It’s not uncommon for advertising, SEO tools and analytics to track your movements around the web.

And they don’t always ask for your explicit consent.

These tracking functions act like little spies, latching on to every customer who purchases or signs up for something.

They follow those customers wherever they go, spying on their next move.

 

 

As well as saving their personal data for later use, because… who knows? Might turn out useful.

The EU’s GDPR is the paladin of justice that fights those spies to protect customers’ privacy.

The regulation comes to the rescue of users’ rights, while simultaneously placing a complex compliance burden on anyone who owns a website.

It also affects how you do SEO and content marketing, and how you use Google Analytics and Google Ads.

In a world that’s rediscovering privacy, the relationship between Google SEO and GDPR is more critical than ever.

GDPR and Google SEO: How to Protect Privacy Without Impacting Your Goals

As an EU citizen myself and a website owner with international reach, GDPR has been disruptive to most of my website SEO and overall web presence.

That was until I found a middle ground that allowed me to continue running my websites (and business) while still protecting users’ privacy.

This article will guide you to understand GDPR and its impact on your website, the changes it’s brought to lead generation and to your usage of Google tools for SEO and marketing, as well as offer safe measures to help you protect your site.

GDPR and Its Worldwide Impact

GDPR is the European Union’s General Data Protection Regulation that came into effect on May 25, 2018.

The regulation aims to protect the rights of EU citizens over their data and it applies to all organizations, businesses and websites dealing with EU citizens, whether they’re geographically located in the EU or not.

GDPR is based on five core principles (Art. 5 GDPR):

1. Handling of personal data must be lawful, fair and transparent

2. You can only collect the necessary personal data for the specific purposes that you already informed users about (i.e. no archiving for future purposes that users have no control over)

3. If you’re archiving for scientific or statistical purposes, you must keep identifying data only for as long as it’s necessary to process that data

4. Data processing must ensure against unauthorized access, accidental loss or other damage

5. The data controller (YOU) must be accountable for all these things

What follows is that EU citizens can exercise a number of rights on their personal data and the way you use it:

• Right of access: A citizen/user has to be granted access to their data and the way it’s being processed at any time

• Right to rectification: When a citizen asks for their data to be rectified or completed if it’s incomplete, you must take care of their request

• Right to erasure (the “right to be forgotten”): A citizen can ask to have any data about them erased completely

• Right to restriction of processing: A citizen can request to have the processing of their data halted if they believe it’s inaccurate, pending verification or can’t be erased

• Right to data portability: A citizen can ask to have their data exported and provided to them in a structured and machine-readable format

• Right to object: A citizen can object to having their data processed, and unless you have legitimate reasons for not complying, you have to respect and honor their objection

The impact of these principles and rights on websites and businesses worldwide is considerable.

Compliance takes up a lot of time and effort. You have to continuously monitor data as well as EU citizens’ requests for data rectification or erasure (which you must respond to within one month).

What GDPR Means for You and Your Website

If you deal with EU citizens in any way, GDPR affects you.

You have to:

• Continuously monitor requests from citizens.

That will happen by email, so you need to set up an email account that you can access at least twice a month to check requests and respond if necessary.

• Be transparent with your users.

You must tell them about any actions you’re taking with their personal data, and you have to ensure that those actions are lawful and fair to the user.

• Ensure that your actions don’t put your users at risk.

You need to consider how your website handles personal data and make sure you’re not misusing the data.

• Get explicit consent for every use of your users’ data.

You have to tell users exactly how you’ll use their information. For example, if you’re collecting names and email addresses to send them tips and some promotional offers, users must give their explicit consent for both the tips and/or promotional offers, with two different checkboxes.

The data must be used only for these legitimate purposes, they have to be specified explicitly in the terms, and you can’t use their data for other purposes like, for example, archiving or selling to third-party lists.

• Ask users for new consent if you want to use their data for other purposes.

Unless you acquire that consent, you can’t use the data.

• Only collect the data you absolutely need to run the service.

GDPR goes by the principle of data minimization. In most cases, all you need is a first name and an email address—you don’t need to know the gender of the person, their annual income or how many children they have.

• Keep accurate and up-to-date data.

If there are errors and users let you know about it, you have to rectify or erase the data without delay.

• Be proactive in obscuring or deleting any data that identifies a user as a person.

If you need to collect this data (such as for a survey or research paper), you can only keep it for as long as it’s necessary for that service to run. When it’s over, you must erase everything. Until then, keep it safe.

• Be responsible for all the data you collect.

Under GDPR, if your hosting provider has a leak or a hacker gets into your database and steals data, you are held fully responsible for the data loss.

Failure to comply with GDPR may have you incur fines of up to 4% of your annual revenue.

 

 

4 Things That GDPR Changed for SEOs

1. Google Analytics

The popular Google Analytics suite is officially GDPR-compliant, but not in a way that meet the needs of the single webmaster or small-sized business.

As a data processor, Google puts most of the responsibility on the data controller (you) to safeguard itself from the huge fines that might come from failing to comply with GDPR.

It’s not surprising that Google wants to minimize their risks, but this may take too much of a toll on solo website owners or small-sized businesses that don’t have the resources to handle the consequences.

There are three things you need to be aware of when using Google Analytics since GDPR:

1. Google can shut down accounts that infringe on their privacy terms in a much stricter way than GDPR would require.

2. If you don’t set a data retention period, Google will automatically set a cut-off period and delete all data prior to that period.

3. When you set up the GDPR options in Google Analytics (Account Settings → Data Processing Amendment), you’re asked to input the names of an accountable person and a lawyer—something that solo webmasters and small-sized businesses might not or can’t afford to have.

Dylan Yates had to change the way he used Google Analytics at his SEO agency, SEO Yates. In particular, he had to make changes to his Data Retention settings.

“At my agency, we advised clients to turn off this default as there was no legitimate reason for deleting the data (GA data isn’t private).

GA users’ ability to run ad-hoc reports on data prior to 2016 would’ve been eliminated if they’d allowed the auto-expire function to remain on.”

 

 

All things considered, unless you have a large team and a lawyer, Google Analytics is really no longer a tool for solo website owners.

Since Google is trying to minimize their risk with GDPR, they’ll delete your account if they find PII (personally identifiable information such as usernames, emails and passwords in query strings). This will happen regardless of the permissions your users give you.

It’s a real kind of enforcement from Google, so it’s very risky to have a GA account today if you can’t take care of every small aspect of privacy.

Using Google Analytics comes with having to accept a lot of responsibility, so it might not be the right solution if you run a small business or team, or do everything yourself.

If you do still want to use Google Analytics, make sure to follow the steps that Himanshu Sharma at Optimize Smart and Joe Christopher at Blast have to offer.

2. Google Ads

Even though Google changed its ad policies in March 2018 to request that all publishers request user consent for the collection of cookies and profiling, Google Ads is still far from full compliance with GDPR.

In fact, a complaint was filed in September 2018 that Google’s real-time ad placement technology spreads personal (and sensitive) data across multiple ad providers without the knowledge of users, in direct violation of the EU privacy regulation.

That follows a $5.1 billion fine by the EU in July 2018 for antitrust practices.

While Google has a support page to help advertisers comply with GDPR, the safest way to use Google AdWords, AdSense and other ad-based Google services is to turn off ad personalization and serve ads to your audience in aggregate instead.

3. Affiliate Links, Conversion Trackers and Interactive Website Modules

While getting your content to rank works the same way, you may have to rethink the way you use a number of common engagement and conversion tools such as:

• Blog comments
• Affiliate links
• Conversion trackers
• Email and comment forms
• Self-hosted forums

These tools all collect personal data and generally store IP addresses, emails, full names and other sensitive PII (personally identifiable information) in your database without explicit user consent.

While I’m going to tackle some of these tools and their alternatives later in the article, here I want to make a few points.

If you run a self-hosted forum with your website, you have considerable responsibility with user data as the data controller and processor. The best alternative is to host the forum on a platform that takes care of the data processing (e.g. Forums.net), so you only have to look after user requests and ensure that their data is in good hands.

For affiliate links and conversion trackers, you want to collect only the minimal data necessary to get conversion insights on clicks. There are GDPR-compliant solutions out there like Post Affiliate Pro and Bitly.

4. Gated Content

Under GDPR, you can only collect minimal information to provide your service.

That means offering gated content (i.e. content that people can only download after leaving an email address for you to send them newsletters or promotional offers) becomes a gray area that’s most likely going to clash with the spirit of the regulation.

The guys over at ChartMogul retired this method of lead generation and opened the gate of their Resources page to all website visitors, without data collection.

This naturally doesn’t apply to subscriber-only content that you send through email to existing subscribers. If the deal is that the free e-book is only available for download if you join the newsletter or sign up for a free account, it doesn’t go against GDPR because it’s add-on, member-only material that doesn’t take away from the basic usage of the website.

Unlike what Facebook did in May 2018 when it tried to close the gate to users who didn’t want to provide personal data.

How to Secure Your Website for GDPR, Google and Incautious Users

Some of the following tips might make you feel like I’m suggesting a jump back in the past.

I know how it feels. I’ve been pondering over these aspects myself for a long time before deciding on the right course of action to get my site compliant with GDPR.

However, unless you can rely on a legal team or a lawyer, and have the resources to ensure compliance within your marketing or customer relationship department, you may want to consider these alternative ways to reduce privacy risks and provide a stricter compliance with GDPR.

1. Replace Google Analytics with a GDPR-Compliant Analytics Suite

The options are out there.

You have Matomo, Clicky, Statcounter or Slimstat—all of these web analytics solutions are GDPR-compliant.

Switching to any of these from Google Analytics allows you to better comply with the new privacy regulation and safeguard yourself from data processing abuse that you have no control over, but could wind up being legally involved with.

Some popular platforms that use Google Analytics have also embraced drastic policies to keep safe from GDPR fines, even when you anonymize all the options.

That can work against your goals if you’re denied the possibility to handle things differently.

Robert Brandl from WebsiteToolTester had to start using Clicky for all his websites hosted on Weebly, since the platform chose a too strict approach to data protection.

“We are using the Weebly website builder for some of our sites. Unfortunately, Weebly decided to interpret GDPR in the most drastic way, only allowing the Google Analytics tracking code to load when you accept cookies.

That obviously led (and is still leading) to completely incorrect data, as only about 5-10% of visitors accept cookies.

We’ve now started using a different tracking service that Weebly doesn’t block (Clicky).”

2. Disable Comments and Give Users Your Social Media Channels for Discussion

I’ve done that on my own blogs—I no longer allow comments.

Instead, I leave links to my social media channels on my website for people to get involved with my content.

Or I devote specific social posts for discussion of single articles, and I share links to those posts at the end of my content piece. Or I welcome comments through direct email.

 

 

This is a safe approach to user engagement that doesn’t involve storing users’ email and IP addresses, and it doesn’t require you to take time away from other activities to monitor data editing and removal requests.

If you don’t want to disable comments entirely, you can opt for a hosted solution like Disqus where users can exercise their rights on their own using the tool’s privacy features.

3. Only Use Forms When Necessary

If all you need users to be able to do is contact you via email or phone, consider displaying your contact details in clear text on your website instead of using fully-featured contact forms.

Generally, form scripts and software store email data in your database. And even when they don’t, some parameters used for sending messages aren’t secure (e.g. mail() PHP function).

If you really need to use forms, opt for GDPR-compliant software like WPForms which allows you to turn on privacy features, consent options and disable cookies, IP address, user agent and storing in the WordPress database.

4. Choose GDPR-Compliant Software for List Building

Carefully research list building solutions before you sign up for any.

A GDPR-compliant list software should have the following characteristics:

• Provides you with opt-in consent checkboxes (not pre-checked) for all segments of your list (e.g. Monthly Tips, Promotional Offers, etc.)

• Allows you to easily handle subscriber data so you can effectively respond to EU citizens exercising their rights

• Has a strong security architecture to protect subscriber data

• Allows you to communicate a privacy policy to your prospective subscribers

Solutions that are GDPR-compliant include Mailjet and Mailchimp (the software I use to run two small newsletters for my blogs).

5. Replace Gated Content with Open Content

Previously I said you can definitely have gated content when you want to have subscriber-only or member-only content.

That makes sense. It’s the way any subscription-based goodie works!

But if your goal for requesting email addresses is to build a list of prospects, you could adopt an approach similar to that of ChartMogul:

1. Make all your downloadable resources free to access

2. Edit the resource files to add multiple CTAs to encourage readers to become leads

In other words, do what copywriters have done for decades with their sales letters and white papers.

6. Regularly Delete Server Logs

Server logs are part of the architecture of a website. They’re going nowhere and there’s no way to disable them.

If you have a collaborative host, you might have them already encrypted—but that’s pretty rare to happen.

The thing is though, you need server logs to monitor unauthorized accesses and to get some basic aggregate statistics for your website (e.g. AWStats in cPanel).

Since I run multiple websites and downloading server logs manually would be stressful and time-consuming, I set up a cron job for my websites that would erase the contents of the temporary folder (where server logs are stored) every 90 days.

This is how to do it:

• Log in to cPanel and open the File Manager

• Locate the temporary file folder (/home/USERNAME/tmp)

• Open “Cron Jobs” under Advanced settings

• Configure the cron job like this:

 

 

The line to input in the Command field is the following:

 

find /home/luanaspi/tmp/ -type f -mtime +90 -exec rm {} +

 

This line tells the cron to locate temporary files every 90 days and to execute a removal function—the /tmp folder will be emptied.

Lost Your Google Rankings to GDPR? 5 Ways to Get Your Site Back on Track ASAP

If you’re at least a medium-sized business that can afford lawyers and advanced privacy control tools as well as a privacy control team, the overall impact of GDPR on your website would likely have been minimal.

But not so if you’re a solo website owner, solo business owner or a small company with a limited budget.

I had to take all my websites offline for two months to make them GDPR-compliant. That meant my business website lost its Google sitelinks, as well as plenty of rankings and traffic.

 

 

If you’re in a similar position and have lost rankings due to GDPR, follow these five make-up steps:

1. Use Search Console to push a reindexing of all pages that aren’t indexed anymore

2. Create new content (blog posts, guest posts, social media posts) that links back to the old content to reignite traffic

3. Syndicate your content

4. Take part in communities and Facebook groups where you can share niche content

5. Go link building!

I’ll get into some more detail with these tips.

1. Page Reindexing in Search Console

This is easy:

• Log in to Google Search Console and go to Index → Coverage

• Click the “Excluded” page tab over the graph

• Pick a status—for example, “Crawled – Not indexed”—and click it

• In the list of URLs that appear, click on the URL you want to reindex. A dialog box will open on the right. Select “Inspect URL”

• Read through the scan reports. For any that have the status “URL is not on Google,” hit the “Request Indexing” button

 

 

2. New Content to Revive Old Content

Sometimes old content is hard to get in the loop again, especially if it’s a little outdated and has been deindexed.

What you can do is:

• Update your old content to make it current
• Create new content that links back to the old pieces

The internal links will help create some new traffic to your old pieces.

You can also write guest posts and social media posts with backlinks to that old content to find a new audience.

The newly created activity will encourage reindexing of that older content in Google and improve its rankings, especially if users click it in search results.

3. Content Syndication

Syndicate your content that lost traffic due to deindexing after being offline for some time—a big plus if the syndicating platforms also give dofollow backlinks.

This is a list of content syndication platforms you might want to try:

• Business 2 Community
• BizSugar
• Medium
• Tumblr
• SlideShare
• CustomerThink
• Taboola
• Zemanta
• Outbrain

4. Community Engagement

Are you a member of a web community or do you run one yourself?

Share your old content with your community. Get people engaged.

The newly generated traffic will revive your metrics and improve rankings.

This also applies to social media. Tweets, for example, get indexed in Google, especially if they have some engagement on them:

 

 

5. Link Building

Build new links to your existing content that was deindexed and lost its position in the SERPs.

New backlinks will help revive traffic and boost rankings with PageRank signals.

Try to get these backlinks from reputable websites that get a lot of monthly traffic.

You can look at the following criteria to evaluate high traffic websites:

• Number of social shares
• Blog comments
• Alexa Traffic Rank
• Trust Flow and Citation Flow
• Domain and Page Authority

Hint: Use the “Competitor Links” tab in Monitor Backlinks to find juicy competitor backlinks with high Trust Flow that you can replicate.

 

 

Click 0n the competitor you want to check out, and you’ll be taken to a list of all their current backlinks.

 

 

Sort the backlinks by Trust Flow, and scroll down until you find something interesting like the example below:

 

 

Get a free trial of Monitor Backlinks to start tracking your competitors’ backlinks and stealing them for yourself! (Plus, you’ll also get automated link monitoring, keyword rank tracking and more—completely risk-free.)

Final Thoughts on GDPR and Google for SEOs

GDPR may have been disruptive for many website owners and businesses running on a smaller budget, but it was all for a good cause.

What matters is that you keep a proactive attitude and do everything in your power to restore your website traffic and conversion goals as soon as you’ve made the switch to full compliance.

Although the fines are salty, it’s unlikely that regulators are going after solo website owners and small businesses—at least for now.

Make use of the many GDPR-compliant tools out there and get your rankings and traffic back with community engagement and link building, all while protecting users’ privacy.

You’re going to win, and your users will too.