GDPR for Wineries


GDPR stands for General Data Protection Regulation. It is the EU's new data protection law: it comes into force in May 2018, carries serious penalties, and applies to data collected about EU citizens from anywhere in the world.

This means that pretty much every winery site anywhere needs to care about this.

The aim of the GDPR is to give citizens of the EU control over their personal data and change the approach of organizations across the world towards data privacy. There are two main aspects of the GDPR: “personal data” and “processing of personal data.”

  • personal data pertains to “any information relating to an identified or identifiable natural person”, such as name, email, address, or even an IP address,
  • processing of personal data refers to “any operation or set of operations which is performed on personal data”, such as storing an IP address on your web server logs.

In plain-speak, GDPR states that if a website collects, stores or uses any data related to an EU citizen, it must:

  • Tell the user who is collecting it, why they are collecting it, for how long the data will be retained, and who receives it.
  • Receive clear consent before collecting any data
  • Let users access their data, and take it with them
  • Let users delete their data permanently
  • Let users know if data breaches occur

Here are some common ways in which your winery site might be collecting user data:

  • cookies
  • user registrations
  • purchasing history
  • comments
  • contact form entries
  • analytics and traffic logs
  • security tools

If this topic seems daunting, that’s because it is. And most of the information online is geared toward large companies with big budgets. But what about small businesses who want to comply and don’t know where to start?


I am not a lawyer. This is not legal advice. There is no way that a single article can address all things GDPR.

But let me help you understand some key takeaways based on years of cleaning up winery sites.

First, how can I convince you that GDPR rocks?! Anyone who has listened to any of my podcasts knows that I liken your relationship with your customers to a friendship, and compliance with GDPR is the equivalent of transparent, honest communication with your friends. Clear commitments, trustworthiness, and respect. No dark patterns, or subversive defaults and fine print. When in doubt, speak plainly, be truthful, and don’t ignore their concerns.

Here’s your list:

  1. Get those green locks! If your site does not yet have an SSL certificate, you MUST address this now. Websites that use HTTPS send data over an encrypted connection, an absolute necessity for compliance.
  2. Update your Privacy Policy. Most sites have mumbo-jumbo policies; we recommend two versions on the same page. Make it easy for someone to contact you with questions, and put the legalese in a second section below the plain-speak one. Begin with a clear, concise plain-speak explanation that answers the following questions:
    1. What information is being collected?
    2. Who is collecting it?
    3. How is it collected?
    4. Why is it being collected?
    5. How will it be used?
    6. Who will it be shared with?
    7. What will be the effect of this on the individuals concerned?
    8. Is the intended use likely to cause individuals to object or complain?
  3. If you are using add-ons/plugins/integrations that collect data, you need to address these in your Privacy policy, too. You may be surprised to learn that this can include embeds, such as YouTube videos, as well as the more common newsletter and referral program sign-ups. And don’t even get me started on your social media widgets…(make them go away!) I would also say, now is a good time to take a look at your integrations. How long ago were they updated by the developer? If you are using integrations that are not maintained by the developer, you need to look for replacements.
  4. Include or improve your cookie consent. Right now, most cookie notifications assume consent by default (“if you proceed, you accept…”); alter your cookie notification to require clear consent before a cookie can be placed in the user’s browser. See the image below as an example.
  5. Form default options. It’s been common practice on checkout and contact forms, etc., to set the default state of checkboxes to OUR preferred customer choice. GDPR means that we need users to actively select their preferences. We should no longer pre-tick YES to choices such as “create account” or “sign up for newsletter”.
  6. Emails. I have a love-hate relationship with Mailchimp, but they are on the ball with GDPR (so much that, despite my dislike, we are moving all of our clients to Mailchimp). Mailchimp has GDPR-friendly sign-ups. And, don’t forget, ALWAYS have an unsubscribe button on your emails.
  7. Breach notification. GDPR states that you have 72 hours to notify users if there has been a data breach. These users may include not only registered users but possibly even commenters and contact form submissions, making breach notification an intimidating task for a small site. “Good defense is the best offense.” Now is the time to look at what kind of security you have protecting your site.
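As an added example (not code from the original post), here is a small JavaScript consent gate covering items 4 and 5: optional cookies are refused until the visitor explicitly opts in, and optional form checkboxes default to unticked. The category names, the cookie jar interface and the function names are assumptions of this example; on a real page the jar would be backed by document.cookie.

```javascript
// Consent-gated cookie helper (added example, not code from the original post).
// Only the "necessary" category may be written without a choice; "analytics"
// and "marketing" cookies are refused until the visitor explicitly opts in.
// The category names and the cookie jar interface are assumptions of this example.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Minimal in-memory cookie jar so the logic runs outside a browser; on a real
// page this would be backed by document.cookie.
function createJar() {
  const store = new Map();
  return {
    set(name, value) { store.set(name, value); },
    get(name) { return store.get(name); },
    has(name) { return store.has(name); },
  };
}

function createConsentManager(jar) {
  // Before any choice is recorded, everything optional is denied (opt-in, not opt-out).
  const consent = { necessary: true, analytics: false, marketing: false };

  function recordChoice(choices) {
    // Only an explicit boolean true counts as consent; "yes" strings,
    // undefined or missing keys all mean no.
    for (const c of CATEGORIES) {
      if (c !== "necessary") consent[c] = choices[c] === true;
    }
    // The consent record itself is a necessary cookie.
    jar.set("cookie_consent", JSON.stringify(consent));
    return { ...consent };
  }

  function setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown cookie category: " + category);
    if (!consent[category]) return false; // refused: nothing is written to the jar
    jar.set(name, value);
    return true;
  }

  return { recordChoice, setCookie, getConsent: () => ({ ...consent }) };
}

// Default state for optional checkboxes on consent banners and checkout forms:
// nothing is pre-ticked, so the user must actively select each option.
function defaultFormState() {
  return { createAccount: false, newsletter: false, analytics: false, marketing: false };
}
```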

Polly Hammond

Polly Hammond is a dynamic speaker, podcaster, and consultant, and founder of 5forests. She helps businesses build and implement robust strategies that drive measurable growth.