The countdown has already begun! The General Data Protection Regulation (GDPR), i.e. the European Union’s new privacy law, will be effective from 25th May 2018! Just about a week to go!
It is a big deal! Non-compliance can lead to a fine of up to €20 million or 4% of your organization’s total global revenue of the preceding financial year (whichever is higher).
I am sure you might have a lot of questions running through your mind:
- What is GDPR?
- Should I comply?
- How to comply? Etc.
In this post, I’ll cover all the details of GDPR that may apply to you and some easy ways to get GDPR compliant.
DISCLAIMER: This is just an informative post about GDPR. Please note that this is not a legal article. GDPR application differs for different individuals and organizations as per the data they process and handle. You are advised to seek a legal counsel that specializes in GDPR and e-privacy regulation to ensure that your website and organization complies with the regulations stated therein.
What is GDPR?
The General Data Protection Regulation is a regulation that aims at protecting users’ private data like the name, email ID, location, IP address, GPS location, cookie identifiers, etc. It is made specifically with respect to the data of EU citizens.
According to this law, no organization, irrespective of the location it is based in, is supposed to collect user data or process it without the user’s consent. GDPR also goes beyond just user consent; you can do a self-assessment by using the assessment guide. Take a look at the Data Protection Self Assessment published here.
Let’s take a real-world example to understand GDPR
Zak lives in Germany and is accessing a website that is based in the US. He comes across an opt-in form on the website. What are the rights granted to him through GDPR?
The right to be informed: Zak has the right to know what information will be stored, where it will be stored and how it will be used in the future. The website owner needs to make sure that he has a well-written and easy to understand privacy policy in place. (Section 2 Articles 13 & 14)
The right to access: Zak can contact the website owner anytime to know where the data is being processed. He can also ask for a copy of the same. It is the website owner’s duty to provide the information Zak has asked for, free of charge, depending on the conditions mentioned in the article. (Section 2 Article 15)
The right to rectification: Zak has the right to rectify the data he submitted earlier. He can either choose to modify the existing data or complete the incomplete information stored earlier. Although a website owner needs to allow this in most of the cases, he too has a right to reject such a request with respect to Article (5)(1)(d). (Section 3 Article 16)
The right to erasure: In circumstances such as the data no longer being needed for the purpose it had been collected for, or Zak taking away his consent to share data, Zak can ask you to delete his data at your end. This is also known as the right to be forgotten, which means that Zak can contact website owners, verbally or in writing, and request that his personal data be deleted. (Section 3 Article 17)
The right to restrict processing: Zak has the right to request a website owner to stop processing his data. Although the controller (website owner) can keep the data, he cannot process it at all. Here too, the website owner can reject a request depending on the reason the user has stated. (Section 3 Article 18)
The right to data portability: This right states that Zak can access and reuse his personal data that he has submitted to a website. The purpose of this right is to allow individuals to access related applications and software through a single platform. This should be done in a way that is portable and safe. (Section 3 Article 20)
The right to object: Zak can object to his data being used for direct marketing or for a purpose that does not cater to his needs and interest. He may also object to his data being used for scientific or historical surveys, except for the ones carried out for reasons of public interest. (Section 4 Article 21)
As seen in all the rights above, Zak is an EU citizen and he gets all these rights. But what if your organization is not based in an EU country, and you would like to serve users like Zak? You HAVE TO be GDPR compliant and follow all the regulations mentioned therein.
Why Comply with GDPR?
GDPR is the new legal framework for data protection that will be enacted in the UK and the entire Europe. From May 25th, 2018 onwards, all organizations that serve EU citizens physically or deal with their personal data should abide by the GDPR (General Data Protection Regulation). The organizations failing to do so will have to face a huge fine of €20 million ($27,147,800.00 USD) or 4% of the worldwide annual gross revenue, depending on the violation.
Therefore, to avoid being fined and respect the privacy law, it is advisable for all organizations irrespective of their location to comply with GDPR in case they are serving EU citizens.
When should you comply with GDPR?
GDPR is a serious regulation that all the businesses serving EU citizens need to follow. Those that fail to do so can be fined depending on the offense.
Most importantly, website owners who cater to the following on their website need to make sure that their websites are GDPR compliant.
- Websites building an Email list
- Websites collecting user data for profiling, membership plans, etc.
- Websites using Google Analytics or any website analytics tool to track website visitors data such as location, IP address, etc.
In short, if your website collects any data that identifies a user, his location, IP address, cookies, etc., you are bound to comply with GDPR.
Things you need to do to Comply with GDPR
Although GDPR may sound like a simple data protection law applicable to websites serving EU citizens, there are a lot of factors one needs to look into. Let us take a look at some important things you need to look into right away.
COOKIE CONSENT
No organization is allowed to store or process any personal information without the user’s consent. Online identifiers like devices, applications, tools and protocols, IP address, cookie identifiers etc. could be used to identify a natural person and his whereabouts. Therefore, the law states that it is illegal to track user identifying cookies without the user’s consent.
Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. (Recital 30)
How to Implement Cookie Consent with Convert Pro?
Cookies in Convert Pro are used to offer better user experience i.e. track whether the form has already been submitted or closed so that the call-to-action is not shown again. You can manage cookies for a particular call-to-action using the respective settings in Convert Pro.
Further, if you want to turn off Convert Pro cookies completely and use them only with user consent, Convert Pro has filters to do so. There are a number of plugins that can be used. One of them is Cookiebot. This plugin helps you turn off cookies when the user denies consent. You can determine whether the user has denied permission to save cookies through the Cookiebot plugin and completely turn off Convert Pro cookies.
EMAIL CONSENT
According to the right to be informed, your users should know where and how you are going to use the data they submit through an opt-in form on your website. You need to obtain a user’s consent before storing and processing his data further. A consent can be obtained through a consent checkbox displayed on the form and a double opt-in feature too. Note: You are not allowed to display a pre-ticked consent checkbox on the opt-in form. The consent should include all the processes a particular set of data will be used for.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. (Article 4 (11) and Recital 25)
Let us take a look at a few sub-points that I wish to highlight when we talk about Email Consent.
Obtain an Active Consent
According to the law above, you need to obtain user consent and you can do so by including a consent checkbox in the opt-in form. (Note: This should not be pre-ticked. It will be counted as a silent consent and is not acceptable by GDPR.)
You can also obtain consent through a double opt-in feature provided by most of the email marketing service providers. Such emails ask users for a confirmation of their consent to save data and process it.
Separate Consent and Other Terms and Conditions
You need to be specific and precise as to what data you will be storing and the processes it will be used for. According to Recital 32, if there are multiple reasons for you to collect the data, you need to obtain consent for all of them.
Note: All this should be mentioned separately apart from the privacy policy and terms and conditions mentioned on your website. You should highlight them and let the users know what they are giving their consent for.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. (Article 7 (2)).
Record Proof of Consent
Just obtaining consent is not enough. You need to keep proof of what consent was given and when you obtained it. This data should be saved and accessible when asked for.
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to process his or her personal data. (Article 7 (1))
Allow Users to Withdraw Consent
You should allow users to withdraw their consent at any time. This means that they can opt out of a process or processes anytime they think it is no longer useful for them. According to the right to erasure and the right to restrict processing, a user can either request his data to be deleted or ignored in a certain process.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. (Article 7 (3))
Do not Restrict Lead Magnets
You cannot restrict your services to users based on their consent. This means that users should be able to access your free services and offers without giving in their consent to process their data further. If you are offering a lead magnet, make sure your users can download it even if they do not wish to give in their email ID.
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance. (Recital 43)
TAKE CONSENT THROUGH YOUR WEBSITE CONTACT FORM
Most of the websites have a contact form. This is the best medium through which a website visitor can get in touch with the owner. But, these forms too collect some personal information such as the visitor’s name, contact details, etc. This is why you will have to take user consent in case you wish to store user data and use it for a particular purpose.
Convert Pro too lets you create attractive contact forms that can be displayed with a popup or inline on a page. You can add a consent checkbox to your contact form too! In case you are using a third-party plugin to display a contact form, you will need to make sure that it is GDPR compliant.
Creating GDPR Compliant Contact Forms
Convert Pro allows you to create beautiful contact forms!
You can design a contact form by simply dragging and dropping the required form elements on the call-to-action. You can take a look at some of our contact form demos that we’ve created using Convert Pro. These are also available in the templates within the plugin. You can simply add a consent box and a link to your terms and conditions as explained in the doc here.
ENSURE OLDER CONSENT
You will need to check your previous methods of data collection and the consent received. If you’ve received consent as per the regulations set by GDPR, you need not worry. But, if not, it is better to get another consent from the existing users and the ones who will join your mailing list from now on.
Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. (Recital 171)
Run an email campaign informing users about the processes their data is being/will be used in. They can choose to confirm their consent or unsubscribe from the list. This will give you a stronger list of determined users who have given you their consent.
MANAGING GOOGLE ANALYTICS TRACKING
Google Analytics is a widely used tool to track website visitors and study their behavior. You might think that you aren’t collecting any personal information for Google Analytics. But, wait, GDPR states that any personal identifying information such as email ID, username, devices, IP address, cookie identifiers, etc. that can be combined to identify the person and his whereabouts is counted as personal information.
Google on its own Privacy Compliance website has mentioned that they’ll be working hard to prepare and comply with EU’s General Data Protection Regulation. But, you cannot rely on Google alone. You also need to take preventive measures at your end to make sure that your website is 100% GDPR compliant. Let us take a quick look at how you can deal with GDPR while using Google Analytics.
Audit your Data
You need to make sure that none of the data you track using Google Analytics contains personally identifiable information (PII). Even though we are mainly referring to GDPR now, transmitting personally identifiable information is also against the Google Analytics Terms of Service. Therefore, even if you are 100% confident, it is better to ensure that you aren’t transmitting any form of personal data to your Analytics account.
- Check your page URLs, titles and other data dimensions to see whether you are passing PII through them.
- Check whether you are collecting personal data through forms that pass information to Google Analytics too.
- Do not just use Google Analytics filters to avoid collecting such data. You will need to alter the code so that no such data is transmitted out from your website.
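One way to apply the checks above in code is to scrub page URLs and titles before they are handed to any analytics tool. This is an added example, not code from Convert Pro or Google; the parameter list, function names and sample URL are assumptions made for illustration.

```javascript
// Added example: remove PII from pageview data before it leaves the website.
// PII_PARAMS is an assumed list; extend it with the field names your forms use.
const PII_PARAMS = new Set(['email', 'e-mail', 'name', 'first_name',
  'last_name', 'phone', 'username']);
// Matches e-mail addresses, including ones whose "@" is percent-encoded.
const EMAIL_RE = /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const REDACTED = 'REDACTED';

// Replace every e-mail-like substring in free text (titles, paths).
function scrubText(text) {
  return String(text).replace(EMAIL_RE, REDACTED);
}

// Scrub path, query string and fragment; report where PII was found.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (PII_PARAMS.has(key.toLowerCase())) {
      findings.push(`query:${key}`);        // parameter name marks it as PII
      clean.append(key, REDACTED);
    } else {
      const scrubbed = scrubText(value);    // PII hidden in another parameter
      if (scrubbed !== value) findings.push(`query:${key}`);
      clean.append(key, scrubbed);
    }
  }
  url.search = clean.toString();
  const path = scrubText(url.pathname);
  if (path !== url.pathname) findings.push('path');
  url.pathname = path;
  const hash = scrubText(url.hash);
  if (hash !== url.hash) findings.push('fragment');
  url.hash = hash;
  return { url: url.toString(), findings };
}

// Build the only values that should ever be passed to the tracking call.
function sanitizePageview(pageUrl, pageTitle) {
  const { url, findings } = scrubUrl(pageUrl);
  const title = scrubText(pageTitle);
  if (title !== String(pageTitle)) findings.push('title');
  return { url, title, findings };
}

// Constructed sample: a thank-you page that leaks an address three ways.
const sample = sanitizePageview(
  'https://shop.example/thanks/zak@example.com?email=zak%40example.com&q=contact+zak@example.com',
  'Thanks, zak@example.com!');
console.log(sample.url, sample.title, sample.findings);
```

A non-empty `findings` list during testing points at the page or form that needs fixing at the source; the scrubber is a safety net, not a replacement for that fix.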
Turn on IP Anonymization
According to GDPR, IP addresses are also considered personally identifying information. Although Google Analytics does not display IP addresses in reports, it uses them to track the user’s geolocation. To comply with GDPR, it is recommended to turn on the IP Anonymization feature in Google Analytics. This will require some code changes that will remove the last octet from an IP address (for example, an IP address may look like this: 123.123.123.0, where the last octet is replaced with a ‘0’). Learn more about IP Anonymization in Analytics and how to anonymize IP.
Data Retention Control
Google has introduced the data retention control that allows you to determine how long you wish to store data within Google Analytics. It lets you set a specific period for which you can store data in your Analytics account. This data will be deleted permanently after the period expires.
Post 25th May 2018, all user data along with events that are older than your retention settings will be deleted permanently.
It is therefore recommended to review and confirm these settings through Property -> Tracking Info -> Data Retention. You can read more about the Data Retention Controls in Google Analytics.
Checklists to make sure your website is GDPR Compliant
GDPR is vast and it’s difficult to keep everything in place. But miss one thing and you’ll need to pay a huge fine. Therefore, we’ve found a set of checklists that you can refer to in order to check whether your website is GDPR compliant.
- Checklist for Consent
- Checklists for Individual Rights
  - Right to be informed
  - Right of access
  - Right to rectification
  - Right to erasure
  - Right to restrict processing
  - Right to data portability
  - Right to object
Final thoughts
GDPR is not just a regulation meant to obtain user consent. You need to look into all the points mentioned above. However, as mentioned, this is not a legal platform and therefore you cannot 100% rely on just these factors. It is recommended to take adequate legal help with reference to all the articles and recitals under GDPR.
Are you already using Convert Pro and wondering whether it is GDPR compliant? Well, yes, it is! You can refer to our blog post that explains some easy methods to comply with GDPR while using Convert Pro.
Is there something more you wish to say? Please feel free to comment below.