If you follow any type of news or business outlets, you’ve likely heard rumblings of the General Data Protection Regulation, or GDPR. This landmark piece of legislation regarding data privacy rights of anyone in the European Union was passed back in April of 2016, but officially took effect on May 25, 2018.
The primary purpose of the GDPR is to give those in the EU more control over their personal data and how it’s used. One thing that makes it so different from prior laws is the scope: the GDPR applies to anyone processing the personal data of those in the EU. So even though your business may not be in the EU, the law can still apply to you if those in the EU can interact with you.
If you’re a U.S.-based business actively engaged in business in the EU and haven’t taken compliance measures yet, we highly encourage you to seek guidance from your legal team as to how this affects you and how to best prepare. However, any U.S. business that operates a website is most likely impacted to some extent, so it’s important to take precautions.
Here are a few things you should know and a few steps every website owner should take in preparation for the GDPR. (Please note that we’re not lawyers, and our advice or tips are not a substitute for professional, legal counsel on this matter. To ensure compliance, please work with a GDPR compliance specialist.)
Know Your Role
Certain criteria in the GDPR and your responsibilities vary depending on whether you’re a “controller” or a “processor”. Learn more about the definitions of controller and processor as they apply to the GDPR to help determine what’s needed, and ensure that any third-party partners you’re working with are ready to help you meet the requirements.
Personal Data
The GDPR is meant to help protect personal data. This obviously applies to things like names, addresses, phone numbers, email addresses, credit card information, etc., but it can also apply to online identifiers such as IP addresses and cookie strings. If you have any forms or fields on your site that collect data, or if you utilize any cookie-based functionality on your site (including things like Google Analytics), you may need to make changes to your site. (No financial transaction or purchase needs to occur for this to affect you.)
Consent
The GDPR also outlines the importance of consent when providing information. Specifically, it requires consent to be “freely given, specific, informed, and unambiguous”. What does this mean for marketers? It means that forms should not have pre-checked boxes (people must intentionally opt-in). It also means each specific opt-in for various communication formats should be separate and not grouped under a single opt-in. It also means any terms and conditions must be simple and easy to understand (no complicated legalese). The GDPR also says that people in the EU should be able to revoke that consent at any time (and to do so must be simple). Evaluate how you collect consent any time you collect data on your website, how you track this, and ensure people can opt out or remove themselves easily.
Cookies
Cookies are also mentioned specifically in the GDPR, as they may be used to identify individual devices and therefore potentially an individual. If you’re using cookies on your site, you will likely need to add some type of cookie opt-in process. Google has created a website devoted to this issue. There are a variety of tools or apps that can be used to inform visitors about cookies and allow them to accept or decline their use.
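One way to implement the opt-in rules from the Consent section (nothing pre-checked, one switch per purpose, withdrawal as simple as opting in) together with the cookie gating described above, as an added example in plain JavaScript that is not part of the original post: the consent record is stored per purpose and the analytics tag loader only runs after an explicit opt-in. The `memoryStorage` stand-in, the purpose names and the `consent` storage key are assumptions for the example; in a browser `window.localStorage` would take the place of the stand-in.

```javascript
// Purposes a visitor can opt into, each with its own switch (no bundled opt-in).
const PURPOSES = ["analytics", "marketing_email"];
// Every purpose starts as "not consented": no pre-checked boxes, no implied consent.
function defaultConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// storage: anything with getItem/setItem/removeItem (localStorage in a browser).
function loadConsent(storage) {
  const raw = storage.getItem("consent");
  if (raw === null) return null; // no decision recorded yet
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return null; } // corrupt or tampered: no consent
  if (!parsed || typeof parsed !== "object") return null;
  const out = defaultConsent();
  // Only a literal boolean true counts; "yes", 1 or unknown keys do not.
  for (const p of PURPOSES) out[p] = parsed[p] === true;
  return out;
}
// Record the visitor's explicit choices; any purpose not ticked stays false.
function recordConsent(storage, choices) {
  const out = defaultConsent();
  for (const p of PURPOSES) out[p] = choices[p] === true;
  out.recordedAt = new Date().toISOString(); // keep evidence of when consent was given
  storage.setItem("consent", JSON.stringify(out));
  return out;
}
// Withdrawing consent must be as simple as giving it: one call clears everything.
function revokeConsent(storage) {
  storage.removeItem("consent");
}
function hasConsent(storage, purpose) {
  const c = loadConsent(storage);
  return c !== null && c[purpose] === true;
}

// Gate a tag loader (e.g. the function that injects the gtag.js script tag) behind
// an explicit analytics opt-in; the loader is never called without one.
function loadAnalyticsIfConsented(storage, loader) {
  if (!hasConsent(storage, "analytics")) return false;
  loader();
  return true;
}

function memoryStorage() { // constructed localStorage stand-in so this runs in Node
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); }, removeItem: (k) => { m.delete(k); } };
}
```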
Other Google Changes
In order to be in compliance, Google is making a few additional changes you should be aware of:
- Update to Consent Policy – Google adopted a new EU User Consent Policy which went into effect May 25, 2018. This new policy states that if you’re using Google Products (such as Analytics), you must be tracking user consent and providing info on opting out.
- New Data Retention Controls – Google Analytics now includes a control setting in the admin panel that allows you to determine how long user data is stored on their servers, ranging from 14 months to never expiring. This setting appears to default to 26 months and to automatically reset the time length whenever a user has new activity with your site. (This deletion of data does not affect your aggregate data, only user-specific data.)
- New User Deletion Tool – Google also introduced a user deletion tool that will let you remove all data about an individual user. More details are to come soon.
Countries included in the EU: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK
The GDPR is a big shift in the way marketers and businesses handle information. Be ready for these changes by informing yourself on the GDPR requirements, consulting with experts and legal advisers, and taking a hard look at your website practices.