GDPR: What Small U.S. Craft Businesses Need to Know

The law is designed to allow EU citizens more control over how their personal information, including names, email addresses, credit card information, and IP addresses, is handled.

If your U.S.-based craft businesses has customers in the EU — people who have purchased a product from you, subscribed to your mailing list, commented on a blog post or even visited your site and had their information processed by Google Analytics — you will also need to comply.

This post on the Craft Industry Alliance blog is a good primer on what the law is all about.

I spoke to attorney Kiffanie Stahle of The Artist’s JD, who is currently running a waitlisted beta course on GDPR compliance (her next course should be open in early June), to get insight into how the law affects small businesses that are not based in the EU. Stahle suggests that taking GDPR compliance seriously creates a way for you to set yourself apart from others in the market. “It creates an ability for you to stand out, to delight and surprise your customers,” Stahle says.

I also chatted with Patricia Beets, who co-owns Chicago-based Dell Cove Spices, which has a Shopify and Etsy store, and WordPress-hosted recipe blog, about how she and her husband David are complying with the law. “I figured that what was going to happen in Europe was eventually going to happen in the United States,” Beets says.

Paige Hulse, another attorney for creatives, recently published a blog post on complying with the GDPR, as well as a PDF guide that can be downloaded by subscribing to her mailing list (with a link to her privacy policy, of course).

Please note that this article does not constitute legal advice and is designed to be an overview of some of the basic steps that U.S. creative business owners need to take to comply with the regulations, with links to resources.

Creating a privacy policy

Businesses should have a privacy policy on their websites making it clear what data they are collecting, how they’re using it, and how long they’re keeping the data, Stahle says. The policy, particularly as it obtains to data collection and use, should be in plain language and easy to understand.

Stahle is working on a privacy policy with language related to the GDPR that business owners can use as a template.

Collecting ‘cookie’ consent

As part of GDPR, you need to get consent from visitors to your website to collect “cookies,” the name for files that contain user data and allow websites to provide customized experiences. Hulse notes in her blog post that if you’re collecting cookie information from website users, you must let them know what cookies are and why you’re collecting them, and also get their consent to use them.

“It may be wise to put an opt-out option in place on your site or allow the User to choose what type of cookies they will use,” Hulse writes.

Getting consent from newsletter subscribers

How businesses use email addresses are a big part of GDPR compliance. If you have a mailing list, you may have already received messages from your email marketing service provider about the new law. Mailchimp, for example, has a blog post for its customers related to GDPR.

Business owners must make sure, going forward, that subscribers explicitly consent to sharing their data for marketing purposes. Using a double opt-in setting — requiring people to click a link in a confirmation email to subscribe to your newsletter — is also good to employ but may not apply to all types of email.

“When people purchase a course, I don’t make them double opt in for the course information,” Stahle says. She says business owners should do a re-consent campaign for just their EU customers, which should be labeled by their email marketing service, confirming that they want to continue to subscribe ideally before the law goes into effect on May 25. “The regulation says to make the reasonably best effort to identify people from the EU.”

A re-consent campaign can also be a good idea to make sure your list contains people who want to hear from you. “We’re using this law as an opportunity to touch base with someone and clean our lists,” Stahle says.

There also needs to be the ability for people to unsubscribe to your mailing list and to know what you are doing with their information. “If someone unsubscribes, you should send them an email to say you are unsubscribed,” Stahle says. “In that email it should say, ‘We have the ability to delete your data.’” Your email marketing service should have a way for a customer to request deletion of their data.

Protecting customer data

If you sell products, you have the right to keep customer data, including mailing addresses, for seven years, Stahle says.

Most customer credit card data is held by third-party sites, such as Shopify and PayPal. As a business owner who uses those services, you must make sure you have strong, unique passwords to these accounts to prevent data breaches.

Beets says the GDPR compliance deadline forced her and her husband to take a closer look at some of the plug-ins and third-party applications they use for their standalone website. They ended up deleting a few, including one for Shopify that creates more attractive invoices. “When we reached out to the developers, they didn’t have answers … about the kind of information they collect,” Beets says.

“We’d rather try to do the right thing,” Beets says. “Yes, the process is complicated, and yes it’s costing us some money in legal fees, but if you’re going to do business you have to follow the rules.”

For more on privacy policies, please see our recent article by lawyer Carol J. Sulcoski Terms of Service and Privacy Policies for Your Website.