Are you confused about GDPR (General Data Protection Regulation)? If so, you are not alone. When I first wrote about GDPR in my newsletter, it seemed like a tiny issue that probably shouldn’t matter to most businesses outside of Europe, but it appears that this is not true.
I have read countless articles on GDPR and its impact on SEO and although all of these are really well written, I’m still really confused. Here are some good articles that I would suggest reading:
What is GDPR and how does it affect me - By Jenny Halasz on Search Engine Journal
Don’t let Google trash your analytics data - By Jeremy Rivera from Raven Tools
How to prepare your Google Analytics account for GDPR - On the Jeffalytics site
Does GDPR affect SEO? - By Jake Bohall from Hive Digital
If you run a digital marketing company then you are likely getting emails from clients, asking what they should do about this email:
And if you are like most agencies, you likely do not know exactly how to respond to this.
My advice to my clients, as an SEO, on GDPR
First, I want to thoroughly disclaim that I’m not a lawyer, I’m not an expert on GDPR, and there is a good chance that some of this information is not perfectly accurate. How is that for a statement to inspire trust in this article? However, I have put together some thoughts after many hours of reading and discussing this issue. My main point in writing this is to be able to point my clients to something that can point them in the right direction.
The following are questions that have arisen about GDPR and SEO along with my thoughts:
If I am outside of the European Union, do I have to care about GDPR at all?
The answer to this is “probably yes”. There are two reasons why you have to care about this issue:
1) If your website receives visits from Europe, then you fall under this regulation. You may wonder how a regulatory body in another country can affect you, but it sounds like you truly can be fined for not complying. It does sound like it will be difficult for this to be enforced outside of the EU, but it is best to comply just to be sure.
2) It is possible that you will lose Google Analytics data if you don’t make changes right now to your GA settings. I’ll write more on this below.
What do I do about GDPR if my business is based in the EU, or very obviously has customers there?
If this applies to you, then I would highly suggest consulting with your lawyer. My main point in writing this article is to answer the questions that are being asked by companies outside of the EU who don’t know what to do.
What constitutes “doing business with the EU”?
If you’re a local small business that doesn’t interact at all with the EU, I think that you are probably fine to mostly ignore this regulation. I still would recommend making some changes to your privacy policy, as I’ve written about below, and also making the changes to your Google Analytics settings recommended in this article.
But what about a business like mine? I have customers all around the world. I have a newsletter that has European subscribers. Even though I’m based in Canada, I really should make the changes recommended at the end of this article.
Could I just block people from Europe from visiting my site?
That certainly is an option, but it seems extreme to me.
https://twitter.com/sugarrae/status/993627048299155456
Perhaps I will change my stance on this as more information becomes available, but for now I would not recommend blocking EU visitors to your site.
GDPR and Google Analytics
This is where things get even more confusing. I’d like to thank Jeremy Rivera and Joe Hall for this great Twitter discussion in which they gave their thoughts on my GDPR questions:
The main point that I took away from our discussion is the following:
Even if you have no business at all in the EU, you are at risk for losing Google Analytics data if you don’t take action now.
To get ready for GDPR, Google Analytics added the ability to choose how long we keep personalized data. If you do not make changes now, you are at risk for losing some data.
What data will be lost?
Google says the following:
Here is how I interpret this:
If you just want to be able to look at traffic trends, that data is not likely to be lost.
But, if you have any custom stuff added to GA, then there is a good chance you’ll lose that if you do not change some settings in GA. “Custom stuff” could mean a segment (such as if you’ve bucketed data into things like users under the age of 18, or users whose actions resulted in a certain amount of revenue) or any other type of custom report. I was originally unsure whether this data included goal completions. According to Jenny Halasz, the standard type of goal completion will not be affected. But, if you have goals that are connected to user info, such as age, demographics, etc., then those goals will likely be removed.
Even if you don’t have custom reports or segments currently set up, there is a possibility that you might want to do so in the future. As such, if you are not heavily involved in dealing with EU customers, I am advising that you do make changes to your GA settings.
Changes you should consider making today
First, go into Google Analytics → Admin → Account settings and click on “Review Amendment”, then accept and save the agreement.
Go back to Admin and click on “Tracking info”, then “Data retention”:
You’ll see that, by default, your account is set to delete some information after 26 months:
Change this to “do not automatically expire” and then hit save:
Note: If you are actively involved in business in the EU, then this is where you need to consult with your lawyer. I do think that you may have to keep this at 26 months. It is possible that the length of time you are allowed to keep data may differ from country to country.
What changes should you make with your privacy policy in order to comply with GDPR?
This is where things get confusing again! This is a section that really does require legal advice. There is good information, along with a template, in this article that you can use to help you rewrite your privacy policy.
Here is what I am advising my clients:
First, if at all possible, consult with your lawyer to get help with writing this policy.
Include information on the following:
Who is collecting the data?
What data is being collected?
What is the legal basis for processing the data?
Will the data be shared with any third parties?
How will the information be used?
How long will the data be stored for?
What rights does the data subject have?
How can the data subject raise a complaint?
Make sure that your privacy policy is easily found on your website. A link from your footer should suffice.
What should you do if you do email marketing?
Most of the common email providers have made changes to make it easy to comply with GDPR. If you are sending emails to customers in the EU, then you really should make sure that you comply. I use ConvertKit for my emails. They have a document that explains what they have done to become GDPR-compliant. It includes things like making it possible for users to close their account or request deletion of data. They are also soon going to add a custom signup form which you can use for EU customers so that they can specifically opt in to your emails in a GDPR-compliant way.
I am advising my clients with newsletters to check in with their email provider to see if they should make changes. I think, though, that if you’re using one of the recognizable providers, they should have things covered for you.
tl;dr
Here is a summary of my recommendations at this point:
If you are in the EU or have a customer base in the EU, you really do need to consult with your lawyer. The rest of this list does not apply to you.
If you either have no EU clients or possibly have some who visit your website or get your emails, then you really should make changes.
You should consider changing your data retention settings in Google Analytics so that you do not lose data. Even if you are not using custom segments, you never know what you may want to do in the future. I’m going to set my GA settings to “do not automatically expire.” To cover myself here, I’m going to say that you should consult with a lawyer to determine whether you should do this too.
You should have a privacy policy that is linked to from your footer and thoroughly explains how you deal with personal information.
If you have a newsletter or send emails to a subscriber list, you should make sure that your email provider is GDPR-compliant.