GDPR: The Bottom Line for Small Businesses in the U.S.

Originally published by Dave Turney in May of 2018 and published on

*  *  *

The European Union (EU) has managed to come up with a digital data privacy law with some teeth for website owners all the way over here in the U.S.A.

Whatever you think of the rules doesn’t really matter at this point. The bottom line is that it definitely 100% for sure impacts you and your website.

By “impacts you”, I mean you need to start now and make several important changes to your website and digital marketing tool settings to ensure you are not an easy target for GDPR non-compliance legal action.

Scroll down for my Essential GDPR Checklist for Small Businesses and Personal Websites.

The GDPR Bottom Line for Small Business

  1. GDPR is much more serious and enforceable than the earlier “cookie laws” which you probably (wisely) dismissed.
  2. GDPR covers *any website or data service anywhere* if it is visited by anybody from Europe (so, yes, your site).
  3. GDPR covers “Data Processors” (big tech like Google, Facebook, etc) as well as “Data Controllers” (website owners like you and me).
  4. GDPR distinguishes between “Personal Data” (beliefs, location, health, demographic profiles) and “Non-sensitive Data” (anonymous web interactions).
  5. GDPR is a well-intentioned law in concept but offers very few precise recommendations for technical compliance.  Much is unclear and subject to opinion.

GDPR Regulations in a Nutshell

Trouble sleeping at night? Just Google “GDPR Regulations” and you can spend the next 8-16 hours reading detailed, in-depth discussions online about what exactly any of this means.  You’ll either become an expert GDPR legal consultant or solve your insomnia.  Either way you win.

For now, I’ve settled on simply summarizing the key takeaways:

  1. Global Scope
    Any entity that collects, stores, or processes the personal data of any EU “Data Subject” (ie, a natural person).
  2. Stiff Penalties
    2-4% of your annual global turnover or €20 Million–whichever is greater(!).
  3. You Must Obtain Consent
    You must obtain clear consent before collecting any personal data. This means no more lengthy overly technical legal mumbo jumbo. You must make it clear and prominent how you are tracking visitors and why you believe their data is necessary for your business.
  4. Breach Notification
    You must be able to notify impacted customers of data breaches within 72 hours.
  5. Right to Access
    Data Subjects (people) will be able to request from you information about how their personal data is being stored and processed and get copies of that information.
  6. Right to Data Portability
    Data Subjects will have the right to transfer that information to another entity / competitor
  7. Right to be Forgotten
    Data Erasure means subjects can expect to have their personal data removed from your systems upon request.
  8. Privacy by Design
    This means you must limit the information you collect to only that which is necessary for running your business.


Because we’re discussing things here which could very well end you up in legal hot water, I need to remind you that I am an experienced Digital Marketing Consultant but not a lawyer.   I can certainly help you and your legal counsel consider possible risks and technical preparations for GDPR compliance, but please seek the advice of a qualified legal professional for help interpreting these regulations and applying them to your situation.

Essential GDPR Checklist for Small Businesses and Personal Websites

1) Audit Your Marketing Tools & Data

Essential Checkpoints

  • Perform a complete audit of all the hidden trackers, cookies, pixels, widgets, and forms you use on your website, especially those from “third parties” (eg, Weebly, Facebook, Mailchimp, Google Analytics, AdWords, etc). Make sure you understand how all of these are used and how they impact your business and your users.
  • Review what kind of marketing data you are capturing and storing (look in your Google Analytics, Mailchimp, CRM, Contacts lists, WordPress, etc). Make sure you can justify continuing to capture and store it.  Be conservative here.
  • Decide which marketing and tracking tools and data sets are necessary for running your business. Remove unneeded tools and change existing settings to capture only what is needed.

Do it yourself: Use a browser plugin like Edit This Cookie to easily view & manage your browser cookies or just look in your browser settings. Wow! I use a lot of cookies on my site!  Another good tool for checking out third party tracking is Ghostery, which will give you lots of control over how other sites, including this one, track you.

2) Review / Approve Google Analytics & Tag Manager Settings

Essential Checkpoints

Do it yourself: There are lots of guides out there about how to set up your Google Analytics and Tag Manager for GDPR compliance, including this one which I co-authored for enterprise customers.  I find this GA Compliance Checklist to be a little bit too conservative but very practical.

3) Update Your Website’s Privacy Statement

Essential Checkpoints

  • Update your privacy page, spelling out in simple, clear terms how you collect and track users who interact with your services.
  • Document which cookies and trackers you are using and why.
  • Link out to the privacy statements of third-party tools you use (eg Google Analytics, Mailchimp).

Make sure your privacy statement answers these questions:

  1. What information is being collected?8
  2. Who is collecting it?
  3. How is it collected?
  4. Why is it being collected?
  5. How will it be used?
  6. Who will it be shared with?
  7. What will be the effect of this on the individuals concerned?
  8. Is the intended use likely to cause individuals to object or complain?

4) Obtain and Manage Consent

Essential Considerations

  • Risky: Do nothing or simply add a static tracking statement.
  • Middle: Offer pop-up allowing users to opt out of tracking.
  • Conservative: Require explicit opt-in before for tracking users.
  • Hybrid: Geolocate users and offer custom tracking options.

Do it yourself: Many popular website CMS like WordPress offer plugins or pop up banner displays that can simply present users with clear messaging about your tracking.  Small websites without any European traffic might be able to get away with this, but a proper cookie-based solution served through a tag manager is really the only way to go here.  

There are several good, essentially free tools out there for managing your consent popup.  They all take a little bit of technical implementation, but very manageable.

5) Prepare to Accommodate Data Subject Rights Requests

Eventual ConsiderationsStart going through these scenarios thinking about how quickly you would be able to respond to these legal requests from one of your site visitors.

  • Begin planning to accommodate “Right to Access”
  • Begin planning to accommodate “Data Portability”
  • Begin planning to accommodate “Right to be Forgotten”

For more on these new rights, see GDPR Key Changes and FAQ pages.

How Can We Help?

Love it or hate it, GDPR gives us a good excuse to do what you probably should have been doing all along–keeping your data collection accurate, comprehensive, and useful.  This is what I do for all kinds of businesses big and small.

Let’s get you ready for GDPR and get you set up with professional-grade marketing measurement and insights.  It’s more affordable than you think

Use the form at the top of this page and let me know if you’d like a free site cookie tracking audit or an introductory consultation about what GDPR compliance means for you.

How Can We Help?

Need something fixed right away? Have a question about our services?

"*" indicates required fields

Select one or more.
Can we send you our quarterly update?
This field is for validation purposes and should be left unchanged.