How To Ensure Your Small Business Website is GDPR Compliant

Big changes are afoot for online privacy and data collection in the European Union, and the impact of the new rules will be felt by brands and businesses around the world.

Starting May 25, the EU’s General Data Protection Regulation (GDPR) comes into effect. The law is designed to give EU citizens greater control of the personal data that is collected and stored by apps and websites. Besides spelling out how that information may be gathered and processed, the law also expands the definition of what constitutes personal data.

Violators will face stiff fines that could exceed 20 million euros. The law applies extraterritorially, meaning businesses can be found liable even if they're not based in an EU member state or doing direct business there.

Personal information

Broadly speaking, you will need to be compliant with GDPR if your app or website collects personal information – anything that can be used to identify an individual user. Such information includes names, postal and email addresses, IP addresses, location data, cookies (the files many sites use to tailor unique user experiences), a mobile phone’s advertising identifier, or unique medical information.


Obtaining proper consent is a central plank of GDPR compliance. It will be unlawful to link consent with access to an app, website, or online service, meaning you can’t deny EU citizens your content if they don’t agree to share their data.

Those who give consent must do so explicitly and with a positive act, such as by clicking a box or entering information into a form. The language used when requesting consent must be plain and clear, and an option for users to withdraw is required.

Certain exceptions to these rules apply. If the information is necessary for the normal functioning of your site or app, or if collecting it is in the customer’s legitimate interest, the data may be collected without consent. The same is true if the information is collected anonymously, or in accordance with legal requirements.

Perhaps the simplest way to obtain consent from website visitors is by using what’s known as a cookie bar. This graphic bar should briefly explain why your site uses cookies, offer a link to more detailed information, and request a user’s permission to have their cookies recorded.

When dealing with customers on mailing lists, it will likely be necessary to send a message to everyone in your database and request their consent for continued data collection and storage. EU citizens who do not respond to that email must be deemed to have denied their consent and must be removed from your list.


Social media giant Facebook, which recently dealt with damaging privacy revelations of its own, has indicated it is extending some GDPR regulations to cover its global user base. That means all businesses who advertise on Facebook must change their practices concerning user data, whether or not they market to EU citizens. Basically, businesses who are using custom audiences or pixel tracking to target their ads must obtain express consent before retargeting their audience via Facebook.

This policy applies not just to new contacts and customers, but to anyone already in your database who has not already provided their consent. Again, the most straightforward approach is likely to contact everyone on your current email list and request consent, then remove anyone who does not reply. You’ll also be obliged to tell new contacts that you’re collecting data and what you do with it, give them the option to withdraw, and erase their data if they do.


Businesses that make use of Google's suite of online tools, such as Analytics, AdWords, and related advertising programs, also need to prepare themselves for the effects of GDPR. Google recently launched a dedicated site with answers and information for website owners seeking to comply with the incoming legislation. The company also updated its EU User Consent Policy, making publishers responsible for the collection of valid consent for personalized ads and cookies whenever legally required.

Also new from Google are changes to Data Retention controls, allowing Google Analytics users to better control their storage of collected information. A tool that will help users manage the deletion of individual site visitor data is also in the works.

If the only reason you collect information through Google Analytics is to track your website’s performance, you do not need to obtain user consent to do so. However, if you intend to use the data for profiling, targeted advertising, or other commercial purposes, you must obtain consent beforehand.

Before May 25, audit your website data to make sure you know whether Personally Identifiable Information (PII) is being collected and shared with Google Analytics. Now is also a good time to update your privacy policy to clearly and comprehensively explain how and why user data is being collected and processed, and to identify any third-party services that will have access to that information.
