What You Need to Know About the GDPR
Privacy protection is a hot topic. You’ve undoubtedly been receiving emails about privacy policies from various companies, and now the new General Data Protection Regulation (GDPR) has taken effect in Europe. The GDPR is a new set of rules to protect privacy on the web for European Union visitors. This is not the most exciting thing you will read today, but you should be familiar with the basics. In essence this is what GDPR means:
If you collect, store or use any data about an EU citizen, you must do the following
- Tell them who you are, why you collect data about them, how you use it and who else receives it;
- Get their clear consent for each way in which you use their data (opt in);
- Let them rescind their consent (opt out);
- Allow them to access their data and transfer it if they wish;
- Upon request, delete their data if it is no longer legally required; and
- Notify them of a data security breach
Does GDPR affect you? Yes and no. Because it is an EU regulation, it does not apply to American site users. But that’s not to stop a European user from suing an American company. While that may seem farfetched, what is far more likely is that a similar ruling may well be on the horizon here in the U.S. We suggest you play it safe. If you collect and use any kind of data from your visitors, assume the GDPR applies, even if the information is actually processed by a third party like Google or MailChimp. It’s broad reaching, affecting all of the following situations.
- You conduct ecommerce.
- You have any kind of sign-up form, from a contact form to newsletter sign-up.
- User data is collected by Google Analytics
- Your site has social media links (FaceBook, Twitter, etc.)
- You have a comments system of any kind
This subject is numbingly exhaustive. The goal of this article is to provide a brief overview of some of the major issues you will need to address, looking at
- Determining what you need to do
- Privacy policies
- Opting in
- Opting out
- The right to be forgotten
- The GDPR and cookies
So what do you need to do? In short:
- Create forms that allow users to opt in, opt out, or request that their data be deleted
- Ensure any cookies on your site are GDPR compliant.
- Who you are and who is the data administrator
- What information you are collecting (names, email addresses etc..) and what you do with it when it is processed.
- Why you need to collect the data;
- How you store the data and keep it safe and protected; and
- With whom you share the information.
Under GDPR, you need to tell everyone visiting your site about the data you collect, and you must obtain their consent to do so. (The only exception is anonymous site usage data collected by Google, for instance, as noted in the side bar.) Typical examples are newsletter sign-up and agreeing to terms and conditions.
- Users must actively accept the opt-ins. This is called explicit consent and means they check a box or take similar action to indicate their agreement. Boxes cannot be pre-checked.
- You must obtain separate permissions for each proposed usage of data. For instance, you can no longer embed newsletter sign-up in site registration.
- You have to keep a record of the agreement.
Google Analytics and Third-Party Pitfalls
The good news is that you don’t need user consent if your data is being used for Google Analytics’ basic reporting. That’s because the information is anonymous and purely statistical. However, you do have to obtain consent If you go beyond that in collecting identifiable personal data.
Want to know more about GDPR and Google? Check out Google Analytics usage guidelines
Opting out and the right to be forgotten
Under GDPR, your site visitors have the right to withdraw their consent at any time. They also have the right to access their data records and make changes at any time. And you must provide the data within 30 days.
This seems straightforward enough, but in practice it can be a little bit tricky, especially for e-commerce sites, which collect multiple types of personal data. EU countries can modify the regulation to some extent, but it is not relevant to U.S. companies.
Users can also ask that you remove any and all information you have stored about them. This is called a request to be forgotten. This means everything, right down to blog posts and comments and “removed’ is the keyword. It is not enough to simply deactivate or hide a profile; the data must be deleted entirely. In addition, the regulations apply to data passed to third parties, and it your responsibility to forward the request to them.
To accommodate GDPR opt out requirements, you simply need to provide a way for site visitors to contact you.
The Cookie Connection
Ah, cookies, those files that are used to optimize the user experience….and collect data on how viewers use your site. Yes, you must have your site visitors opt in.
We have already mentioned Google Analytics, but there are many other ways cookies may be munching on your users’ personal data, including social media buttons, Google Adwords, chat and comment systems.
The easiest way to obtain consent regarding cookies is via a cookie banner that appears when users first arrive on your site. You’ve seen them, but up most such banners are passive. Now you will need to add some form of active agreement mechanism. Here’s an example.
Those are basic things you need to know about GDPR. What it comes down to is this:
- Collect the minimum amount of personal data needed.
- Be open about what data you collect, why you need it, and how you are using it.
- Get confirmation that you may collect and use your visitor’s data.
There is, of course, more to GDPR—a lot more—and BKJ Productions can explain it to you if you have concerns. More important, we can help you prepare for the day when similar policies are introduced in the U.S. We welcome your questions and we invite you to call on us for assistance in making your website “privacy proof.”