In my journey to becoming GDPR-compliant, I’ve done a lot of research on what needs to be done for my online business. And while I’ve found a lot of information about GDPR in general… and what things businesses should be implementing in order to become compliant… I haven’t found a lot of information with step-by-step instructions on exactly how to get this all setup. (I’m assuming some of this is due to all the different website platforms, website plugins/code, and email marketing platforms different businesses are using.) So I decided to document my process in the hopes of helping other online entrepreneurs. In this article, I am walking you through not only the different things I considered in my GDPR-compliant quest… but also the decisions I made for my business and the instructions for how to actually get this stuff done!
But first…
Disclaimer: I am not a lawyer or data protection expert – and this blog post does not include legal advice. If you have questions or concerns about GDPR or if you need legal advice about how to comply with the GDPR, please consult with an attorney.
Disclosure: This post contains affiliate links for products or services that I personally use and highly recommend. If you click on the link and make a purchase, I may receive a commission (at no additional cost to you). I’ll probably buy a coffee with it – which I promise to drink while creating more helpful content like this. One more thing: I only recommend products or services I believe will be good for my readers and clients. (I don’t recommend junk; that’s not how I roll.)
OK! Now that that’s out of the way… let’s get on with this, shall we?
As I already mentioned, this is just a walk-through of what I did (and what I’m currently working on doing!) for my own business – and for some of my clients too. You can use this information to help you think about what you might want to consider doing on your website. And if you decide to do something similar to what I’ve done, you can use my instructions for how to actually make these changes on your website or email marketing platform. My goal is to help save you some time and frustration with this process. I hope you find this helpful!
RESEARCH, LEARN AND MAKE DECISIONS
The first thing I did was to research and learn as much as I could about GDPR. I tried to find reputable sources and lawyers who were knowledgeable about GDRP. There’s a TON of incorrect and conflicting information about GDPR; so you’ll need to choose your resources wisely. I have some GDPR resources that I recommend here. Then you’ll need to decide what you need to do to be GDPR-compliant. What works for one business may not be appropriate for another business. You’ll need to make decisions on how you are going to comply with GDPR for your business. It’s not as simple as telling your web designer to “make my website GDPR-compliant”. Get educated – and then be the Boss Lady I know you are… and make your decisions. If you have questions or concerns about GDPR or if you need legal advice about how to comply with the GDPR, please consult with an attorney.
WEBSITE AUDIT
After I felt like I had a good understanding of the GDPR requirements, I did a thorough walk-through of my website. I looked at every web page, every opt-in form, my blog, my plugins, and more. As I did my website audit, I jotted down any instance where I was capturing any data from website visitors. (OK… I didn’t really “jot” it down… I create a spreadsheet that tracked everything so I could make sure I had all the data organized in a way that would be easy for me to use now – and in the future when I added new opt-ins and forms. #NerdAlert)
The purpose of this audit is to understand where data comes into your business and where it goes. For example, if someone takes my “Should you DIY your Website or Work with a Web Designer?” online quiz and wants me to email them with some additional information about their quiz result, their answers and results are not only tracked in my quiz software, but also in my email marketing account. Here are some additional examples from my website’s audit – and from other examples from my clients. (As I include instructions in this blog post for each of these items, I will include a link so you can easily jump to that section.)
- Contact forms
- Lead forms, intake forms and questionnaires
- Newsletter and freebie opt-in forms (aka “lead magnets”) that give people something for free (a download, a webinar, a video training, a challenge, etc.) in exchange for their email address
- The comment form on your blog posts
- The checkout form in your online store
- A registration page for an online course
- Google Analytics, Facebook Pixels and cookies (yep, they store data about your website visitors too!)
UPDATED PRIVACY POLICY (AND TERMS OF USE AND DISCLAIMER)
I already had a privacy policy in place on my website; but I knew I needed to get it updated to be GDPR-compliant. I purchased my new Privacy Policy from Bobby Klinck. He is an intellectual property attorney and an online entrepreneur. The Privacy Policy was part of his Website Legal Forms Package, which was recently updated for GDPR. The pack also includes a Terms of Use and a Disclaimer, both of which I needed. (Score!)
Another source is The Contract Shop’s GDPR Compliant Terms & Conditions + Privacy Policy for Your Website.
After I had my new Privacy Policy (and Terms of Use and Disclaimer) ready-to-go, I created a new web page for each of them and simply copied/pasted the info into the new web pages.
Then I included a link to each of these 3 pages in the footer of my website – and in the footer of all of my website landing pages:
Finally, I included a reference to – and when possible, a link to – my Privacy Policy, in all forms on my website: contact forms, lead forms, freebie opt-in forms, blog comments, etc. But more on that in the next section:
WEBSITE FORMS
Now here’s where we enter a gray area. Some resources I’ve found are recommending you have a checkbox on every form, forcing people to consent to your Privacy Policy and/or to you handling their personal data. But other resources are saying that you only need to mention and/or link to your Privacy Policy, with no consent checkbox needed. There are even lawyers out there giving conflicting advice on this.
Below I have detailed what I decided to do for now. It may seem like there’s no rhyme or reason to these decisions… but a lot of it had to do with the built-in capabilities of the plugins and other third-party tools I’m using and whether they currently have the functionality in place to use a checkbox and/or link to my Privacy Policy. I have a feeling that most of the tools/services I’m using will give me more options soon; so these “decisions” may very well change in the near future.
Here’s where that Website Audit really comes in handy! I went through every form listed in my spreadsheet and checked them off after I added the Privacy Policy reference, Privacy Policy link and/or checkbox.
Now let’s take a look at each of these a little closer. I will show you what tools I’m using and I’ll guide you in the right direction for how I implemented the check boxes and/or Privacy Policy links.
Contact Forms:
I am using the Contact Form 7 Plugin for some of my website’s forms. I found 2 easy ways to add the consent checkboxes:
- Use the WP GDPR Compliance plugin.
This plugin adds a consent checkbox for your forms; but as of May 23 it does NOT include the ability to add a link to your Privacy Policy.
– or – - Add the acceptance checkbox field to your Contact forms.
This allows you to include a required checkbox, which you can word however you want. You can also add some text to include a link to your Privacy Policy.
Lead Forms:
The signup forms that I’m using for my different web design services and packages are handled through 17hats forms that I have embedded on my web pages. So I simply added a required checkbox to my forms (within my 17hats lead forms setup).
Note: As of May 23, I’m unable to add a link to my Privacy Policy as part of the 17hats checkbox. So on my web page, above the code for my embedded form, I added a note with links to my Privacy Policy and Terms of Use.
Newsletter/Freebie Opt-In Forms:
ConvertKit Forms: Most of my opt-in forms (for my newsletter, freebies, etc.) are embedded forms from my email marketing service, ConvertKit. Because ConvertKit doesn’t currently (as of May 23) have the functionality to add a Privacy Policy consent checkbox to their embedded forms, I have instead just added an extra line of text on my web pages, below the embedded forms, mentioning and linking to my Privacy Policy.
Bloom Plugin: Some of my opt-in forms are using the Bloom plugin. As of May 23, that plugin doesn’t allow for adding consent checkboxes. So I just added a note in the form footer, mentioning and linking to my Privacy Policy.
Online Quiz: One last type of opt-in form I’m using is on my online quiz. This opt-in form is handled through Interact Quiz. They have added a new feature in the quiz setup area where you can add a checkbox for people to click on, saying they agree to your Privacy Policy. To enable this feature, I simply edited my opt-in form in my Interact account, and checked “Enable GDPR Compliant Consent Checkbox”.
Blog Comment Forms:
There are some new features that have been released in the past few days in order to help website owners with modifying their WordPress blog comments forms as they deal with privacy policies, data consent, and cookies. Here are 3 different features you may want to add to your website blog comments:
- A cookie consent checkbox
- A data storage/handling consent checkbox with a link to your privacy policy
- A privacy policy notice for the popular anti-spam plugin, Akismet
Personally, I decided to display the cookie consent checkbox (which is optional for my website visitors to check) and the data storage/handling checkbox (which is required that they check).
- The cookie consent checkbox is a new built-in feature of WordPress (but may require you to change your JetPack settings in order for it to display).
- I used the WP GDPR Compliance plugin to add the consent checkbox, along with a link to my privacy policy.
- The Akismet plugin has a new setting that allows you to display their privacy notice.
You can get my step-by-step instructions for all 3 of these features using the following links:
>> HOW TO GET THIS STUFF DONE:
Checkout Page:
I am using the Easy Digital Downloads WordPress plugin to handle the sale of my digital products. Starting with version 2.9.2 (released on May 24, 2018), they have added new features for GDPR. This allows me to add a Privacy Policy consent checkbox to my checkout page. I also added a link to view my Privacy Policy. Here’s how this looks on my checkout page:
To add a Privacy Policy consent checkbox to my checkout page, I checked the “Agree to Privacy Policy” checkbox in my settings for that plugin. I also have it setup to include a link that will display my Privacy Policy right on the checkout page. You can find these settings in your WordPress admin area by going to: Downloads > Settings and then clicking on the Privacy tab.
I still am working on getting additional pieces in place. And I also am anticipating GDPR-related updates from some of the services and plugins that I’m currently using. So this will definitely be a work in progress for awhile. But I hope this helps you with your own process of getting GDPR-compliant for your business.
Don’t forget it… Pin it! 
Thanks for providing this useful information.
Great work