How to Build your Privacy Policy Page and Comply with GDPR for US Websites

How to Build your Privacy Policy Page and Comply with GDPR for US Websites

What needs to happen on your US website to comply with GDPR?

It looks like a lot of moving pieces, but if you take them one at a time it won’t be so overwhelming. Remember GDPR wants to see that you’re moving into compliance.

Also, I am not a Lawyer nor do I play one on TV. I’m not offering legal advice about GDPR.

Make a list

The very first thing to do is make a list of every way you collect personal data. Here’s the short list that almost every site uses. Your site may or may not use these and more.

By IP address

  • Email service providers like MailChimp
  • Google Analytics
  • Jetpack Stats
  • Facebook Pixels
  • Hosting provider

By email address

  • Comment forms
  • Gravatar – to add images to the comment area
  • Email service provider like MailChimp
  • Facebook Ads
  • Webinar registrations –  like Zoom and GoToWebinar
  • Payment gateways – like Stripe and Paypal
  • eCommerce stores – if you have WooCommerce

Client data

  • Google Drive & Dropbox
  • Your CRM – like Salesforce, Insightly, Capsule etc.
  • Financial software – like Quickbooks, Freshbooks or your eCommerce store
  • Your email software – this could be your hosting company or Gmail or Outlook

Once you have this list, look it over and make sure there is a reason to collect the data and that you use the data collected. If you’re not using it, don’t collect it.

Start making changes

Change Your Forms

Change your email subscription forms. All subscription forms that promote a free opt-in offer must clearly state at the beginning of the form, subscribe and get the free opt-in offer.

Change your contact forms and add a checkbox to let people give consent to data being collected and stored. Make the checkbox required.

Add a Cookie Notice

Add a notice that says your site uses cookies must be added to all WordPress websites. By default WordPress uses cookies. – This is California law that all sites that can be viewed in California need to have a Cookie notice.

Add a Privacy Policy Page

Must add a privacy policy page and link to it, at the very least, in the footer. WordPress 4.9.6 can add a default privacy policy page if you create the page in Settings >> Privacy. But this privacy page is incomplete and must be updated with additional info like:

Analytics

Add the analytic services you use ie. Google Analytics, WordPress (Jetpack)
This is a very helpful privacy policy helper for Jetpack users. https://jetpack.com/support/for-your-privacy-policy/  It tells you what kind of data is collected and how it’s used.

If you use GA here’s the wording you need to use. Analytics collected on this site are collected by Google Analytics. Google Analytics tracks where you came from by your IP address location which is anonymized. Google Analytics privacy policy: https://www.google.com/analytics/terms/us.html

If you use WordPress Stats here the wording you can use. Analytics collected on this site are collected by Jetpack Stats by Automatic. Jetpack Stats tracks where you came from by your IP address location which is anonymized. Automatic privacy policy: https://automattic.com/privacy/

Shared data

Add to the “Who you share your data with” area your 3rd party data processors like your email service provider, meeting scheduling service, payment processor or any other party you send data to must be added here. This is where the list you created comes in handy. A link to their privacy policy must be included.

Data protection

Add to the “How we protect your data” section how you protect data. If you’re one of our hosting clients you can add: Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology. We take appropriate and reasonable technical and organizational measures to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information.

Data retention

Each website is unique. If you’re one of our hosting clients you can add to the “How long we retain your data” section: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Data rights

What rights you have over your data
Here’s the default wording: If you have an account on this site or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Sending data

Where we send your data
You’ll need to list your 3 party providers here also.
Visitor comments may be checked through an automated spam detection service. When you sign up to be on our email list, for marketing purposes, your data is stored in MailChimp. MailChimp does not use the data. When you schedule a meeting your contact data is stored in Book Like a Boss. Book Like a Boss does not store your financial data. When you purchase from us through Book Like a Boss your payment is processed by Stripe. No financial information is stored on this site.

Data breach procedures

What data breach procedures we have in place
This is the default … and I’m actively looking for stronger wording.
If there would be a breach of data, we would correct the breach and personally email the recipients within 48 hours of identifying the beach.

Additional legal information

Legal information
This privacy policy relates solely to AmyHall.biz if not stated otherwise within this document.

Check out my privacy policy and your providers websites for additional wording and tips.
https://amyhall.biz/privacy-policy/

1 Comment

  1. Jerri Nachman on May 31, 2018 at 9:03 pm

    Thank you, Amy. Wonderful article and thank you for sharing it. Hello to you and your hubby.Hope all is well 🙂 Jerri

Leave a Comment