Run a simple website or blog? Here’s everything you need to understand and get started with GDPR and ePrivacy compliance.
Understanding the Legal Requirements and how to Comply
How to Determine Your Law of Reference? › | How to Make Your Blog or Simple Website Compliant › | GDPR Guide ›
What you’ll need (and when you’ll need it)
Why? Under most countries’ laws it’s mandatory that you disclose details related to privacy and your data processing activities. Failure to do so can result in massive fines, legally invalidate your newsletter list, leave you open to litigation and negatively affect your the credibility of your website.
When do you need it? Whenever processing personal user data in any way (e.g. Via social connect buttons, contact forms, analytics services — note that even ip addresses can be considered personal data).
Practical
- How to generate a privacy policy ›
- How to integrate the privacy policy with your site (General Guide) ›
CMS-specific integration
Informative
- Basic elements of a privacy policy ›
- Do You Need More Than One Language in Your Privacy Policy ›
- Which Countries Is Your Privacy Policy Good For? ›
Common services that explicitly require privacy policies
Mailchimp | Google Analytics | Google AdSense | Google Ads Remarketing | Amazon Affiliate Program | Facebook Lead AdsWhy? Many websites use cookies for everything from analytics statistics to text and banner ads.
When do you need it? If you use cookies and you have EU-based users, you’re required by both law and by law-abiding third-parties such as Google, Amazon, Apple, Facebook etc. to comply with legal requirements; this generally means having valid cookie policy and cookie management solution in place.
Practical
- Getting started with the Privacy Controls and Cookie Solution ›
- Customize the Look & Behavior of the Cookie Banner ›
- How to create a cookie policy ›
- Introduction to the Prior Blocking of Cookie Scripts ›
CMS Plugins
These plugins allow you to set up quickly on the most popular platforms and automate much of the prior blocking process
WordPress Plugin Guide | Magento Guide | Joomla! Guide | PrestaShop Guide | PHP class Guide.
Drupal users, you can access the class via direct download or Packagist, and find full instructions in the PHP class guide linked above.
Informative
- Introduction to the ePrivacy (Cookie Law) ›
- Cookies and GDPR ›
- What’s the IAB Transparency and Consent Framework (TCF)? ›
Important
If you monetize content on your site via ads (including Google’s ad services), we heavily suggest that you meet industry requirements by enabling the IAB Transparency & Consent Framework feature in the Privacy Controls and Cookie Solution. Failure to do so can potentially result in reduced ad reach and revenue.
How to enable the IAB TCF in the Privacy Controls and Cookie Solution › | How to collect consent for Google Ad personalization ›
Why? The GDPR requires that you keep and maintain valid records of consent if processing user data based on consent. Without these records, the consent you collect is considered invalid.
When do you need it? When processing the personal data of EU-based users on the legal basis of Consent. Common Scenarios of this include collecting personal data via forms for newsletters, email lists, subscriptions etc. This does not typically apply to consent for cookies as cookies are still largely governed by the ePrivacy Regulation (Cookie Law).
Important
Note: GDPR requirements also apply to you even if you’re not based in the EU but have EU-based users or you only have non-EU users but are based in the EU. Read more here.
Practical
- Maintaining valid records of Consent – iubenda Consent Database ›
- Consent Database Implementation – JS Method Guide ›
- Consent Database Implementation – HTTP API Method Guide ›
Informative
Why? The GDPR requires that you keep and maintain valid records of processing if processing the personal data of EU-based persons. Without these records, your processing activities would be in violation of the law.
When do you need it? If you fall under the scope of the GDPR and your processing activities are not occasional, could result in a risk to the rights or freedoms of others, involves sensitive data or if you have more than 250 employees — in short, it’s almost always required.
Practical
- Guide to the Register of Data Processing Activities Solution ›
- Register of Data Processing Activities Video tour and tutorial ›
Informative
Why? Terms and Conditions (also called ToS – Terms of Service, Terms of Use or EULA – End User License Agreement) set the way in which your product, service or content may be used, in a legally binding way. They are crucial for protecting your content from a copyright perspective as well as for protecting you from potential liabilities.They typically contain copyright clauses, disclaimers and terms of sale, allow you to set governing law, list mandatory consumer protection clauses, and more.
When do you need it? You’ll likely need to set Terms & Conditions if you:
- have different user levels (eg. registered vs non-registered);
- want to set the rules for user behavior (including comments) and state grounds for termination of accounts;
- allow your users to upload content;
- participate in affiliate programs;
- provide advice which can potentially cause harm if misused;
- would like to have some legally enforceable control over, and set rules about, how your product, service or content may be used.
Particular emphasis should be given to copyright and the limitation of liability clauses (and disclaimers), for example when giving advice or promoting affiliate products.
Practical
- How to generate terms and conditions
- How to integrate iubenda’s terms and conditions on your site and app
Informative
Special Considerations
Planning to send emails or newsletters? Read this:
- Emails & Newsletter Guide (Complete compliance guide) ›
- Sending Newsletters and Direct Email Marketing (DEM) ›
Running ads on your site or making endorsements? Read this: