8 min readNodedr Team

GDPR Basics for a Website Collecting Visitor Data

CompliancePrivacy

GDPR Basics for a Website Collecting Visitor Data

The General Data Protection Regulation (GDPR) applies to any website that collects personal data from people in the European Union, regardless of where the website is hosted or where the company is based. If you have a contact form, an email signup, a login system, or analytics that track visitors, you're collecting personal data. If any of your visitors are in the EU, GDPR likely applies to you.

Many small business owners outside the EU ignore GDPR, assuming it doesn't affect them. This is risky. Enforcement action and fines don't depend on company size or intent. A small U.S. business fined for GDPR violations is not hypothetical—it has happened multiple times.

What Counts as Personal Data

Personal data is any information that identifies an individual or makes identification possible. This includes:

Name, email address, phone number, physical address, IP address, and cookies that track an individual across sites. It also includes less obvious categories like video recordings of people's faces, purchase history linked to a person, employment history, health information, and even pseudonymized data if the person can be identified through other means.

An IP address alone might seem anonymized, but combined with other data (like a timestamp and browsing behavior), it can identify a person. GDPR treats this as personal data.

Analytics services like Google Analytics collect IP addresses and cookie identifiers. If your site uses these, you're collecting personal data.

Contact forms, email signups, and login systems obviously collect personal data. So do comment forms and any system where people enter information.

The Core Principles

GDPR is built on several requirements:

Lawful basis: You need a legal reason to process personal data. The most common bases are explicit consent (the person agrees), contractual necessity (you need the data to provide a service they requested), or legitimate interest (you have a valid business reason that outweighs privacy concerns). Legitimate interest requires careful thought—it's not a catch-all.

Transparency: You must tell people what data you collect, why, and how long you keep it. This is typically done through a privacy policy.

Data minimization: Collect only the data you actually need. Don't ask for a phone number if you only need an email.

Purpose limitation: Use data only for the purpose you disclosed. If someone signs up for a newsletter, don't sell their address to third parties without explicit consent.

Accuracy: Keep data accurate and up to date. Remove or correct data that's wrong.

Storage limitation: Don't keep data indefinitely. Define how long you'll store it and delete it when that period ends.

Security: Protect data with reasonable security measures to prevent unauthorized access.

Accountability: Be able to demonstrate compliance. Keep records of consents, policies, and decisions.

If you're relying on consent as your legal basis, consent must be explicit and freely given. A pre-checked box doesn't count. The person must actively choose to opt in.

Your privacy policy and consent request must be clear and specific. A vague statement like "We use your data for business purposes" is not sufficient. You need to say what you'll do with the data.

A single consent covers only the purposes listed. If you later want to use data for a different purpose, you need new consent.

Consent must be as easy to withdraw as it was to give. An unsubscribe link must work reliably and immediately.

Privacy Policy Requirements

Your privacy policy must be clear, easily accessible, and written in understandable language. It must cover:

What personal data you collect and why. Be specific—"We collect your email address to send you order confirmations" is better than "We collect personal data."

How long you keep the data. For an email list, you might say "We keep your email address while you're subscribed, and for 30 days after you unsubscribe."

Who has access to the data. Do you share it with payment processors, email services, analytics providers? List them.

What rights the person has. In the EU, people can request access to their data, correction of inaccurate data, deletion (the "right to be forgotten"), and a copy of their data in a portable format.

Where the data goes if you're outside the EU. EU data protection law restricts transferring personal data outside the EU. If you use U.S. services, you need to disclose this and have a legal mechanism for the transfer.

Practical Application for Common Scenarios

Contact form: You need explicit consent, a clear privacy policy disclosing what you'll do with the submitted information, and a system to delete old messages or give people a way to request deletion.

Email newsletter: Collect email through an explicit opt-in form, not a pre-checked box. Your privacy policy must explain when you'll delete inactive email addresses. Provide an unsubscribe link that works immediately. If you use a service like Mailchimp, ensure it has GDPR-compliant features.

Analytics: Google Analytics, Hotjar, and similar services collect IP addresses and identifiers. You need to disclose this in your privacy policy and get explicit consent before the tracking code loads. Many analytics tools have consent modes that delay tracking until consent is given.

User accounts and logins: Explain what data you collect (email, password hash, profile information) and how long you keep it. If users can delete their account, ensure the data actually gets deleted or securely anonymized.

Comments and forums: If people post under real names, you're collecting personal data. Your terms must explain who can see the data and how long you keep it.

Rights Data Subjects Have

Anyone whose data you collect has the right to:

Request access to their data (what you have, how you're using it). You must provide this within 30 days, in an understandable format.

Correct inaccurate data.

Request deletion (the "right to be forgotten"). You must comply unless you have a legal reason to keep the data.

Restrict processing. The person can ask you to stop using their data for certain purposes.

Portability. They can request their data in a structured, machine-readable format to take to another service.

Object. They can ask you to stop processing their data, with some exceptions.

To handle these requests, you need a system for receiving and responding to them. This might be as simple as an email address with a documented process.

Data Protection Officer and Documentation

Large organizations need a Data Protection Officer (DPO). Small businesses generally don't, but GDPR requires you to keep documentation of your data processing practices. This includes:

A data processing inventory: what data you collect, why, who accesses it, how long you keep it.

Records of consent decisions.

Documentation of your lawful basis for processing.

Information about how you secure the data.

Cross-Border Data Transfer

If you use services based outside the EU or transfer data outside the EU, GDPR restricts this. Historically, this was handled through "Safe Harbor" and then "Privacy Shield" agreements between the EU and U.S. These were invalidated by EU courts.

Currently, transfers to the U.S. often rely on Standard Contractual Clauses (SCCs), which are written commitments from the service provider to protect data according to GDPR standards.

If you use Mailchimp, Google Analytics, Stripe, or most other U.S.-based services, they should provide documentation of how they legally transfer data. Check their privacy policies and terms.

Practical Checklist

  • Create a clear privacy policy that explains what data you collect and why
  • Implement explicit consent for non-essential data collection
  • Ensure contact forms and email signups use opt-in, not opt-out
  • Review all third-party services (analytics, email, payments) and their data practices
  • Document your data processing practices
  • Set up a system for people to request access, correction, or deletion of their data
  • Enable users to unsubscribe or delete their accounts easily
  • Review and update data retention schedules

FAQ

Do I have to comply with GDPR if I'm not in the EU? If you have visitors or customers in the EU and you collect their personal data, yes. GDPR applies based on who the data is about, not where your business is located.

Is my small site really at risk? Enforcement tends to target larger organizations, but fines and actions do happen to small businesses. More importantly, GDPR compliance is good practice regardless of enforcement risk. It protects your visitors and builds trust.

Does GDPR apply to analytics? Yes. Google Analytics collects IP addresses and identifiers. EU visitors must consent before this tracking occurs. Google Analytics has a consent mode feature that defers tracking until consent is given.

What happens if I don't comply? Fines can reach up to 4% of annual revenue or 20 million euros, whichever is higher, for serious violations. More commonly, GDPR complaints lead to enforcement actions requiring you to fix non-compliance or stop processing certain data.

Can I use a pre-built privacy policy? A template is a good starting point, but customize it to your specific data practices. A generic policy that doesn't match what your site actually does isn't compliant.

Summary

GDPR compliance for a small business comes down to transparency, getting explicit consent, protecting data, and respecting user rights. You don't need to be perfect, but you do need to demonstrate good-faith effort. A clear privacy policy, explicit consent for data collection, reasonable security, and a process for handling data requests cover the essentials. The cost of compliance is typically much lower than the cost of fines or reputational damage.

Share:

Planning a new website?

Let's talk about how a fast, SEO-ready Next.js site can help your business grow.

Start Your Project