The page it self might be compliant (not recording IPs/session cookies/etc) but the law still applies on any data collected on EU citizens that might be visiting abroad.
> Valter Longo is a tenured professor that's been nominated for a Nobel Prize based on his work in nutrition and fasting. I'd hardly call him an alchemist.
Sorry but nominations for Nobel prizes are kept secret for 50 years. I highly doubt he was nominated the same year he was born.
Why do you believe the data collection is not GDPR compliant?
I think that the site is very clear on how my data will be handled and what my email will be used for (sending me 3 emails).
To quote from your pasted link:
'The new regulation requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant.'
I submit the data freely to receive the information stated on the page.
For consent this is true, but there are other legal ways for you to collect the data.
One is legitimate interest, this one is more abstract but requires a bit more work from you.
I think a lot of the future court cases will be around trying what one can use legitimate interest for.
First of IANAL, I'm a European citizen within IT that has to deal with GDPR in my professional role.
I believe there is a lot of hysteria and FUD around GDPR.
Anyway, this is how I would handle your problems.
1. In the same article[1] that you reference, the following paragraph might apply to your business:
>27.2 The obligation laid down in paragraph 1 of this Article shall not apply to:
>processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1)
I would ignore it for now. If any supervising authorities would contact you regarding compliance issues, talk to an expert.
2. This is if you use Consent as the legal basis for collecting the data. I have seen a few business use 6.1.f [2] (legitimate interests) as their legal basis, which has other issues like the weight test of interests not being tested in court, yet. The Article 29 Data Protection Working Party have released opinions on how 'legitimate interests' should be used [3]. However, there are other laws about marketing that could apply on a country per country basis.
If you select the consent route, a double opt in with possibility to opt out at anytime that should be sufficient as long as you document the text for the opt-in's and record it together with the date&time of the opt-in.
Oh, and you don't make the consent conditional on getting your goods/services. I can recommend the Article 29 WP guidelines on consent[4] for extended reading.
It sounds like your current process is enough or requires very little tweaking, I would keep it as is.
3. I have not run a consent campaign. I have run information campaigns about our users rights with links to required documentation and they have been appreciated.
I would not run a consent campaign as I believe your consent should be good enough based on the process mentioned above.
That's why a GeoIP block is not a real fix.