StudioHOF and GDPR Compliance

GDPR is a European Union Law, that impacts each and every website on the internet.  Let’s forget “legal overreach” for a moment, and simply accept that

  • we all get too much spam email
  • scandals like Facebook and Cambridge Analytica
  • constant news about data breaches

are simply bad things.


StudioHOF is not a legal firm, and we have not consulted legal counsel on the issue of the GDPR.  We have to the best of our ability followed best practices for compliance with the GDPR, however, if you have any concerns, please contact your attorney.
All of the client sites that we host are now compliant, to the best of our knowledge with the GDPR rules.


The General Data Protection Regulation is the EU’s first steps to beginning to set this right.   While I believe that the EU creating legislation that impacts sites hosted outside of their jurisdiction is an overreach, I wholeheartedly believe in what they are trying to accomplish.   I also believe that with all the scandal in data breaches here in the US, US legislation is not far behind.  Not a single client asked StudioHOF to help them prepare for the GDPR, but we took the initiative anyway for all of our clients, because the intent of the law simply makes sense, and because every website owner is at risk of huge fines for non-compliance (as in 20 Million Euros!).


How can my US or Canada based site be impacted by the EU GDPR?

If you think you aren’t impacted, consider these scenarios.

  • A husband in Germany decides to file for divorce from his estranged wife, living in Tampa.   The husband goes online to find a divorce attorney in Tampa.   That attorney may be subject to the GDPR laws.
  • An investor in Denmark has a few condos on the beach in Indian Rocks Beach, between long-term rentals, they want to get the marble floors refinished.  They search the internet for a Floor Cleaning Expert and contract the work.   That Floor Cleaning Expert is subject to the GDPR laws.
  • A creditor in France is owed money by someone in South Dakota.  They search the internet for a debt collection agency that handles international collections.  They land on your debt collection agency website.  Whether or not you engage that person as a client – you are now subject to the GDPR.
  • If anyone from Europe touches your site, they will leave tracks in audit logs, in analytics information collected by Google, and by requesting information.  The simple act of visiting your site, makes you subject the GDPR.  in short, if your site can be reached by people in the EU, you are impacted by this law.

Steps made to be GDPR Compliant

Here are the specifics of what we have done to ensure that you are GDPR compliant.

Permission To Contact

A requirement of the GDPR is that one must specifically give you permission to contact them digitally.  It is not enough that they filled out a form with name and contact information (which in my mind certainly shows they are OK with being contacted!).  They must also acknowledge that it is OK to contact them.  I get it.  The other day, there was a white paper offered on Search Optimization that I wanted.  To get it, I had to give my email and phone number, which I did.   Not 3 minutes later, I got a high-pressure phone call and got bombarded with email marketing that I never asked for.   All I wanted was the free white paper.   So, I understand the need.   All contact forms on every client site have been updated with a required checkbox that says you (our client) can use the information provided to contact the person that left the information.  This is a requirement of the GDPR, and it makes sense.



Encryption.  Your site should be encrypted.  It’s really simple, and it amazes me how many sites are not encrypted.   We implemented encryption as the standard for all sites that we host last year.  It is also a requirement of the GDPR.  In addition to being a GDPR requirement, it’s also a ranking factor for Google.  Google has outright told us, an encrypted site still gets ranked higher than an unencrypted site, all other things being equal.  Finally, some browsers, on encountering an unencrypted site will display security warnings telling you the site is not safe!  How’s that for a user experience?   We weren’t asked, but all sites became encrypted as of late last year that are hosted by StudioHOF.

Cookies Acceptance.

Cookies are little bits of information that are written to the website visitors hard drive to enhance their visit to your site.  They do many things.  For instance, if you have a popup on your site, and someone closes the popup, we use a cookie on their computer to tell the website to not continue to show the popup.  If the site sees the cookie on the users computer, no more popup.  Cookies, , can also be used for tracking what someone does when they are on your site – meaning that if you use Analytics  (all of our sites are attached to Google Analytics) you can literally report on how someone goes through your site, and use that information to understand what your visitors find useful, and what they ignore.  This helps you, and StudioHOF, to create a better experience for the user.  The GDPR now requires that if you use cookies – you need to tell any visitor from the EU that ther are cookies, and they have to have the option of not being OK with it.  So, we now have logic that says if the person coming to the site is from the EU  (we use their IP address for that) then we will display a popup that tells the visitor about the cookies we are writing to their computer, and they have to click OK to continue.  We ONLY do this for EU visitors because, seriously, who wants to have to click OK on a popup all the time?   People from the EU will always have to when visiting your site if it is managed by StudioHOF, because that’s the law.


Terms and Conditions Acceptance

Terms and Conditions of use on a website were always “you kinda should have them”, but few people actually read them.  The new requirements for the Terms and Conditions are pretty clear from the EU’s new law, and they make sense.  All clients of StudioHOF now have updated Terms and Conditions for the EU, and if your visitor is from the EU, they have to Accept those terms and conditions.  It is not enough that you have Website Terms and Conditions on your site, they have to be physically accepted by an EU visitor.


Privacy Policy Acceptance

Exactly the same process as Terms and Conditions is required for the  Privacy Policy if the visitor is from the EU.  Having a Privacy Policy is a Google Ranking Factor already, but a minor one.   The new Privacy Policy calls for greater disclosure and transparency, and again, if you are from the EU, it has to be specifically accepted, it is not enough to simply have a Privacy Policy on your website.  All StudioHOF now have EU compliant Privacy Policies on their website.


Data Access Requests.

Visitors from the EU have the right to know what information you have about them digitally.   I am sure you can imagine that the data is buried in a bunch of technology, and this is NOT something that the typical small or midsized business wants to deal with. We’ve provided a simple form, again with automated emails, as required by the EU, that will send the Data Access Request directly to us, we’ll satisfy the request, and also forward to you, so that you can respond in case they have data about themselves in any system you have, that isn’t on your website.


Right To Be Forgotten

There’s a new term called “Right to be forgotten”.  That means that visitors to your site, or people that have registered for anything on your site, from contact forms on down, have the right to wipe that data from your system.  We cannot do a wipe from outside of our infrastructure.  So if someone requests to be forgotten – we have a form for that, an automated email that goes to the site administrator. We can wipe them from the site, but we’ll let you know that you need to wipe them from your contact software (like Constant Contact or MailChimp).  We have the emails come to us, not you so that we can do the wipe on your behalf, and we’ll notify you so that you can check your software systems outside of the web.


Data Rectification.

If we respond to a Data Access Request, and the user responds with a correction that is required, we’ve automated that entire process.  The user can request a change to their data on your site, that request will come to StudioHOF, and we’ll execute the change within the website, and of course, will forward that to you, so that you can adjust your own systems.



Should a visitor want to be unsubscribed, as opposed to forgotten  (no longer receives updates, but is still in your system to contact one on one), they would use the Unsubscribe request.


Data Breach Notification.

Sears, Kmart, BestBuy, Delta, Saks, Lord & Taylor, Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop, Arbys and more, all had data breaches in 2017/2018.  If they are vulnerable to a data breach, you can be sure that your site is also vulnerable.  This is not the place for us to discuss our own security, although you can ask at any time.   This is the place to say, if there’s been a data breach, you are obligated to tell the users of your site.  We’ve automated that process on your site in a dashboard to make it simple and fast.  Bad enough to deal with a data breach, do you want to also deal with the mechanics of telling all the users of your site that you’ve had a data breach?  It’s now the law, at least in the EU, and for any EU citizen that visits your site.  We’ve made it easy to comply.


Data Breach Notification

Refuse EU Traffic

This is the GDPR nuclear option. If you chose to say, “this is just too much, I don’t want any traffic from Europe”  – we can shut off traffic for all of the EU, or for specific countries with the click of a button for you.


We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.

Pin It on Pinterest

Share This