GDPR for Wineries

Today, let’s start with two caveats and a thank you. The thank you goes out to Charlotte who emailed me with a question that made me sit my butt down and write an article that I have been avoiding. The caveats:

  1. I try to avoid any hint of self-promotion in these newsletters. Any self-promotion in today’s topic is by necessity, not design.
  2. I am not a lawyer. This is not legal advice.


GDPR stands for General Data Protection Regulation. It is the new data protection law in the EU, it comes into force in May 2018, it has serious penalties, and it applies to data collected about EU citizens from anywhere in the world.

This means that pretty much every winery site anywhere needs to care about this.

The aim of the GDPR is to give citizens of the EU control over their personal data and change the approach of organizations across the world towards data privacy. There are two main aspects of the GDPR: “personal data” and “processing of personal data.”

  • personal data pertains to “any information relating to an identified or identifiable natural person”, such as name, email, address, or even an IP address,
  • processing of personal data refers to “any operation or set of operations which is performed on personal data”, such as storing an IP address on your web server logs.

In plain-speak, GDPR states that if a website collects, stores or uses any data related to an EU citizen, it must:

  • Tell the user who is collecting it, why they are collecting it, for how long the data will be retained, and who receives it.
  • Receive clear consent before collecting any data
  • Let users access their data, and take it with them
  • Let users delete their data permanently
  • Let users know if data breaches occur

Here are some common ways in which your winery site might be collecting user data:

  • cookies
  • user registrations
  • purchasing history
  • comments
  • contact form entries
  • analytics and traffic logs
  • security tools

If this topic seems daunting, that’s because it is. And most of the information online is geared toward large companies with big budgets. But what about small businesses who want to comply and don’t know where to start?


Before we can even touch GDPR, we need to talk about two very naughty habits common to small, in-house web teams:

  1. Secure hosting. People, Imma tell you, you get what you pay for. Cheap hosting isn’t always safe hosting. On Monday, email your site host and ask whether they are GDPR compliant or have measures in place to become compliant by the end of May.
  2. Site maintenance. I can’t tell you how often we go into winery ecommerce sites and discover that the platform/integrations are not updated, and often haven’t been updated for months (or years!). Forget GDPR, this is a major security risk to your site and your data. Schedule a couple of hours every month to keep your site up to date.


GDPR has kept our team up to our eyeballs in new client work for the past four months. I AM NOT A LAWYER, and there is no way that a 5-minute Sunday newsletter can address all things GDPR. But let me help you understand some key takeaways based on months of cleaning up winery sites.

First, how can I convince you that GDPR rocks?! Anyone who has read this newsletter for long knows that I liken your relationship with your customers to a friendship, and compliance with GDPR is the equivalent of transparent, honest communication with your friends. Clear commitments, trustworthiness, and respect. No dark patterns, or subversive defaults and fine print. When in doubt, speak plainly, be truthful, and don’t ignore their concerns.

Here’s your list:

  1. Get those green locks! If your site does not yet have an SSL certificate, you MUST address this now. Websites that use HTTPS send data over an encrypted connection, an absolute necessity for compliance.
  2. Update your Privacy Policy. Most sites have mumbo-jumbo policies; we recommend two versions. Make it easy for someone to contact you with questions, and include the legalese on the same page but in the next section. Begin with a clear, concise, plain-speak explanation that answers the following questions:
    1. What information is being collected?
    2. Who is collecting it?
    3. How is it collected?
    4. Why is it being collected?
    5. How will it be used?
    6. Who will it be shared with?
    7. What will be the effect of this on the individuals concerned?
    8. Is the intended use likely to cause individuals to object or complain?
  3. If you are using add-ons/plugins/integrations that collect data, you need to address these in your Privacy Policy, too. You may be surprised to learn that this can include embeds, such as YouTube videos, as well as the more common newsletter and referral program sign-ups. And don’t even get me started on your social media widgets… (make them go away!) I would also say, now is a good time to take a look at your integrations. How long ago were they updated by the developer? If you are using integrations that are not maintained by the developer, you need to look for replacements.
  4. Include or improve your cookie consent. Right now, most cookie notifications are set up to assume opt-in (“if you proceed, you accept…”); alter your cookie notification to require clear consent before a cookie can be placed in the user’s browser. See the image below as an example.
  5. Forms default option. It’s been common practice on checkout and contact forms, etc., to set default states of checkboxes, etc., to OUR preferred customer choice. GDPR means that we need users to actively select their preferences. We should no longer pre-tick YES to choices such as “create account” or “sign up for newsletter”.
  6. Emails. I have a love-hate relationship with Mailchimp, but they are on the ball with GDPR (so much that, despite my dislike, we are moving all of our clients to Mailchimp). Mailchimp has GDPR-friendly sign-ups. And, don’t forget, ALWAYS have an unsubscribe button on your emails.
  7. Breach notification. GDPR states that you have 72 hours to notify users if there has been a data breach. These users may include not only registered users but possibly even commenters and contact form submissions, making breach notification an intimidating task for a small site. “Good defense is the best offense.” Now is the time to look at what kind of security you have protecting your site.
cookie consent form showing an explicit opt-in
(photo credit: Janelle De Weerd)
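
Items 4 and 5 of the list, sketched in code as an added example (not from the original newsletter or any particular plugin): non-essential cookies are held back until the visitor actively opts in, and a pre-ticked box never counts as consent. The function name, the category names, the `userTouched` flag and the in-memory jar standing in for `document.cookie` are all assumptions made for illustration.

```javascript
// Added example: opt-in consent gate. Names and categories are hypothetical.
const OPTIONAL = ["analytics", "marketing"];

function createConsentGate(writeCookie) {
  // Every optional category starts as "not granted"; silence is not consent.
  const granted = Object.fromEntries(OPTIONAL.map((c) => [c, false]));
  let pending = []; // cookies requested before the visitor decided

  function set(category, name, value) {
    if (category === "essential" || granted[category] === true) {
      writeCookie(name, value);
      return true;
    }
    if (OPTIONAL.includes(category)) pending.push({ category, name, value });
    return false; // unknown categories are refused outright
  }

  // choices: { analytics: { checked, userTouched }, ... } from the banner form.
  // A box counts only if it is ticked AND the visitor ticked it themselves,
  // so a pre-ticked default never turns into consent.
  function record(choices) {
    for (const c of OPTIONAL) {
      const ch = choices[c] || {};
      granted[c] = ch.checked === true && ch.userTouched === true;
    }
    const queued = pending;
    pending = [];
    for (const p of queued) {
      if (granted[p.category]) writeCookie(p.name, p.value);
    }
    return { ...granted };
  }

  return { set, record };
}

// Constructed walk-through with an in-memory jar standing in for document.cookie.
function demo() {
  const jar = {};
  const gate = createConsentGate((k, v) => { jar[k] = v; });
  gate.set("essential", "cart", "abc");       // written immediately
  gate.set("analytics", "visitor_id", "42");  // held back
  gate.set("marketing", "ad_id", "99");       // held back
  const before = Object.keys(jar);
  const state = gate.record({
    analytics: { checked: true, userTouched: true },  // active opt-in
    marketing: { checked: true, userTouched: false }, // pre-ticked, ignored
  });
  return { before, after: Object.keys(jar), state };
}
```

In a real banner, `userTouched` would be set from the checkbox's change event, and the gate would sit in front of every script that writes a cookie.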

Still seeking solutions

Two requirements are still in active development, with only one month to go. It is now possible for a user to both access and delete their data in WordPress, but I haven’t been able to find these features in other DIY or wine-specific ecommerce solutions. If you know more, please tweet me.

I’m way beyond 5 minutes and feel like I’ve only touched on this topic. If you want more information, or need to talk with me about your GDPR concerns, reach out. I skype with wine folks on Fridays, and you are welcome to book a time if I’ve left you with more questions than answers.

[Photo by Eder Pozo Pérez on Unsplash]

Polly Hammond

Polly Hammond is the Founder and CEO of 5forests, which means every buck stops with her. As the public face of 5forests, she splits her time between Barcelona, Auckland, and California, consulting, writing, and speaking about the trends that impact today’s lifestyle businesses.