The information below does not constitute legal advice. If you have concerns about the compliance of your site with the GDPR, please seek your own legal counsel.

What is the GDPR?

The General Data Protection Regulation, or GDPR, is a law on data protection and privacy for all individuals within the European Union. It is set to go into effect on May 25, 2018.

The GDPR regulates how individuals and organizations may collect, use, and retain personal data. This affects both Format and websites which run on Format’s platform.


How does the GDPR affect my Format website?

  • The GDPR’s scope for “personal information” is broad: it encompasses not only traditionally accepted forms of data such as birth dates and mailing addresses, but also digital variants such as IP addresses.
  • Your website could be visited by EU citizens, so any collection of personal information is within the scope of the GDPR even if you are not an EU-based citizen or organization.
  • The GDPR outlines rights for individuals that you are required to comply with.

What is Format doing to ensure compliance?

  • In order to make sure we comply with the new regulations, we are updating our Terms of Service and Privacy Policy.
  • We have begun auditing our data collection processes, and are rolling out methods to comply with data subject rights requests (e.g. "right to be forgotten").
  • We are providing training and information to help Format customers with compliance for their own sites.
  • To submit a rights request including those pertaining to the right to be forgotten or data portability, please email privacy@format.com.

Data collection on your Format website

Format websites do not collect any personal information unless you use:
  • Format’s Contact Forms, Proofing, or Store
    • These features collect personal information such as name, email, and possibly address. Under GDPR, you are responsible for upholding the data subject rights attached to that personal information.
  • Google Analytics
    • Unless you have a clear business function for collecting personally identifiable information through Google Analytics, we recommend you disable it.
    • If you have a clear business reason to use Analytics, in order to be in line with Google’s Terms of Service you must include a privacy policy.
    • To be GDPR compliant, you cannot track users until they explicitly agree to your privacy policy.
  • Embeds:
    • Third-party services (e.g. Google Maps, YouTube, SoundCloud) embed content into your site, with Format acting as an intermediary for the data. These services may have their own terms of service, privacy policies, and other practices which differ from Format’s. It is important to carefully review the policies of all services connected to your Format site.
  • If your Format website does none of the above, it is GDPR compliant to the best of our knowledge, as it collects no personal information.

Best practices for your Format website

  • Review your own data collection and tools – if you don't need to collect data for your business, we recommend you do not collect that data or use that data source.
  • You will need to create a Privacy Policy page and link to it from your site menu. We have provided some resources on creating a privacy policy here. Your own personal privacy policy should reference ours found here.