By now you have likely received email from Google Analytics or other companies with the subject line: [Action Required] something something General Data Protection Regulation (GDPR). Deadline May 25.
You probably remember similar emails related to CASL, Canada's Anti-Spam Law that went into effect on July 1, 2014.
Compliance with GDPR applies to you if you have website visitors, email subscribers, or advertising target audiences who reside in the EU.
If you only do business in Canada and the US (or countries outside the European Economic Area), then your GDPR non-compliance risk is low. Nevertheless, you still need to review your settings for website, email, social media, and other third-party marketing tools.
Under GDPR, tools like Google Analytics, MailChimp, DoubleClick, and Facebook Ad Platform are data processors. They handle data about your website visitors, email subscribers, and advertising audiences. They have a responsibility to be GDPR compliant, but so do you. As a website owner or advertiser, you are the data controller. You determine what data is collected, which means you are responsible for GDPR compliance when it comes to how the personal data of EU residents is requested, collected, retained, used, and managed.
Under GDPR, personal data is any information that can be used to identify someone, directly or indirectly. This includes, but is not limited to, IP address, cookies, location data, name, and email address.
So what action should you take if you’re a non-European publisher? This is the €20m question (or 4% of annual global turnover, whichever is greater).
What To Do?
- Review what data you collect across your various online and offline properties. Know which third-party tools you use and whether they are GDPR compliant.
- Work with your legal experts to update privacy policies and consent forms.
- Update tool settings or other areas where personal data is obtained, stored, or used.
- Ensure your website is served over HTTPS (a TLS certificate, still widely called an SSL certificate) on every page, not just checkout and login, and that any plugins or third-party tools are GDPR-compliant. TLS protects data in transit, such as form submissions, credit card transactions, and logins, from being read or altered on the way to your server. It does nothing for data once it is stored, so treat it as a starting point rather than a complete security program.
- Have processes in place to properly manage and protect personal data. That means if someone asks what you hold about them, you can tell them how it was used and, where the right to data portability applies, hand over their data in a structured, commonly used, machine-readable format (CSV or JSON, for example). You must also delete personal data once it is no longer needed for the purpose you collected it for, and delete it on request where you have no other legal basis for keeping it.
Review What Data You Collect
Under GDPR, personal data is any information that can be used to identify someone, directly or indirectly. That means the information you collect about website visitors, email subscribers, and social media followers is considered personal data. For example, website tracking tools and online forms, email tools, marketing automation, affiliate links, and social media analytics can include personal data like IP address, cookies, location data, name and email address.
Here is a list of common activities where personal data is collected:
- Website cookies (There's some debate about this one. In my view, since cookies can be merged with other personally identifiable information, they belong on the list.)
- Contact forms
- Comment forms
- Email subscription forms
- Email service providers that track opens and clicks
- Facebook pixel, Google AdWords, and other remarketing and advertising tools
- Affiliate links in blog posts
- Transactions
- Gated content, like free ebooks, whitepapers, or webinars, where a visitor must submit an email or other personal data to view the content
- Any CRM or other database
Privacy Policies and Consent Forms
If you're an SME with fewer than 250 employees, GDPR still applies in full, but one record-keeping obligation is relaxed: you don't have to maintain a formal record of processing activities unless the processing is regular, likely to pose a risk to individuals, or involves special categories of data. Whether you need a data protection officer depends on what you do, not on headcount: it is required when your core activities involve large-scale, regular monitoring of individuals or large-scale processing of special-category data, so a small company doing heavy tracking and profiling can still need one.
The UK Information Commissioner's Office (ICO) offers a great checklist for compliance. Click on each of the “More Information” buttons to see tips on what you need to do in each area to be compliant.
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/controllers-checklist/
When it comes to privacy policies and consent forms, GDPR says that consent must be:
- Freely given: it must be entirely voluntary, and should not be bundled with other goods or services.
- Specific: it must be tied to clearly explained use cases.
- Informed: it can only be given if the data subject is provided enough information about the personal data that will be collected and used.
- Unambiguous: it must be demonstrated by a clear affirmative act by the individual, such as ticking an unticked box (not by silence, a pre-ticked box, or simply continuing to use the services).
When EU residents visit your website, you need a lawful basis for every kind of data you collect from them, whether that's information they explicitly provide through forms or data collected automatically by cookies that track their use of the site. For non-essential cookies and tracking pixels, that basis will normally be consent, obtained before the cookie is set or the pixel fires, not "implied" by continued browsing.
Your privacy policy should specify the ways data is collected, used, shared, and protected. It should include how long data is retained and state the names of all third-party service providers that share the information. Additionally, it must be clear what steps individuals can take to limit, request, or delete their data.
The full text of GDPR is available online and this is the direct link to what information must be given to individuals whose data is collected inside and outside the EU:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/what-information-must-be-given-individuals-whose-data-collected_en
Also, individuals must actively consent to the collection of their personal data. For example if your website uses cookies, an email marketing tool like MailChimp that tracks opens and clicks, and you have the Facebook pixel installed, you need to be explicit and obtain consent for each use. There are some user experience challenges but they are not insurmountable.
A number of EU agencies and associations have developed checklists and guidelines for their members. One of the most useful articles on who's doing it right when it comes to obtaining marketing consent is this econsultancy article offering 10 examples of GDPR best practices, many of which are from non-EU-based companies.
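The consent requirements above translate into one concrete rule for a website: no third-party tag (analytics, pixel, remarketing) may load until the visitor has affirmatively accepted the purpose it serves, and withdrawing must be as easy as accepting. Below is an added example of consent-gated tag loading, written for this page; it is not code from the original post or from any vendor. The purpose names, tag names, the storage key and the 180-day re-consent period are assumptions you would replace with your own, and `store` is any object with the localStorage interface so the logic can also run outside a browser.

```javascript
// Consent-gated loading of third-party tags (added example, not code from the original post).
// Assumptions: purpose names, tag names, the storage key and the 180-day re-consent period
// are illustrative choices. `store` is any object with getItem/setItem/removeItem
// (window.localStorage in a browser) so the logic can run under Node as well.

const CONSENT_KEY = "gdpr_consent_v1";                  // assumed storage key
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;   // assumed policy: ask again after 180 days

// Every third-party tag is tied to exactly one purpose the visitor can accept or decline.
const TAG_PURPOSE = {
  "google-analytics":    "analytics",
  "facebook-pixel":      "advertising",
  "adwords-remarketing": "advertising",
};

// Cookies the tags above set; expire them in the browser when consent is withdrawn.
const VENDOR_COOKIES = ["_ga", "_gid", "_fbp"];

// Returns the stored consent record, or null when there is no valid, current record.
// No record (never answered, unparseable, or stale) means no consent: nothing loads.
function readConsent(store, now = Date.now()) {
  const raw = store.getItem(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec.at !== "number" || !rec.granted || typeof rec.granted !== "object") return null;
  if (now - rec.at > CONSENT_MAX_AGE_MS) return null;
  return rec;
}

// Stores the visitor's explicit choices. Only a literal `true` counts as granted, so a
// missing key, a truthy string or a pre-ticked default can never turn into consent.
function recordConsent(store, choices, now = Date.now()) {
  const granted = {};
  for (const purpose of new Set(Object.values(TAG_PURPOSE))) {
    granted[purpose] = choices[purpose] === true;
  }
  const rec = { version: 1, at: now, granted };
  store.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Lists the tags whose purpose has been granted in the given consent record.
function permittedTags(consent) {
  if (!consent) return [];
  return Object.keys(TAG_PURPOSE).filter((tag) => consent.granted[TAG_PURPOSE[tag]] === true);
}

// Runs the loader for each permitted tag and returns the names of the tags loaded.
// `loaders` maps tag name -> function that injects the vendor script (gtag.js, fbevents.js, ...).
function loadPermittedTags(store, loaders, now = Date.now()) {
  const loaded = [];
  for (const tag of permittedTags(readConsent(store, now))) {
    if (typeof loaders[tag] === "function") {
      loaders[tag]();
      loaded.push(tag);
    }
  }
  return loaded;
}

// Withdrawal must be as easy as giving consent: one call clears the record and returns the
// vendor cookies the page should now expire
// (in a browser: document.cookie = name + "=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/").
function withdrawConsent(store) {
  store.removeItem(CONSENT_KEY);
  return VENDOR_COOKIES.slice();
}

// Minimal localStorage-compatible store so the example runs without a browser.
function makeMemoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk-through with a constructed store and stub loaders (no network, no real vendor scripts).
function demoConsent() {
  const store = makeMemoryStore();
  const loaders = {
    "google-analytics":    () => {},
    "facebook-pixel":      () => {},
    "adwords-remarketing": () => {},
  };
  const beforeAnswer   = loadPermittedTags(store, loaders);          // nothing: no answer yet
  recordConsent(store, { analytics: true, advertising: false });
  const analyticsOnly  = loadPermittedTags(store, loaders);          // only google-analytics
  const cookiesToClear = withdrawConsent(store);                     // _ga, _gid, _fbp
  const afterWithdraw  = loadPermittedTags(store, loaders);          // nothing again
  return { beforeAnswer, analyticsOnly, cookiesToClear, afterWithdraw };
}
```

In a real page the loaders would inject the vendor snippets (the Google Analytics and Facebook pixel code you normally paste into the template) instead of being empty functions, and the consent banner would call `recordConsent` with the boxes the visitor actually ticked. The design choice worth noting is that the default state is "no consent": an absent or expired record loads nothing, which is what makes the gating defensible.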
Third-Party Tools and GDPR Compliance
Remember that as a company/organization, you are considered a data controller under GDPR. Since you control what information is collected, stored, and used, it means you need to consider how to ensure your website, email newsletters, online advertising, and other marketing activities are GDPR compliant.
Data processors (third parties) like Google Analytics, Facebook Ad Platform, and MailChimp all have terms and settings that you should review.
Google Analytics, for example, may be collecting user-level and event-level data associated with cookies, user-identifiers (e.g., User-ID) and advertising identifiers (e.g., DoubleClick cookies, Android's Advertising ID, Apple's Identifier for Advertisers).
When you log into Google Analytics, look for a blue top banner with a link to accept the new terms. Next, under Admin > Tracking Info, review the Data Retention setting. The default is 26 months. This setting doesn't affect the standard aggregated reports; it governs how long user-level and event-level data is kept for ad-hoc features like custom reports and segments, so from a data-minimization standpoint choose the shortest period your reporting can tolerate.
Details from Google on the data retention setting are here:
https://support.google.com/analytics/answer/7667196
Additionally, look at the user-level and event-level data in page and transaction reports to ensure you're not accidentally passing any personally identifiable information to Google Analytics. The common leaks are an email address or IP address in a query string (from an unsubscribe link, a GET-based form, or a "thank you" page URL) that ends up in the Page URI, and user IDs or transaction IDs that are themselves an email address or customer number. Google's terms prohibit sending PII to Google Analytics, so scrub these before the hit is sent rather than only after you spot them in a report.
Angela Petteys has some tips on IP anonymization using Google Tag Manager:
https://moz.com/blog/gdpr-and-online-marketing
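To make the two checks above concrete, here is an added example (written for this page, not code from the original post, from Google, or from the Moz article) that scans recorded page paths for personal data, rewrites them before they are handed to the analytics.js command queue, and turns on IP anonymization. The parameter names in `PII_PARAMS` and the sample paths are constructed for the example; the `ga` commands used (`create`, `set anonymizeIp`, `set page`, `send pageview`) are real analytics.js commands, and `ga` is injected so a recorder can stand in for it outside a browser.

```javascript
// Scrubbing personal data out of page paths before they reach Google Analytics, plus IP
// anonymization (added example, not code from the original post or from Google).
// Assumptions: PII_PARAMS and SAMPLE_PATHS are made up for this example; `ga` is the
// analytics.js command queue, injected so a recording stub can replace it in tests.

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const IPV4_RE  = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;   // loose on purpose: a false positive on a version string is cheap
const BASE     = "https://example.invalid";        // placeholder origin so relative paths parse with URL

// Query parameters that carry personal data by design (assumed names; extend per site).
const PII_PARAMS = new Set(["email", "e", "name", "phone", "ip", "uid", "user_id", "token"]);

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns one finding per leaking location: a parameter with a PII name, a parameter whose
// value looks like an email or IPv4 address, or an email embedded in the path itself.
function findPii(path) {
  const u = new URL(path, BASE);
  const findings = [];
  for (const [name, value] of u.searchParams) {
    if (PII_PARAMS.has(name.toLowerCase())) findings.push({ where: name, reason: "pii-parameter" });
    else if (EMAIL_RE.test(value))           findings.push({ where: name, reason: "email-in-value" });
    else if (IPV4_RE.test(value))            findings.push({ where: name, reason: "ip-in-value" });
  }
  if (EMAIL_RE.test(safeDecode(u.pathname))) findings.push({ where: "(path)", reason: "email-in-path" });
  return findings;
}

// Rewrites the path so every finding is replaced by a fixed token. Returns path + query only;
// the fragment is dropped and the origin is never part of what GA records as the page.
function scrubPagePath(path) {
  const u = new URL(path, BASE);
  for (const f of findPii(path)) {
    if (f.where === "(path)") {
      u.pathname = safeDecode(u.pathname).replace(new RegExp(EMAIL_RE.source, "gi"), "REDACTED");
    } else {
      u.searchParams.set(f.where, "REDACTED");
    }
  }
  return u.pathname + u.search;
}

// Audits a list of recorded page paths (e.g. exported from the Pages report) and returns
// the ones that leak personal data.
function auditPaths(paths) {
  return paths.filter((p) => findPii(p).length > 0);
}

// Sends a pageview with the scrubbed path and IP anonymization on. With anonymizeIp set,
// Google truncates the address (last octet of IPv4, last 80 bits of IPv6) before storing it.
function sendPageview(ga, trackingId, rawPath) {
  const page = scrubPagePath(rawPath);
  ga("create", trackingId, "auto");
  ga("set", "anonymizeIp", true);
  ga("set", "page", page);
  ga("send", "pageview");
  return page;
}

// Constructed sample paths, not data from any real site.
const SAMPLE_PATHS = [
  "/blog/gdpr-checklist",
  "/thanks?email=alice%40example.com&utm_source=newsletter",
  "/unsubscribe/bob@example.com",
  "/admin/debug?client=203.0.113.7",
  "/checkout/complete?order=10043",
];

// Walk-through with a recording stub in place of the real `ga` queue.
function demoScrub() {
  const calls = [];
  const ga = (...args) => { calls.push(args); };
  const leaking  = auditPaths(SAMPLE_PATHS);                         // three of the five
  const scrubbed = SAMPLE_PATHS.map(scrubPagePath);
  const sentPage = sendPageview(ga, "UA-000000-1", SAMPLE_PATHS[1]); // "/thanks?email=REDACTED&utm_source=newsletter"
  return { leaking, scrubbed, sentPage, calls };
}
```

On a live site you would call `sendPageview(window.ga, ..., location.pathname + location.search)` from the tracking snippet (or do the equivalent rewrite in a Google Tag Manager variable, as the Moz article describes); the audit function is the offline check to run over an export of your Pages report to see whether anything has already leaked.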
MailChimp and other data processors have updated their terms, privacy policies, and consent forms. MailChimp's privacy policy is a good example, and contains links to cookie consent and other terms of service: https://mailchimp.com/legal/privacy/?_ga=2.142101938.1601534922.1527014521-1158481100.1527014521
I would review third-party tools' terms and make any necessary changes. For example, under GDPR email subscription forms need a checkbox for the visitor to consent to every use of their personal data. If your newsletter tool uses tracking pixels to see when subscribers open or click a message, then you need a visible disclaimer before people subscribe. The same is true for any other forms on your site that request personal information. Examples include contact forms, comment forms, surveys, webinar registrations, and gated content that's often used in marketing automation to collect leads. Indeed, with the latter, you should consider whether you can still legally collect that info from EU residents.
Legal basis: You cannot process personal data just because you want to, or may need it in the future. You must have a legal basis for doing so, such as when it's necessary in the performance of a contract or transaction, or an individual has consented to completing a survey or subscribing to an email newsletter. In these cases the name, email and other personal information is necessary to complete the action. A whitepaper or free ebook, however, could be delivered by means other than email, and if email is the preferred mode, then once it has been delivered you do not necessarily have a legal basis for retaining that contact information. I'm not a legal expert and not providing legal advice here, but these are some of the questions to consider.
eCommerce, Affiliate Programs, and Securing Data
The GDPR says that companies must provide a level of protection for personal data that is appropriate to the risk. One step is to serve your website over HTTPS with a valid TLS certificate (commonly still called an SSL certificate). TLS encrypts data in transit so that credit card details and other personal data can't be read or altered between the visitor's browser and your server; enforce it sitewide with a redirect from HTTP, not only on the checkout and login pages. It does not protect data at rest, so also look at who in your organization, and which third parties, can access stored data.
If you use eCommerce platforms like Shopify then they have some additional guides available: https://help.shopify.com/manual/your-account/GDPR/GDPR-merchants
If you use WordPress, there are a number of WordPress plugins to assist with GDPR compliance. Search for GDPR plugins, or take a look at this all-in-one option:
https://wordpress.org/plugins/gdpr/
Processes for Data Management and Governance
Individuals have a right to ask if you have their data, and you need to respond (normally within one month) whether or not you do, why you have it, what categories of personal data you have, how it's accessed or shared, and how long you plan on keeping it. They also have the right to request fixes to their data, they can ask for a copy of their data, and they can ask that their data be deleted (the right to be forgotten).
This GDPR in Plain English post from Varonis is a great read: https://blog.varonis.com/gdpr-requirements-list-in-plain-english/
And here's that ICO self-assessment checklist again:
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/controllers-checklist/
In Summary
Don't panic.
- Know what personal data you hold, where it comes from, and who you share it with.
- Be sure you have a legal basis for processing personal information.
- Communicate this information thoroughly in privacy policies and consent forms.
- Ensure data is securely managed by your organization and review terms from your data processors. Common tools include Google Analytics, Facebook Ad Platform, MailChimp, AdWords, DoubleClick, Shopify, and WordPress. Also consider where you store personal information if your company uses tools like Dropbox or Google Sheets.
- Have a plan for responding to requests from EU residents in regards to their data.
Again, this isn't legal advice. If I've got it wrong, please chime in with corrections in the comments. Or if you have other valuable resources, please share.