just a few things to be aware of and a few actions to take! If you need a safe place to work through any confusing parts, bounce ideas off people, and get step-by-step help setting up your email newsletter opt in forms or sending out those re-confirmation emails, please join me in the Biz BFF Hive! We’re here to help and support you!