Blocking visitors by IP address, or showing a cookie banner only to visitors whose IP geolocates to the EU, looks like an easy way to get out of dealing with GDPR compliance.
But it won’t work, and you’re still liable.
Discover the glaring fallacy in these tactics and what to do instead to make your U.S. based site GDPR compliant.
The Glaring Oversight
The GDPR is not scoped by the country your site is hosted in, or by the country a visitor's IP address appears to come from.
GDPR protects the data privacy of EU citizens.
Whichever way you read its territorial reach (by citizenship, or by where the person is when you collect their data), nothing in it turns on an IP address, so a country-based IP trigger has no shot at working:
- an EU citizen could be anywhere in the world when they visit your site
- an EU citizen could be using a VPN or proxy to mask their IP address
- IP geolocation is approximate to begin with: mobile carriers, corporate networks and CDNs routinely hand visitors addresses that geolocate to another country
GDPR is NOT the Only Regulation
If you are a U.S. based site, and you mainly target a U.S. based audience, then you must follow the U.S. laws that are already on the books which regulate websites.
Those U.S. regulations include disclosures you are required to make on your site for:
- Privacy policy
- Cookie policy
- Affiliate commission from links clicked
- Ensuring that the data you collect is secure
Sounds a lot like the GDPR rules, doesn’t it?
But these are U.S. generated laws.
Federal Trade Commission Rules
The most important of those site regulations come from the FTC.
Among them are its privacy and data security rules, which it enforces under Section 5 of the FTC Act as "unfair or deceptive" practices: say what you do with visitor data, do what you say, and keep that data reasonably secure.
That includes your requirement to safeguard the visitor info you collect.
Plus, state breach-notification statutes require you to notify visitors of any data breach on your site if they have entrusted you with their personally identifiable info.
That includes all of the email addresses you have collected via:
- Your newsletter or other email list optin
- Emails held in your database from commenters on your blog posts
- Form field info that is held in your database (not all form plugins do this)
If you take payments on your site, or hold purchaser or member login info, that also falls under this regulation.
The FTC is also the U.S. agency that enforces the commitments U.S. companies make under the EU-U.S. Privacy Shield Framework.
Privacy Shield is the arrangement that lets personal data be transferred legally from the EU to U.S. companies that self-certify to its privacy principles, including keeping that data secure.
This is one of the reasons you should already have moved your site to HTTPS if it collects email addresses or login info.
The data travelling from the visitor's browser to your database has to be encrypted in transit; over plain HTTP it is readable by anyone on the network path.
In July 2018, Chrome 68 began labelling every page served over plain HTTP as "Not secure", regardless of whether the page collects data.
Tougher privacy standards around the world are one of the reasons why.
The FTC regulations apply to U.S. based sites targeting a U.S. based audience.
Extension of the EU Cookie Law
The GDPR did not invent cookie notification disclosure.
That came from a much earlier EU law, the ePrivacy Directive (2002, with the cookie provisions added in 2009), usually just called the EU Cookie Law.
Again, it protects the privacy of EU citizens.
The law says you must obtain consent before storing or reading anything on a visitor's device that is not strictly necessary to deliver the service they asked for; a login session cookie is exempt, analytics, advertising and social-media tracking cookies are not.
However, most U.S. based sites that primarily target a U.S. based audience have skirted the law by using simple cookie notification banners.
That method is not actually compliant with the law, though.
It’s not enough to simply inform visitors that cookies are in use.
All tracking must be halted until explicit consent is given.
And, the law states that you must provide a way for consent to be rejected, meaning that all cookie tracking must remain off for that visitor.
The GDPR extends the existing EU Cookie Law.
In addition to notifying visitors that cookies are in use, and keeping them off until consent is given, the GDPR requires that you:
- record that consent (what was agreed to, when, and under which version of your policy)
- be able to demonstrate on demand that you obtained consent, or that you did not and therefore did not track that visitor
- allow visitors to withdraw consent as easily as they gave it, and to have the data you are tracking about them deleted
That's a huge difference.
And all of this will likely fall under the EU-U.S. Privacy Shield set of regulations at some point.
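Putting the cookie-law and GDPR lists above together, here is what a consent-gated cookie setup looks like in code. This is an added example, not code from the original post: a small consent manager in plain JavaScript with the storage, the cookie jar and the tracker loader injected, so the same logic runs against localStorage and document.cookie in a page, or against the in-memory adapters used here. The cookie names, the policy version string and the storage key are assumptions; substitute the ones your own trackers and policy actually use.

```javascript
// Consent-gated cookie handling. Trackers never run until an explicit,
// still-current "granted" record exists; rejection is recorded too; and
// withdrawal clears both the record and every known tracking cookie.

const POLICY_VERSION = "2018-05";   // assumption: bump when the policy text changes
const CONSENT_KEY = "cookie_consent"; // assumption: storage key for the consent record
// Constructed list of cookies your analytics/ads scripts are known to set.
const TRACKING_COOKIES = ["_ga", "_gid", "_fbp"];

class ConsentManager {
  // storage:      { get(key), set(key, value), remove(key) }
  // cookies:      { names(), remove(name) }
  // loadTrackers: called at most once, and only after explicit consent
  constructor({ storage, cookies, loadTrackers, now = () => new Date() }) {
    this.storage = storage;
    this.cookies = cookies;
    this.loadTrackers = loadTrackers;
    this.now = now;
    this.trackersLoaded = false;
  }

  // The stored record is the evidence you produce on demand:
  // what was decided, when, and under which version of the policy.
  record() {
    const raw = this.storage.get(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // A banner that was merely displayed leaves no record, so this is false.
  // A record made under an older policy version is not consent to the new one.
  hasConsent() {
    const r = this.record();
    return Boolean(r && r.status === "granted" && r.policyVersion === POLICY_VERSION);
  }

  // Call on every page load. With no decision, or a rejection, nothing runs.
  init() {
    if (this.hasConsent() && !this.trackersLoaded) {
      this.loadTrackers();
      this.trackersLoaded = true;
    }
    return this.trackersLoaded;
  }

  grant() { this.store("granted"); return this.init(); }

  // Rejection is a recorded decision as well, so the banner stops reappearing
  // and any tracking cookie that slipped in earlier is removed.
  reject() { this.store("rejected"); this.purgeTrackingCookies(); }

  // Withdrawal is one call: drop the record and the tracking cookies.
  // Server-side data tied to the visitor needs its own deletion path.
  withdraw() {
    this.storage.remove(CONSENT_KEY);
    this.purgeTrackingCookies();
    this.trackersLoaded = false;
  }

  purgeTrackingCookies() {
    for (const name of this.cookies.names()) {
      if (TRACKING_COOKIES.includes(name)) this.cookies.remove(name);
    }
  }

  store(status) {
    this.storage.set(CONSENT_KEY, JSON.stringify({
      status,
      policyVersion: POLICY_VERSION,
      timestamp: this.now().toISOString(),
    }));
  }
}

// In-memory adapters, constructed for this example. In a page, back `storage`
// with localStorage and `cookies` with document.cookie.
function memoryStorage() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
    remove: (k) => { m.delete(k); },
  };
}
function memoryCookies(initial) {
  const jar = new Set(initial);
  return { names: () => [...jar], remove: (n) => { jar.delete(n); }, set: (n) => { jar.add(n); } };
}

// Walk the lifecycle: nothing loads before a decision, trackers load once on
// grant, withdrawal removes the record and the tracking cookies but leaves
// the strictly necessary session cookie alone.
function demo() {
  const cookies = memoryCookies(["PHPSESSID"]);
  let loads = 0;
  const cm = new ConsentManager({
    storage: memoryStorage(),
    cookies,
    loadTrackers: () => { loads++; cookies.set("_ga"); cookies.set("_gid"); },
    now: () => new Date("2018-05-25T00:00:00Z"),
  });
  const beforeDecision = cm.init();
  const afterGrant = cm.grant();
  const recordAfterGrant = cm.record();
  cm.withdraw();
  return {
    beforeDecision, afterGrant, loads, recordAfterGrant,
    cookiesAfterWithdraw: cookies.names(),
    recordAfterWithdraw: cm.record(),
  };
}
```

The point of injecting `loadTrackers` is that the analytics and ad scripts are not in the page's HTML at all; they are appended to the document only from inside that callback, which is the only way a "banner" can honestly claim tracking is off until consent. The `policyVersion` field is what lets you answer the "show me that this visitor consented to this policy" question, and it also forces a fresh decision when the policy changes.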
Interpretation of the EU Laws
So, what does all of this mean for U.S. based sites that primarily target a U.S. based audience?
It means that you can’t stick your head in the sand about GDPR.
It’s likely that many U.S. sites will continue to skirt the cookie consent rules, or to trigger their banners by IP address.
But you most definitely can’t rely on IP blocking or IP-triggered banners as a way around any of the site regulations.
Treat Every Visitor the Same
The spirit of all the EU regulations and laws is for online marketers to be far more transparent in the way they deal with visitor info they collect.
Better transparency includes:
- Notification that personally identifiable info is being collected
- Proper disclosure of what info is being collected
- Full disclosure of how that data is processed/handled/shared
- Cessation of sharing info without consent, which includes adding an email address to any list other than the one the visitor agreed to, and passing emails or IP addresses to third parties for advertising
- Properly securing the data you hold in your database and notifying visitors of any breach, which means getting serious about your site security (installing a security plugin is neither enough nor the best place to start)
While it is true that most EU citizens live in EU countries, and you may not want to manage your site around the edge case of EU citizens living elsewhere, you still have to comply with the law of the land, including U.S. regulations.
GDPR is a good thing in that it requires all site owners to play fair and follow the golden rule when it comes to privacy.
The frenzy over it, and the Facebook meltdown has stirred the pot on privacy.
Site visitors everywhere are getting more savvy about giving their info to anyone.
Seeing that you take their privacy seriously is a leg up for you as a trusted source.
So, instead of trying to get out of GDPR compliance, seriously consider embracing it more.
Keep in mind that eventually, stiffer regulations will be issued in the U.S. too.
So, you’re not going to get out of making your site compliant in the end anyway.
Need Help?
Get a site audit and make your site safe and speedy too!
On average, I find 26 security and performance holes that no plugin or scanner can find.
See all of my GDPR posts to help you make this transition easy and calm.
See my Tips Tuesday posts to get your weekly site success news and tips. They help you stay ahead of the curve and make DIY site ownership easier.
Great article and eye opening. Thanks again MaAnna! I will be getting my site Loyalty Audit at the end of summer. Well worth the time and money spent to secure and run a responsible site by knowing the basics and protecting my readers!!
Thanks, Marilyn!! Yeah, security changes all the time. And Cloudflare has a bunch of new security settings we’ll want to update too. I’m very excited about them!! Will protect us against the 2 most common plugin vulnerabilities until the devs make patches.
I heard you changed those. I also started to set up AWS for UpdraftPlus backup but got stuck on the IAM thing. I want off Google Drive and want to encrypt. Was afraid of guessing on that too. It is always something!
Yep, can help with all of that.
And will be mentioning encrypted backups in Tips Tuesday, and maybe a post about it too.
Good to know!
Just in case you have Canadian clients, here’s what’s on the books in Canada: http://fightspam.gc.ca/eic/site/030.nsf/eng/home#
It looks like it’s just about spam, but there are some clauses about privacy.
Thanks so much LowellAnn!!!
I do have several Canadian clients, but they are so polite, they’d never scream and yell and go into a frenzy about their site standards ;-)
I’m sure there are many many interrupations and I am just getting up to speed.
From everything I have read, the GDPR applies only when personal data is collected from an individual person who is located in an EU country at the time the data is collected.
That would mean that while an EU citizen is in the US it would not apply. Conversely, it also means that if a US citizen is visiting the EU, and their personal data is collected while they are in the EU, it is protected under the GDPR.
Can you please clarify.
Correction: I meant interpretations not interrupations. :)
That’s not the way I understand it. And to be sure that you are not going on hearsay, might want to just read the GDPR for yourself and ensure you are making the best decision for your site, based on your own instincts about it.