Last week we had a webinar with SiteGround’s Senior Legal Advisor - Maya Stoyanova talking about GDPR, what it is and what you need to do about it. We share the video from the webinar here so you can watch it and find out if and how this new European regulation concerns you.
*Please excuse us for the poor quality of the image.
As promised, we are posting the replies to the questions we couldn't answer during the webinar here.
Important: Please note that GDPR is still a very new topic, open to interpretation and with a lot of vague areas, so all answers to your questions should be considered only as an opinion and not as legal advice on the matter.
Ugo: Email data on SiteGround servers, GDPR compliance? SiteGround or customer responsibility?
The protection of all personal data, including email addresses stored on SiteGround servers, is a shared responsibility between the client owning that data and SiteGround. SiteGround is responsible for the integrity of the server hosting the data, but the client has to take care of passwords and other access to that data. The client is also responsible for storing the data and deleting old emails when needed. The Data Processing Agreement that we will provide shortly aims to explain that responsibility.
Damiano (Posit S.C): Does anybody know about a Magento plugin for GDPR?
We haven’t yet managed to test all GDPR plugins for the different CMSs we host, so unfortunately we cannot make a recommendation for a specific plugin, but you may certainly check the Magento marketplace for one.
Giovanna: Can I keep my Google Analytics cookies activated by default?
My understanding from reading so far is that a user must be given the option to opt-in, not out, and that there must be clarity as to how the personally identifiable data will be used (and consequently not misused), but does that mean that user information (e.g. how they’ve operated on the site - usually this has no personally identifiable data) is actually now an issue, and how do we deal with existing mailing lists?
Yes, users have to opt-in, not opt-out, especially for marketing-related activities. If you use your mailing list to send users promotional emails, newsletters or other content that is not directly related to the provisioning of the service you deliver, then you need to have their explicit consent to receive such emails. If you gathered your list without asking for such an explicit consent, it is recommended that you run a re-consent campaign (send an email to ask them and give them the option to say Yes or No) and get agreement from your users to use their emails for such purposes.
Amanda Thomson: Do we have to inform existing customers of how we hold their data (B2B)? Or is GDPR really designed to prevent SPAM emails to prospective customers?
Oscar: If I have a blog that only redirects traffic to other companies through affiliate links, how does GDPR affect me?
If you do not collect any personal data (and we have to make a lot of assumptions to be sure of that - no IP log, no comments section on the blog that collects email and name, no stats, etc.), our recommendation is to evaluate your site carefully for comment forms, contact forms and newsletter subscriptions to confirm this is true. You also need to verify that you do not serve targeted ads without user consent to such cookies.
Jaimie: Cookie notifications topic, mixing implied and explicit consent in the cookie notification statement for new visitors. Is it ok to mix implied and explicit consent such as "by using this site" for performance/security cookies and an "accept" button for anything else?
There are examples and opinions that refer to explicit categories and a zero-cookies approach until consent is received. Official authorities have issued an opinion that tracking and labeling users as being interested in given information requires consent, and that first-party cookies should be clearly distinguished from third-party ones.
Peter: SG is the BEST!!! - if I live in the U.S., does GDPR apply to me?
Thanks! 🙂 If you have traffic from the EU and you store any personal data about these EU visitors, then the answer is yes.
Jackie O Brien: As a company who only deals with business to business contacts where do we stand with GDPR?
Unfortunately, it’s more likely for you to be liable than not, even though you work with businesses and not individuals. For example, you may be collecting IPs, or stats cookies and pixels, or you may be collecting names and emails in your forms - all these cases require you to be GDPR-compliant. Even if these emails are business emails, they still trace back to an individual, so they have to be protected.
Benji: Since WordPress isn’t GDPR compliant yet, would I then explain this in a contract with a client and if they sign it, would this then cover myself?
No, you will not be covered. You need to make sure that the way you use WordPress and all installed plugins and templates for the needs of that client is GDPR-compliant. WordPress is a piece of software that you put on your website and server, but what personal data you collect through that WordPress installation and what data you share with third parties via the plugins you install is the main thing you should evaluate when deciding whether you need to be GDPR-compliant.
Sara: Can I continue to use Google Drive to store data?
Evelia Amos: Please clarify if a business needs explicit consent when we post on social media platforms sounds or images.
Not sure what kind of images and sounds you refer to. Normally, images may fall under GDPR and you may need explicit consent. However, sharing images and sounds/music can be governed by intellectual property and similar rules, and under them you may not need consent but an authorization of the right for usage, distribution, and modification. If under GDPR, people have the right to withdraw that consent later and you have to comply and remove the image if they do so.
Kira: I am a small sole business, don't store customers details, use PayPal, MailChimp, and Gumroad to process orders/payments, and newsletter subscriptions. I have a directory of healers, just photos with mailboxes, they do not work for me. What do I need to be GDPR compliant if anything? I'm so keen not to have visitors to my websites monitored, that I don't use Google analytics.
Marco: I read that the data server must be in the same country of my business activity or in the EU. Which one is true? Where are SiteGround servers located?
Having the servers in the same country where your business comes from is not part of the GDPR regulations. However, storing and processing data outside the EEA falls under additional measures (transfers abroad). I would recommend checking with your local authorities for more information on that matter. As to our data centers, we have servers in Chicago, Singapore, Amsterdam, and London, and you may choose where your data is hosted.
Akin Ladapo: But IP addresses can be temporary and from various servers if traffic is rerouted. So the IP address identifies a user?
In some European countries, IP addresses are treated as personal data on their own.
Missy: Collecting visitor information through a website contact form that does not save data to the database but only sends an email to the administrator, does the website owner need to obtain consent?
Yes, users have to provide you with an agreement to collect their personal data and need to be aware of how you will use that data. Even though you do not store it, you still collect it somewhere (in an inbox, a file or elsewhere) and could use it.
Guilherme: You said that we should use IP address to know that the user is from Europe, but what about tourists? For example, a Brazilian visiting or living in Europe - does he/she fit in the GPDR? And what about a European who lives in Brazil?
In general, the best way to be sure where a client is from is when they provide you with a country and address for billing or other purposes (on your registration or order form). If you have that information, regardless of what the IP says, you treat the user as an EU individual if their country is in the EU. But if you do not have that information, then you work with the IP - if their IP is from the EU, you treat them as EU individuals. You do not need to know if they are Brazilians just passing through the EU as tourists or vice versa. You work with the data you can record about them.
If you’re storing and/or processing personal data, you need to be GDPR compliant. Cookies fall under ePrivacy regulation. My advice would be to check for any forms on your site first and see how you manage the information transmitted through it.
Jaidev Kesavan: If the payment system on a website is handled by a 3rd party service provider such as Paypal or Razorpay (Indian service provider), is it the job of the payment service provider to protect data privacy or the website owner's, considering that the payment gateway service collects customer information and not the website owner?
Even though you don’t store the data on your site, you are the owner of it - clients authorize you to collect it, and by the letter of the law you are the “controller” of that data. It is your responsibility to inform the client that their data will be collected, for what purposes and by which partners of yours. You also have to make sure your processors are GDPR-compliant.
Bart: Is "anything that can identify an individual" an accurate definition because this would also include info like: preferences, web browser, language, and most troublesome mobile?
Yes, “anything” is accurate, but keep in mind that some of that data serves as an identifier only if used together with other data. Just the language or browser used does not identify a person, but if you also have something else about the user, then you may be able to profile them and thus you may need to be GDPR-compliant.
PeachPerfectWeddings: Hi guys, apart from GDPR, is there a good overview list of such things (legal requirements etc.) that a small business, which is based in EU but serves clients from all over the world, has to ensure? As in not directly selling online but just website with our services.
Unfortunately, no. But in this webinar, we have covered the basics and this is a good start for any business.
Sandra Eversberg: I use Joomla, have installed Google Analytics and a Facebook Pixel and wonder if there is any plugin for Joomla which allows the user to opt-in/opt-out from those services with a click of a button. Do you know any of those?
Unfortunately, we cannot recommend a plugin for that purpose. The good news is that the EU wants to make it possible for users to be able to opt-out by changing their browser settings. It will take time before that gets applied though.
Melissa: I am under the impression that if our website is only US based & we don't do any business in the UK that this will not be an issue. Is that the case? I have a local (one state) directory.
If you do not get ANY traffic from the EU (any EU IPs) or users signing up with a country in the EU, then you have nothing to worry about. Yet, please make sure you are really not collecting any personal data from EU citizens before you take a final decision on how to proceed.
Anna Potter: Hello, I have an online booking system within my website, what do I need to do regarding information clients input into this diary to make an appointment? Thank you.
Trisha Torrey: I am located in the US, run a membership site, and 99.9% of my membership is located in the US and Canada. Do I need to set up for GDPR compliance? Maybe I should just restrict membership to the US and Canada only?
If you could sacrifice the 0.1% of the traffic, then the easiest solution is to restrict membership. Otherwise, you have to become GDPR-compliant.
Ellen Rothwax: what are the consequences if you do not comply? How will this be enforced?
The fines are really heavy. There are authorities in every country that will monitor and enforce sanctions. These authorities will make checks on companies for compliance or will take action when they are alerted by a complaint.
Kunal Khanna: What is the scope of this compliance? Does it apply to only personal email IDs (Like Gmail/Hotmail etc.) OR it also includes official email IDs?
The compliance aims to protect individuals and their personal data. However, an individual’s business email may also be considered as personal data as it allows you to identify who that person is and also send them promotional emails for example.
Spafford: Can you review the implications and complications of Facebook or Google Pixels on the website. For example, is it legal?
There is no law that forbids you to use Facebook and Google Pixels, but if you use them, the GDPR requires you to disclose that to your users so that they are informed that their data is collected and used, and to ask for their consent.
Luigi: What about the Documentation requirement of GDPR? Is that necessary for running a website?
Check with local authorities if you need any additional paperwork, but the most crucial documentation required is all the contracts between you and your clients, and between you and your partners, that cover the use of your clients' personal data. These are items you prepare if you collect and store personal data; you place them on your website or keep them on file in case you get investigated.
Lisa: Is the cookie law separate and still needed in addition to the GDPR?
Yes, it is still there and now you have to not only ask for consent but also give the user the option to opt-out from getting cookies and still be able to browse your site.
Manuel: What about when you just receive your customer's name, email, and phone through the contact form on your website. Does the customer have to be informed of the use of that info right before they send the message? Or is it enough with the terms accepted by the user when entering the website for the first time?
It depends on how you got their agreement in the first place, but in general we recommend getting explicit consent on the form, before the send button.
Joanna: Is this legislation retroactive? If so, how can a website owner in the US figure out who on their list is in the EU?
Ulrika: What does the GDPR state about crowdfunding, newsletters and donating/sponsoring clients?
It doesn’t matter why people are giving you their data, it only matters that you collect such data. Clients donating money to you through a crowdfunding campaign are still vulnerable and are protected by the GDPR. As to the newsletters that you will be sending them, you need to ask for their explicit and separate consent.
Njoki: We have donors from both Europe and America, will the GDPR affect all inclusive and how do I ensure that all in the database are covered? We have a database of over 20,000 people.
All EU donors need to be aware of what data you collect about them, how you use it, and whether you use it to market services to them. You need to ask for explicit consent. Additionally, you need to make sure that access to this database is secure, that as few people as possible have access to it, and that those people are aware of their liability if that data is abused.