I’m not going to try to explain the GDPR. I don’t even completely understand it.
I don’t store data at this website, other than the server logs. The big issue is personal data collection. The third-party services I’ve used, Google Analytics and Google AdSense, can collect personal data. I don’t have control over their data retention policies.
According to Google, since my website is pure AMP and I use amp-ads instead of desktop ads, I only need to do one thing. In the AdSense UI, I have to select “non-personalized ads” on the new “EU user consent” tab. The relevant text:
If your AMP ad tags do not use Real Time Config (RTC), you may simply enable non-personalized ad serving in the DoubleClick for Publishers or AdSense UIs, and no further changes to your AMP pages are needed.
As far as I can tell, I’m in full compliance already. The only thing that could possibly trip me up is AdSense. I have to trust that Google is telling me the truth. The part that irritates me the most is that I rarely make money from EU member countries.
Since I’m running a static website without any local forms, I shouldn’t have any issues in the future. Perhaps my decision to go completely static has helped me avoid what a lot of dynamic websites have had to go through and are still going through.