You’ve probably noticed a ton of annoying banners on the websites you visit lately. Most, stating something to the effect of “Like Most Websites On The Internet, This Website Utilizes Cookies To Enhance Your Experience.” A message typically followed by an acceptance button of some sort.

It’s also likely that you are getting a lot of email regarding privacy updates from the websites you visit. (Aren’t those a treat?)

If you’re like most people, you are sick to death of all of this already. If so, I have very bad news for you. It’s about to get worse. Much worse. On top of that, the European Union’s GDPR wants you to deface your own website(s) with the same kind of annoyances. Sadly, I am not joking. Not even a little bit.

Please read on.

What On Earth is GDPR, and What are Cookies?

You might have noticed conversations online about the new regulations issued by the European Union’s ICO called GDPR. The GDPR is a massive set of laws governed by the E.U.’s Information Commissioner’s Office, overseas. It’s also known as the “Cookie Law”, though these regulations reach much deeper than website cookies.

Elizabeth Denham heads up the ICO and is behind a lot of what you’re seeing today. She was appointed UK Information Commissioner in July 2016. Commissionar Denham has stated that she is frustrated by the amount of “Scaremongering” going on about GDPR, its affect on businesses, and people. She claims this is an “Evolution”, not a “Revolution”.



A Bit About “Cookies”

What The GDPR Is Intended To Do

The stated goal is to protect the personal data of E.U. citizen’s in an increasingly digital world. If you’re outside of the E.U., there are only responsibilities. You are afforded no rights due to the implementation of the GDPR. If anything, you’re losing rights.

What Can The E.U. Do About Those Who Do Not Comply?

Businesses who do not comply face hefty fines. Those fines can reach 20 million Euros ($23,535,500), or 4% of annual global revenue. Which ever is greater. Thankfully, while such fines are possible, that has not been the way they’ve been handed out to date. The ICO has stated that fines are used as a last resort after a website or organization refuses to comply after multiple warnings.

Does The GDPR Apply To The United States?

In many cases, yes. Though there are almost certainly going to be numerous legal issues that will have to be sorted out by the court system as this goes into effect, at this point it does appear to apply to the U.S. and its businesses. There is already some precedent to back this up.

That said, the main stated goal is to regulate and hold accountable businesses that knowingly, and actively, conduct business in the EU. It’s up to them to decide whether that applies to your website/business/organization, or not.

What If My “Website” Is On Blogger, Shopify, Wix, Weebly, or Another Provider Site?

You will still fall under EU GDPR regulations and will still have obligations to comply. In some cases, you may have even more obligations than someone with a regular website, since many third party companies fall under the guise of ‘actively, and knowingly selling to E.U. citizens.’

You should absolutely consult with documentation on those various websites to try and come to grips with the extent of your exposure to GDPR regulations.


How-To Video for GDPR Compliance

Points To Remember While Navigating Through This

The first thing to understand about GDPR compliance is that it’s not a destination. It’s a journey. Even in the unlikely event you achieve complete compliance, you will probably fall back out of compliance soon afterward. It’s a bit like trying to steer your car down the highway in a straight line. You are going to have to make course adjustments to stay on track.

The second thing to understand about GDPR compliance is that there are over 65 million websites currently online with various levels of sophistication and data harvesting abilities. The odds of you becoming a target of the ICO is akin to hitting it big in the lottery.

The third thing to understand about GDPR compliance is that the ICO has a far greater interest in enforcing compliance within the EU, and with massive companies like Google, Facebook, Twitter, Microsoft, etc.. It would be next to impossible to go after every website that doesn’t fully comply with GDPR. Especially when the odds of being fully compliant are almost non-existent. It is important to keep any concerns you have about these regulations in perspective.

The fourth thing to understand about GDPR compliance is that it’s fluid. It is going to change over time. What we are dealing with today is apt to be very different 10 years from now. This is particularly true as other countries like the United States create their own regulations. With recent revelations about what many large companies have done, US regulatory changes are pretty much a given.

The fifth thing to understand about GDPR compliance is that any benefit you get from these regulations are going to be coincidental. You are not protected by anything the EU has done here. Only EU citizens are. Nice, huh?


Steps To Take Towards GDPR Compliance

IMPORTANT DISCLAIMER: I am not an attorney, nor do I ever want to be one. I am a web designer. What you see below are only suggestions. The GDPR regulations are part of a massive legal document that goes on for approximately one hundred pages, containing thousands of words, each with potential legal implications that I am not well suited to advise you on from a legal perspective.

That said, I have spent many, many hours over the last couple of months reading up on GDPR and trying to understand it all, along with its implications. The problem with much of what I’ve read is that it tends to conflict, and always come with the same disclaimer you see above. “I am not a lawyer”. Then, they go on to act as though they have all of the answers. Frankly, I don’t believe even the ICO has all of the answers. There are many problems with the GDPR, and some of what they are demanding isn’t even available yet from a technology standpoint. This has left millions of businesses in the lurch. Anyone who tells you that all of this is simple is either flat out lying, or simply doesn’t know what they are talking about.

This is a cash cow to many, so understand that and be very skeptical of what you read and hear.

GET STARTED NOW – The Law Takes Effect May 25th.

  1. Read and try to better understand what these regulations are and how they might apply to you.
  2. Prepare.
  3. Consider hiring a specialized service by a reputable company the handles GDPR concerns to bring your website into compliance. This is probably your best choice, but again… I am not an attorney.
  4. If in doubt, contact an attorney qualified to deal with this. One who is familiar with the GDPR.
  5. Create a privacy policy for your website*.
  6. Install a cookie warning banner on your website*.
  7. Make certain you have proper consent to send people marketing emails.
  8. Make certain you are using good security practices on your website, as well as with locally stored data with any connection to EU citizens.
  9. You may want to consider lessening liability by blocking all EU countries from accessing your website.
  10. Keep in mind that these regulations address only dealings with EU citizens. This is not international law, though it does have an international reach to it in some ways.

* Covered by step #3


There are plenty of other resources available online, but please keep in mind that they will not always agree with each other. Also keep in mind that much of what you’re going to see is purely opinion and not the ‘legal’ kind.

Answering Questions You May Have

Can the EU really fine someone who is in America?
Apparently so. If you find that hard to swallow, join the club. So do I. Remember… the odds of them doing so (fining you), are quite small. This is especially true if you live outside of the EU and don’t market directly to them.



Are there any benefits or concerns about using WordPress with these new regulations coming into place?
WordPress just issued an update to address some of the GDPR concerns. The latest release includes a way for user data to be exported and handed over upon request. This is part of the GDPR. Of course exporting and handing over data also has potential ramifications, but I won’t address those here. There are other changes as well. I will likely be posting about these in an upcoming article. Again, this is all changing quickly as companies adjust to the new rules. Like 95% or more of the internet, WordPress does utilize cookies. That is one potential concern that can theoretically be alleviated with an annoying cookie banner and a privacy policy.



Can MidState Design make my website GDPR compliant?
Unfortunately, no. I can assist to some extent, but there are things such as creating a custom, website specific privacy policy that are just not doable for a number of reasons. If you don’t want to deal with this yourself I would recommend hiring a company that is offering GDPR services. Once such company is WPFixIt. While I cannot vouch for their level of GDPR expertise, I can attest to them being pretty highly regarded among the WordPress community. At least that’s been my experience.



Can you install something to block all EU citizens from my website?

Yes, I can do this. I cannot, however,  state with certainty that this will be a good solution, nor one that will be 100% effective. This approach is essentially applying a bandage to a gaping wound. In the end the best thing you can do is work towards compliance, as the US is probably going to implement something similar to GDPR in the future anyway. That said, completely blocking the EU may provide you with more time to get everything into place.

It will also send a message.


Can you install a cookie consent banner on my website?
Yes, I can do this for you, but it is only one part of this set of regulations. Simply having a cookie banner will help but it will not cover you completely. This law is too complex to simply install something and forget about it. At least right now it is.



Should I consider getting a lawyer?
That is most likely extreme overkill, but only you can make that decision for yourself.



Should I Just Take My Website(s), Amazon Pages, Blogger Accounts, Facebook Business Pages, ETC. Offline Completely?
Absolutely not. Not only would that be a huge overreaction, it would cause you to lose a lot of work and potential revenue after you’ve already invested time and money into those projects. You wouldn’t take your new car to the junkyard because some traffic laws were passed, would you? That’s basically what you’d be doing if you let this GDPR stuff make you pull your sites offline. You *would* cause a lot of people to chuckle, however. Don’t be that person. 😉



Should I be scared? Because I am!

Yes. Though I totally understand why you would feel like this, take a deep breath and try not to worry too much. While all of this sounds pretty scary and far reaching it’s important to look at it all realistically.  There is no way 65 million websites are going to get fined, or go offline. The ICO Commissioner has already stated that is not the intent of GDPR.

Though I am of the opinion that the EU has already way overreached here, I do believe they will adjust accordingly. I would expect that to happen in fairly short order. Then again, I didn’t think they’d have the gall to move forward with this in the first place. That said, take my instincts with a grain of salt.

More than anything the ICO is attempting to stop huge companies from gathering so much information on people without their consent. The recent Facebook/Cambridge Analytica scandal is a great example of what they are hoping to prevent in the future. If you do little to no data harvesting, you aren’t the target. That’s not to say you’re immune from this law, but you are only small fry to them.



Will you be posting more about this as time goes on?
Yes, I hope to. To the extent I have time and feel comfortable with my level of knowledge on the subject.



Why did you wait so long to post about this?

Because this is a very fluid situation that has been changing rapidly. I’ve been working on variations of this post for a couple of months now. Also, I wanted to get a firm grasp on what all of it means, as well as watch and see if the EU backed off.

They haven’t.

I also wanted to see if there was some way I could take the steps to bring all clients into compliance. Sadly, that is just not feasible as there is far too much involved.

Many companies are still releasing updates to address these regulations as I type this. WordPress, for instance, just put out a GDPR related update a few days ago, as did Woocommerce. Various other companies are still updating their privacy policies as well.

Very few organizations of any kind are going to be ‘compliant’ by May 25th. That includes those in the EU. Not even their own governments and  agencies. (I’m not kidding). In fact, the very people who are supposed to enforce this said they weren’t ready as recently as May 8, 2018. Perhaps even worse is knowing that most member states haven’t even produced their own implementation acts.