I don’t know about you guys, but I’m getting pretty sick of being notified about updated privacy practices for every website I visit. As annoying as it is, it’s no coincidence: it’s an early sign of an extremely important piece of legislation coming into force in the EU, the General Data Protection Regulation, or GDPR for short. And if you think it will only affect sites and businesses in the EU, you’re very wrong.
The GDPR and You
So here’s how it works. The regulation applies to any site that offers goods or services to, or monitors the behaviour of, people in the EU, whether or not the site itself is based there. Liability falls almost entirely on the website or company, not on the visitor, even when that visitor was never the audience the site meant to target. Because of this, most experts consider taking some steps to keep your site out of violation a vital first step. So this is definitely something to be concerned with, but what’s actually under scrutiny here?
Here are the main points that you’ll need to know:
- Visitors must actively opt in before their personal data is collected. This includes cookies that track their behaviour across sessions, email addresses, payment card details and other data tied to an individual. (Consent is the lawful basis this post focuses on; the regulation also recognises others, such as processing that is necessary to fulfil a contract the user entered into, which is what covers taking a card payment for an order.)
- “Opting in” means the user has to take an affirmative action to agree. Implied consent, such as “by using this website you agree to our terms,” is NOT compliant.
- Check boxes that give consent to collect data for any purpose, such as an email subscription, CANNOT be pre-checked. Users must explicitly opt-in.
- Users must be able to see the personal data that has been collected about them, AND they must be able to ask at any time for it to be deleted (the right to erasure), subject only to limited exceptions such as records you are legally required to keep. You need a working procedure for both requests.
- User data, tracking cookies, email addresses and anything else that identifies or describes a specific individual is protected: to collect it, you must let users opt in to that collection.
- IP addresses count as personal data and are therefore protected.
And What’s Not
- Aggregated, non-personalized site behaviour data is not protected. Google Analytics accommodates this with its IP Anonymization setting, which truncates the address (the last octet of an IPv4 address, the last 80 bits of an IPv6 address) before it is stored. Turn it on if you use Analytics, but note that it only takes care of the IP address: the Analytics cookie still identifies a browser across sessions, so it falls under the opt-in rule above.
- Also, the regulation protects people who are in the EU, not EU citizens wherever they happen to be, so an EU citizen travelling in the US is not covered while there.
What You Can Do
This seems like a lot, and you might be asking yourself, “does it even matter to me?” The answer is yes: you’re exposed if you aren’t prepared. Here are some relatively easy steps to make sure you’re ready for the incoming regulation:
- Revise your privacy policy to account for the GDPR. Plenty of lawyers specialise in this, and your hosting provider may already be working on it as well.
- Ensure that every form on your site that collects personal data asks for explicit consent.
- Turn on Google Analytics’ IP Anonymization
- Prepare a documented procedure for retrieving a user’s personal data on request
- Prepare a documented procedure for deleting a user’s personal data on request
- If you’re collecting email addresses for a subscription, consider a second, explicit opt-in: an unchecked box the user must tick before submitting, rather than treating the submit button alone as consent.
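The steps above fit together as one small piece of server-side plumbing: capture consent from an unchecked box only, refuse tracking and subscriptions without it, anonymize IP addresses in your own logs the same way Analytics does, and have one place that can export or delete everything held about a person. Here is that plumbing as an added example, written for this article and not taken from the original post or from Google; the in-memory store, the user ids, the `consent_<purpose>` form field names and the sample addresses are all constructed for the example.

```javascript
// Added example (not from the original post): consent capture, gated tracking,
// IP anonymization for your own logs, and access/erasure handlers.
// The in-memory store, user ids, form field names and sample addresses are
// all constructed for the example.

// Each purpose for which personal data is processed needs its own opt-in.
const PURPOSES = ["analytics", "newsletter"];

// Initial form state: every consent box unchecked. Rendering any of these as
// pre-checked is what the post says is not compliant.
function defaultConsentForm() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Build a consent record from submitted form fields. Only a box the user
// actually ticked ("on" from a browser form post, or true) counts. An absent
// field or an "implied" flag from a "by using this site you agree" banner
// grants nothing.
function recordConsent(userId, formFields, now = new Date()) {
  const granted = PURPOSES.filter((p) => {
    const v = formFields[`consent_${p}`];
    return v === "on" || v === true;
  });
  return { userId, granted, recordedAt: now.toISOString() };
}

function consentAllows(record, purpose) {
  return Boolean(record) && record.granted.includes(purpose);
}

// Same rule Google Analytics applies when IP anonymization is on: zero the
// last octet of an IPv4 address, or the last 80 bits of an IPv6 address.
// Apply it before an address is written to any log you keep yourself.
function anonymizeIp(ip) {
  if (ip.includes(":")) {
    const parts = ip.split("::");
    if (parts.length > 2) throw new Error("invalid IPv6 address");
    const headGroups = parts[0] ? parts[0].split(":") : [];
    const tailGroups = parts[1] ? parts[1].split(":") : [];
    const missing = 8 - headGroups.length - tailGroups.length;
    if (missing < 0 || (parts.length === 1 && missing !== 0)) {
      throw new Error("invalid IPv6 address");
    }
    const groups = [...headGroups, ...Array(missing).fill("0"), ...tailGroups];
    if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) {
      throw new Error("invalid IPv6 address");
    }
    // Keep the first 48 bits (three groups), zero the remaining 80.
    return [...groups.slice(0, 3), "0", "0", "0", "0", "0"].join(":");
  }
  const octets = ip.split(".");
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error("invalid IPv4 address");
  }
  octets[3] = "0";
  return octets.join(".");
}

// Minimal in-memory stand-in for the site's database.
class UserDataStore {
  constructor() {
    this.consents = new Map();
    this.profiles = new Map();
    this.events = [];
  }
  saveConsent(record) {
    this.consents.set(record.userId, record);
  }
  // Analytics hit: refused without consent; the IP is anonymized before storage.
  trackPageView(userId, path, clientIp) {
    if (!consentAllows(this.consents.get(userId), "analytics")) return false;
    this.events.push({ userId, path, ip: anonymizeIp(clientIp) });
    return true;
  }
  // Newsletter signup: refused unless the newsletter box was ticked.
  subscribe(userId, email) {
    if (!consentAllows(this.consents.get(userId), "newsletter")) return false;
    this.profiles.set(userId, { email });
    return true;
  }
  // Right of access: everything held about one user, in one place.
  exportUserData(userId) {
    return {
      profile: this.profiles.get(userId) || null,
      consent: this.consents.get(userId) || null,
      events: this.events.filter((e) => e.userId === userId),
    };
  }
  // Right to erasure: remove profile, events and the consent record itself,
  // so later tracking calls for this user are refused again.
  deleteUserData(userId) {
    this.profiles.delete(userId);
    this.consents.delete(userId);
    this.events = this.events.filter((e) => e.userId !== userId);
  }
}

// Walk-through on constructed input: analytics box ticked, newsletter left unchecked.
const store = new UserDataStore();
const form = { consent_analytics: "on", implied: true };
store.saveConsent(recordConsent("user-42", form));
console.log(store.trackPageView("user-42", "/pricing", "203.0.113.77")); // true
console.log(store.subscribe("user-42", "someone@example.com")); // false
console.log(JSON.stringify(store.exportUserData("user-42")));
store.deleteUserData("user-42");
console.log(store.trackPageView("user-42", "/pricing", "203.0.113.77")); // false
```

Two design points worth keeping when you adapt this to a real database: consent is checked at the point where data is written, not only in the UI, so a stale banner or a hand-crafted request cannot slip tracking through; and erasure removes the consent record as well as the data, so the gate closes again without any further code path having to remember the deletion.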
Ok, now here’s the most terrifying part: the GDPR goes into effect on May 25th, 2018. If your site isn’t ready by that date, don’t push the panic button, but you should definitely push the “doing something about it” button. This legislation will largely be policed by lawyers and by users who set out to test how effective the law is. Non-compliant sites in the EU will likely be the first targets, and many still wonder what the repercussions or reach of this untested legislation will be; the regulation itself allows fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. The best and safest course of action is to start planning now. Waiting is betting that when the shoe drops, it won’t drop on you.