// This article will continue to be updated. Please note it is not giving any legal advice, just some ideas on how to improve your website’s data protection and privacy
We have been following GDPR to see what it means for small business websites.
GDPR will affect the way you collect and retain information from your customers. There are a few amendments you can make to your website to help, as you may not be aware of everything your site is doing or how it is collecting information.
Create a privacy notice which explains how your website collects information (contact forms, shop checkout, newsletter sign-ups, Google Analytics), how you store that data and for how long, and what you do with it (for example, whether you give it to third parties). Also explain how users can find out what data you hold about them and how they can amend or remove it. This can be as simple as asking them to email or call with their request.
It would also be good to explain in your policy what rights the user has.
Your privacy notice / policy should be accessible from every page. As far as we can see, a link in the footer is sufficient, as long as it is not hidden.
Ecommerce sites use more cookies, for example to track which items are in a user's cart. Often these cookies are kept for 24 hours, so a user can come back several hours later and still have their items in the basket.
“Accept Cookies” pop up
No pre-ticked boxes or opt outs
A user shouldn't have to untick a box or opt out of something (unless they previously chose to opt in). Some sites use sneaky check boxes which say "Tick here if you do not want us to send you newsletters". That is no longer acceptable.
Terms and Conditions
If your site has a terms and conditions page, make sure what it says is up to date and complies with the GDPR. For example, your current terms may state that you give data to third parties.
Make sure to reword them using GDPR terminology, letting users know you only do those things if they have agreed to it.
Woocommerce / ecommerce sites
If your site uses WooCommerce (the ecommerce plugin for WordPress), you should not keep order data indefinitely. We believe you should delete it after around 60 days, unless the user has created an account with your site, in which case make sure it is easy for them to delete their account if they choose to, and that all of their personal information is deleted with it. If you want to keep a record of your sales, you could keep the order information but strip the user's details down to just the town, rather than their full name and address.
Contact Form 7 / contact forms
If you have a 'request a call', 'get a quote' or 'enquiry' form on your website, chances are you haven't deleted the emails those forms generated. If you fill out a form online, are you allowing that company to retain your details forever? You should have a check box so that users opt in to you storing their details, and explain why you are storing them. Otherwise, once you have replied to the user you shouldn't keep their information on file.
There is an extension for Contact Form 7 which stores all of the submissions in a database on your site, accessible from the WordPress dashboard. We would advise checking your database, as it may hold old submissions from years ago which you can delete. We think you shouldn't store data for more than 60 days unless you have an opt-in box, such as "please save my details so I can receive special offers and email newsletters in the future", or whatever it is you intend to do with it.
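The 60-day rule for WooCommerce orders and for stored form submissions is easiest to keep if the site enforces it for you rather than relying on someone remembering to tidy up. The small WordPress plugin below is an added example written for this article; it is not code from WooCommerce, Contact Form 7 or any of their extensions. Once a day via WP-Cron it blanks the personal fields on guest orders older than 60 days (keeping only the town/city, as suggested above) and permanently deletes stored form submissions older than 60 days unless they are flagged as opted in. The constant names, the hook name, the post type `example_form_submission` and the meta keys `_example_pseudonymised` and `example_opt_in` are assumptions: check which post type or table your form-storage plugin actually uses and how it records an opt-in before adapting this. Newer WooCommerce versions also have their own personal-data retention settings under WooCommerce > Settings > Accounts & Privacy, which you should look at first.

```php
<?php
/**
 * Plugin Name: Example Data Retention
 * Description: Added example for this article, not WooCommerce's or CF7's own code.
 * Daily job that (1) strips personal data from guest WooCommerce orders older than
 * EXAMPLE_RETENTION_DAYS, keeping only the city, and (2) deletes stored form
 * submissions older than EXAMPLE_RETENTION_DAYS unless they were opted in.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

const EXAMPLE_RETENTION_DAYS  = 60;
const EXAMPLE_RETENTION_HOOK  = 'example_retention_daily';        // assumption: our own cron hook name
const EXAMPLE_SUBMISSION_TYPE = 'example_form_submission';        // assumption: your form plugin's post type
const EXAMPLE_OPT_IN_META     = 'example_opt_in';                 // assumption: meta key set when the user ticked opt-in
const EXAMPLE_DONE_META       = '_example_pseudonymised';         // assumption: marker so orders are processed once

// Schedule the daily job when the plugin is activated, and remove it on deactivation.
register_activation_hook( __FILE__, function () {
    if ( ! wp_next_scheduled( EXAMPLE_RETENTION_HOOK ) ) {
        wp_schedule_event( time(), 'daily', EXAMPLE_RETENTION_HOOK );
    }
} );
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( EXAMPLE_RETENTION_HOOK );
} );

add_action( EXAMPLE_RETENTION_HOOK, 'example_retention_run' );

function example_retention_run() {
    $cutoff = time() - EXAMPLE_RETENTION_DAYS * DAY_IN_SECONDS;
    $orders = example_pseudonymise_old_orders( $cutoff );
    $forms  = example_delete_old_submissions( $cutoff );
    error_log( sprintf( 'Example retention: %d orders pseudonymised, %d submissions deleted', $orders, $forms ) );
}

/**
 * Blank every personal field on guest orders created before $cutoff, except the city.
 * Orders that belong to a registered account are skipped: those are handled when
 * the customer deletes their account. Returns the number of orders changed.
 */
function example_pseudonymise_old_orders( $cutoff ) {
    if ( ! function_exists( 'wc_get_orders' ) ) {
        return 0; // WooCommerce is not active on this site.
    }
    // Personal fields to clear; city is deliberately not in this list.
    $fields = array(
        'billing_first_name', 'billing_last_name', 'billing_company', 'billing_address_1',
        'billing_address_2', 'billing_postcode', 'billing_phone', 'billing_email',
        'shipping_first_name', 'shipping_last_name', 'shipping_company', 'shipping_address_1',
        'shipping_address_2', 'shipping_postcode', 'customer_ip_address', 'customer_user_agent',
        'customer_note',
    );
    $changed = 0;
    foreach ( wc_get_orders( array( 'limit' => -1, 'date_created' => '<' . $cutoff ) ) as $order ) {
        if ( $order->get_customer_id() || $order->get_meta( EXAMPLE_DONE_META ) ) {
            continue; // registered customer, or already processed on an earlier run
        }
        foreach ( $fields as $field ) {
            $setter = 'set_' . $field;
            if ( is_callable( array( $order, $setter ) ) ) {
                $order->$setter( '' );
            }
        }
        $order->update_meta_data( EXAMPLE_DONE_META, time() );
        $order->save();
        $changed++;
    }
    return $changed;
}

/**
 * Permanently delete (skip the trash) stored submissions older than $cutoff
 * unless the sender opted in to having their details kept. Returns the count deleted.
 */
function example_delete_old_submissions( $cutoff ) {
    $ids = get_posts( array(
        'post_type'      => EXAMPLE_SUBMISSION_TYPE,
        'post_status'    => 'any',
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'date_query'     => array( array(
            'column' => 'post_date_gmt',
            'before' => gmdate( 'Y-m-d H:i:s', $cutoff ),
        ) ),
    ) );
    $deleted = 0;
    foreach ( $ids as $id ) {
        if ( get_post_meta( $id, EXAMPLE_OPT_IN_META, true ) ) {
            continue; // user asked us to keep their details (newsletter / offers)
        }
        if ( wp_delete_post( $id, true ) ) {
            $deleted++;
        }
    }
    return $deleted;
}
```

Drop the file into wp-content/plugins and activate it; the job runs from the next page load after the scheduled time, since WP-Cron only fires on visits unless you wire it to a real cron. Stored copies of the same data elsewhere (the notification emails in your inbox, backups) are outside what this script can reach and need their own retention rule.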
Know what your site stores and why
If someone asks, make sure you can answer.
Why has your site stored my details?
- Once you gave consent, we track visits with Google Analytics to improve the usability of our site. Here is how you can revoke consent …
- You chose to opt in to our newsletter when you contacted us via our enquiry form (checkbox). We store your name, address, phone number and email.
- You created an account when you used our ecommerce website.
If a user hasn't logged in to their account for over 1 year, we would recommend deleting their account, or deleting most of their data (such as the billing address).
Any page that accepts data from a user should be served over HTTPS, so if your site is ecommerce or has a contact form where a user can send their name, phone number, email address and so on, it needs to be encrypted in transit. We recommend at least a DV (domain-validated) SSL/TLS certificate, and that the whole site, not just the checkout, redirects plain HTTP to HTTPS so a form is never submitted in the clear. See: What are SSL Certificates?
We can help sort these things on your site. For Privacy Notice, Cookies Policy and Terms and Conditions, it may be worth seeking legal advice to ensure they comply with GDPR.