**Disclaimer. This post is not legal advice. I am not a lawyer and recommend you seek your own legal advice.**

You may have noticed your inbox filling up with Privacy Policy updates in the last few weeks as businesses scramble to become GDPR compliant.


So what is the GDPR and why should you even care? The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy. Even if you are not based in the EU, the GDPR can apply to your business if you offer goods or services to people in the EU or monitor their behaviour online (which is exactly what a tracking pixel does), even if you aren’t deliberately targeting them. After a two year transition period the law becomes enforceable on 25 May 2018, and failure to comply can result in hefty fines of up to €20 million or 4% of your yearly global turnover, whichever is higher – OUCH!

So what does it all mean and how can you comply?

The GDPR is designed to protect the privacy of people in the EU by controlling how businesses collect and use their personal data.

What is personal data?

According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

So the GDPR applies to you if you take online orders, collect email addresses via your website or simply have the Facebook pixel installed (hopefully you do!)

For most small online businesses the new rules come down to three main points: consent, access and the ability to erase.

Consent & Transparency

You must have a lawful basis for collecting data from anyone in the EU, and for marketing that means clear, affirmative consent. Consent is not the only lawful basis (processing that is genuinely necessary to fulfil an order is covered by the contract itself), but whatever the basis, you must give full and transparent information about what you will use the data for, and you may only use it for that stated purpose. For instance, if you have been collecting emails for a 10% off voucher and then adding those people to the mailing list you send your weekly newsletter to, this will no longer be OK unless you make it clear when they provide their email that they will be added to your mailing list and will receive the weekly newsletter. This is good practice already but now enforceable by law.

This also applies to any data you collect when someone makes a purchase. Just because they gave you their email to complete an order does not mean you can add them to your mailing list, unless they specifically gave you permission to do so. Check with your email provider and website platform; many have been busy making changes to ensure they are GDPR compliant.

Perhaps the hardest part of complying is if your website sets cookies, for instance because you have the Facebook pixel installed, something that all eCommerce businesses should have. Below we look in more detail at how to comply while using a Facebook pixel.

Access

The next main change, and perhaps one of the hardest to comply with, is that everyone in the EU has the right to access any data you hold about them. Upon request, and normally within one month, you must provide an overview of the categories of data being processed as well as a copy of the actual data. You must also explain how you acquired the data, how you process it and who you share it with. If you run a drop shipping website, for instance, you are sharing the data with the company you pass the order on to. If you use an email marketing tool such as Mailchimp or ConvertKit you are also sharing the data with them.

Ability to Erase

As well as having access to the personal data you have stored, everyone in the EU has the right to have their personal data erased completely. The main exception is data you are legally required to keep, such as invoices for tax purposes. You must be able to show how you erase the data, and if you have shared it with a third party such as your email marketing tool, the erasure has to reach them too.

So how do you even start to comply?

1 – Update your Privacy Policy

You need a rock solid privacy policy. Be sure to update yours before the 25th of May to clearly outline what data you are collecting, why you are collecting it, what you will use it for, how long you will keep it and who you will share it with. Also include how people can contact you to have their data erased. Your language needs to be explicit, so you cannot use vague phrases such as “we may use your data”.

2 – Dumb it down

Clearly outline, at the point where you collect someone’s data (such as personal details for an order or an email for an opt in), what you will use the data for. If you are going to use it for any other purpose let them know, for example: “we will also add you to our mailing list and send you a weekly newsletter full of great offers; you can unsubscribe at any time”. A pre-ticked checkbox opting in to your promotional material is not considered consent under the GDPR; they must tick the box themselves. You also can’t have a box that says “tick if you don’t wish to receive promotional materials”.

3 – Check your plugins

If you are using any plugins or apps on your website you need to ensure they are all GDPR compliant as well, as they may be collecting data from your website visitors. It is your responsibility as the site owner to check this (and, where a provider processes personal data on your behalf, to have a data processing agreement with them), so if they are not compliant, find a replacement that is.

4 – Have a data breach plan

If you have a data breach, such as your website being hacked and data being accessed, or data being passed on to a third party without the person’s prior knowledge, you now have 72 hours from the moment you become aware of it to report the breach to your data protection authority (the Data Commissioner or its equivalent in your jurisdiction). If the breach is likely to put the people affected at high risk you must also notify them without undue delay. In practice that means your plan must let you find the source of the breach, work out whose data was involved, put in place measures to stop it happening again and get the report out, all within three days. Be proactive and test your data breach plan as if the worst had happened.

5 – Audit your data

Check your data and make sure you don’t hold any data that was unlawfully acquired, such as purchased email lists. If you do, it’s time to delete them.

6 – Update Abandoned Shopping Cart emails

If you are automatically sending emails to a customer when they abandon their shopping cart, this is not compliant with the GDPR unless they opt in to receive these emails in the shopping cart. Without prior consent you can no longer send these emails automatically (at least to people in the EU for now).

7 – Facebook Pixel

If you are using the Facebook pixel on your website the way it is normally installed, complying with the GDPR is near impossible. The law states that people must give consent BEFORE data is collected. The problem? The Facebook pixel fires as soon as the page loads. You may have seen pop ups that advise that a site uses a pixel (or sets cookies) and give you the option to read the privacy policy or continue. While this is a good start on transparency and does let people know, if they don’t consent it’s too late: the data has already been sent. So how can you get around this?

The most thorough way to be GDPR compliant with a Facebook pixel is an interstitial landing page, with no pixel installed, that is shown before someone enters your website. This would need to apply to any page they are accessing, not just your home page – remember not everyone enters your site via your home page. The landing page would need to explain that your site sets cookies and uses them for Facebook advertising purposes (and whatever else you use them for, such as Google Ads). It would then redirect to the page they linked to only after they accepted that they would be pixeled. The lighter alternative is to keep the pixel script off every page until the visitor has accepted, which is what the plugin mentioned in the update below does.

I think this may start to be the norm in EU countries, but it seems like just an extra step slowing things down online; can you imagine this coming up every time you visit a new website? For me, I won’t be going to this extent but do plan on giving people a way to “opt out” of being pixeled.

This hack doesn’t technically stop them from being pixeled (impossible without the clunky landing page), however it will stop me from sending Facebook ads to them. I will have a bar at the top of my website explaining that the site uses cookies and giving them an option to opt out. If they select the option it will go to a page such as www.yourdomain.com/pixeloptout. I will then create a custom audience of people who visit /pixeloptout and exclude that audience from all my Facebook advertising campaigns. Technically I’m still using their data for a Facebook audience so it still breaches the GDPR, so it’s not a perfect solution; however, for now, given that I am not based in the EU and I don’t target any EU visitors, this will be my temporary workaround until a better solution comes around.

UPDATE – There is now a WordPress plugin which shows a Cookie notice bar and only fires the pixel after they have accepted the use of cookies. Check out Cookie Notice for GDPR.
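As an added example (not code from the original post, nor from the Cookie Notice plugin it mentions), here is the mechanism that update describes, written out in plain JavaScript: the pixel loader is never put on the page by default, it is injected only once a “granted” decision exists, and the decision is stored so the gate gives the same answer on every entry page, not just the home page. It goes a little beyond the text by also persisting a “declined” choice (so the banner does not nag) and by re-asking when the privacy policy version changes. The storage key, the record shape, `policyVersion`, and the stub injector are this example’s own assumptions; in a browser you would pass `window.localStorage` as the storage and an injector that adds the vendor’s loader script.

```javascript
// Added example: a consent gate that keeps a tracking pixel off the page until the
// visitor has opted in. Not code from the original post or from any plugin.
// Assumed conventions (this example's own, not an API of Facebook or of a plugin):
//   - consent is stored under CONSENT_KEY as JSON {status, policyVersion, ts}
//   - injectPixel() is whatever adds the vendor's loader script to the page

const CONSENT_KEY = 'cookie_consent';

// Parse a stored consent record. Anything missing or malformed counts as
// "no decision yet", and the safe default for "no decision" is NOT to fire.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if ((rec.status === 'granted' || rec.status === 'denied') &&
        typeof rec.policyVersion === 'string') {
      return rec;
    }
  } catch (e) {
    // corrupt record: fall through and treat as no decision
  }
  return null;
}

// Persist the choice with a timestamp and the policy version the visitor saw,
// so the decision can be demonstrated later and re-asked if the policy changes.
function recordConsent(storage, status, policyVersion, now = Date.now()) {
  const rec = { status, policyVersion, ts: now };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Browser-side injector: appends the vendor's loader script only when called.
// Under Node (and in the test) a stub injector is passed in instead.
function domInjector(scriptUrl) {
  return () => {
    if (typeof document === 'undefined') return;
    const s = document.createElement('script');
    s.async = true;
    s.src = scriptUrl;
    document.head.appendChild(s);
  };
}

// Wires the pieces together. Call gate.onPageLoad() from every page; it injects
// the pixel only if a "granted" record for the current policy version exists.
function createConsentGate({ storage, injectPixel, policyVersion }) {
  let fired = false;

  function fireIfAllowed() {
    const rec = readConsent(storage);
    if (!rec || rec.status !== 'granted' || rec.policyVersion !== policyVersion) return false;
    if (!fired) {          // inject at most once per page
      fired = true;
      injectPixel();
    }
    return true;
  }

  return {
    // banner is needed when there is no decision, or the decision predates this policy
    needsBanner() {
      const rec = readConsent(storage);
      return !rec || rec.policyVersion !== policyVersion;
    },
    onPageLoad: fireIfAllowed,
    accept(now) { recordConsent(storage, 'granted', policyVersion, now); return fireIfAllowed(); },
    decline(now) { recordConsent(storage, 'denied', policyVersion, now); return false; },
    hasFired() { return fired; },
  };
}

// Minimal in-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed walk-through of one visitor: lands on a product page, declines,
// browses on, then accepts via the cookie settings link.
function demo() {
  const storage = memoryStorage();
  let injections = 0;
  const gate = createConsentGate({ storage, injectPixel: () => { injections++; }, policyVersion: 'v2' });
  const steps = [];
  steps.push(gate.onPageLoad());   // first load, no record: pixel must not fire
  steps.push(gate.decline(1000));  // visitor declines: recorded, still no pixel
  steps.push(gate.onPageLoad());   // next page: no pixel
  steps.push(gate.needsBanner());  // and no banner either, the choice is remembered
  steps.push(gate.accept(2000));   // visitor opts in: pixel injected now
  steps.push(gate.onPageLoad());   // later page: allowed, but not injected twice
  return { steps, injections, record: readConsent(storage) };
}
```

The record that stores the visitor’s choice is itself a cookie or local storage entry, but one that is strictly necessary to honour their decision, which is the category generally treated as exempt from the consent requirement; everything the pixel would set is what has to wait. Note the difference from the opt-out approach above: here nothing is sent to the vendor before the visitor says yes, so there is no audience to exclude.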

What if you’re not based in the EU?

Even if your business or your website is not based in the EU you still need to comply if you offer goods or services to people in the EU or track their behaviour on your site; you cannot simply hope that no EU visitors turn up. So your options are to stop selling to the EU and block all EU traffic to your website, or to comply.

When making this decision keep in mind that the EU may have been first, but given the recent Cambridge Analytica / Facebook scandal and the worldwide attention it received, I don’t think it will be the last. Many organisations are implementing worldwide changes to meet the GDPR in preparation for impending changes from other regions of the world. Let’s face it, although it may be a pain to get your website ready for the GDPR, at the end of the day wouldn’t it be nice to have more control over our data online?

Tools to help

Even though this has been pending for two years, it seems that people have only started taking it seriously recently as the 25 May deadline looms. To help you comply many companies have put together plugins. I am sure there will be more to come, but here are some I have found which may assist you:

Further reading

How is your business preparing for the GDPR? Let me know in the comments below.