Running a business is hard. Every day it seems there is something new that we have to take care of. Whether we like it or not, rules and regulations are in place to help all of us. If you couldn’t guess from the title – yes, I am talking about the new GDPR (General Data Protection Regulation). Today, we’re going to go through two cases of websites that need to address these new regulations:
You’ll learn that even though this is European law, you need to review the following areas even if your website is in the US:
- Area to Review #1 – General Google Analytics
- Area to Review #2 – Google Analytics with Demographics or Retargeting Enabled
- Area to Review #3 – Display Advertising on Your Site
- Area to Review #4 – Newsletter Sign-up or Lead Generation Form
- Area to Review #5 – Purchases
It goes without saying that this is not legal advice. We advise that if you are within the EU, or if you market heavily to EU residents, you work with local legal advice on all of your steps. In many cases these are the most basic steps. If you are a company with over 250 employees, are located in the EU, or have any concerns about the fines of €20 million and more, it is a good idea to talk to your attorney and privacy professionals.
Case #1 – Local US Website
If your website is local to the US and you only market to people in the United States, you can take a little bit of a breath. This case applies to, for instance, the website of a local company in Utah that performs HVAC and plumbing services. While it is of course possible that someone within the EU could come to your website, sign up for your newsletter or order your services, you are not actively marketing to that audience.
Why only a little bit of a breath? If you haven’t noticed, here in the United States and everywhere else, citizens are a little fed up with the amount of data being spread around. Think about it – there may be advertisers making more money off the data generated by your website and social media profiles than you do. I suggest you start to look at the regulations in place in Europe and prepare yourself.
At the same time, there is nothing wrong with bypassing the need for regulation by being completely transparent to your users about how you are using their data.
Case #2 – Publisher, International Site, Lead Generation
A great example of this case is a blogger who both sells and buys ads. Let’s say you’re an influential blogger who offers advertising opportunities on your site for your own revenue, and you also spend on ads you purchase for yourself. Additionally, you offer users a monthly subscription to receive curated recipes.
As you might have guessed, you have some work that needs to be done. There are some amazing guides out there explaining all the rules down to the nitty-gritty details, so we link to them further on in this article. Instead of walking you through every step you may need to take, we’ll give you areas to review based on the functionality of your website.
One option you have is to simply disable all of this functionality. It is not a great option. You probably want to continue to get the wonderful metrics that Google Analytics, Google AdWords, DoubleClick, retargeting audiences and similar tools can give you. The following areas will help you get prepared.
Area to Review #1 – General Google Analytics
Your old “Plain Jane Google Analytics”, where you have simply placed the analytics code onto your pages, is 99% A-Okay as is. As a data controller, Google has the responsibility to make sure that it is compliant. While Google is a little late in the game of disclosing exactly what it is doing, it would be a lawsuit for the ages if it simply did nothing. That being said, there are still a few things we think you should do to be ahead of the game. Click here for detailed DIY setup instructions. In short, you must do these three things:
Step 1 – Accept and Sign Policies
Step 2 – Set User Retention Policy
Areas to Review #2 & 3 – Google Analytics with Demographics or Retargeting Enabled & Display Advertising on Your Site
If you do NOT want to notify users, and also don’t want to be fined, please go to Step 4 of our Google Analytics DIY Guide for GDPR. The rest of you, data-driven marketers, please keep reading here.
Step 1 – Install a Cookie Consent Solution
Until someone gets behind this, you are and will be seeing many more banners like the following:
Note that Marketing is not checked. For third-party data sharing such as marketing, the user must:
- Explicitly check the box (Opt-In)
- Accept (or Press OK) or have an obvious means of approval
There are quite a few players in the game that you can work with to provide pop-up notifications for your users. We recommend Cookiebot or iubenda (discount included) for most websites, or Cookie Notice by dFactory for WordPress.
Under the GDPR, the privacy information you give users must be:
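As an added illustration (not code from this post, nor from Cookiebot, iubenda or dFactory), here is how a site can enforce the opt-in rule in its own tag loading rather than trusting the banner alone: statistics and marketing tags stay off until the visitor has both checked the box and pressed Accept, and only a literal checked value counts, so a pre-ticked default, a missing key or a string like "true" never grants consent. The cookie name `site_consent`, the consent record shape and the tag catalogue are assumptions made for this example.

```javascript
// Added example, not code from the original post or from any consent
// vendor named in it: gate third-party tags on an explicit opt-in record.
// The cookie name, the consent record shape and the tag catalogue below
// are assumptions made for this illustration.

const CONSENT_COOKIE = 'site_consent'; // assumed cookie name

// Starting state for a new visitor: nothing pre-checked, nothing accepted.
const DEFAULT_CONSENT = Object.freeze({
  necessary: true,   // strictly necessary cookies need no opt-in
  statistics: false,
  marketing: false,
  accepted: false,   // user has not pressed OK / Accept yet
});

// Assumed tag catalogue for a site like Case #2. Which category a given
// tag belongs to is a decision for you and your legal advisor.
const TAGS = [
  { id: 'session-cookie', category: 'necessary' },
  { id: 'ga-basic', category: 'statistics' },
  { id: 'ga-demographics-remarketing', category: 'marketing' },
  { id: 'display-ads', category: 'marketing' },
];

// Only a literal boolean true counts as a checked box. Strings such as
// "true" or "1", or a missing key, never grant consent.
function normalizeConsent(raw) {
  const src = raw && typeof raw === 'object' ? raw : {};
  return {
    necessary: true,
    statistics: src.statistics === true,
    marketing: src.marketing === true,
    accepted: src.accepted === true,
  };
}

// Categories whose tags may run. A checked box means nothing until the
// user has also pressed Accept; until then only necessary tags run.
function allowedCategories(rawConsent) {
  const c = normalizeConsent(rawConsent);
  const allowed = ['necessary'];
  if (!c.accepted) return allowed;
  if (c.statistics) allowed.push('statistics');
  if (c.marketing) allowed.push('marketing');
  return allowed;
}

// Ids of the tags that may be injected for this consent record.
function tagsToLoad(rawConsent, tags = TAGS) {
  const allowed = new Set(allowedCategories(rawConsent));
  return tags.filter((t) => allowed.has(t.category)).map((t) => t.id);
}

// Read the consent record back from a Cookie header / document.cookie
// string. Absent or unparseable values fall back to DEFAULT_CONSENT.
function parseConsentCookie(cookieString) {
  const prefix = CONSENT_COOKIE + '=';
  const part = (cookieString || '')
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(prefix));
  if (!part) return DEFAULT_CONSENT;
  try {
    return normalizeConsent(JSON.parse(decodeURIComponent(part.slice(prefix.length))));
  } catch (e) {
    return DEFAULT_CONSENT;
  }
}

// Build the Set-Cookie value to store once the user presses Accept.
// Max-Age is 180 days; the attributes are an assumed sensible default.
function serializeConsent(choices) {
  const c = normalizeConsent({ ...choices, accepted: true });
  const value = encodeURIComponent(JSON.stringify(c));
  return `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Inject the allowed tags. `inject` is pluggable so the logic can be
// exercised outside a browser; in a page it would append <script> tags.
function loadTags(cookieString, inject, tags = TAGS) {
  const ids = tagsToLoad(parseConsentCookie(cookieString), tags);
  ids.forEach((id) => inject(id));
  return ids;
}
```

In a real page the banner's Accept handler would call `serializeConsent` with the state of the checkboxes and write the result to `document.cookie`, and the page head would call `loadTags(document.cookie, injectScript)` on every load; until that cookie exists, only the necessary tag runs.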
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
It must therefore contain answers to the following:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
Luckily, there are a few solutions out there. We liked the ease, look and feel of iubenda.com (discount code included with the link), so we got a policy for under $30/yr for our own site.
Area to Review #4 – Newsletter Sign-up or Lead Generation Form
Chances are extremely high that you are collecting one, if not many, of the items the EU and several other institutions have defined as “PII” (personally identifiable information).
Now quite honestly, this should have been common sense a long time ago. There have been too many iffy companies capturing email addresses with zero transparency around what is being done with them. We applaud the EU for making this a higher priority.
The new regulations require that the user actively opts in (no pre-checked boxes). There are also requirements for you to allow the user to unsubscribe from each communication that you have with them. Further, you have to give them the ability to ask for their data to be deleted altogether. Many of the top plugins that you may use for opt-in lead generation are likely working to build this functionality into their systems. eConsultancy has put together 10 examples of best-practice UX for obtaining marketing consent.
Area to Review #5 – Purchases
If you perform transactions on your website, whether for subscriptions or products, it goes without saying that you are collecting all kinds of personally identifiable information about your customers. This falls under the same category as a newsletter subscription: you must notify the user about how you expect to use the information in the future, and you must also have tools available to delete the data if asked.
It is important to note that basic transactional functionality is addressed in the GDPR. You have the right to essentially require the user to provide information when it is necessary for you to do business with them.
Within Google Analytics, the required changes are minimal. That being said, if you are taking full advantage of what the internet has to offer, data about your customers is being collected and shared. As a responsible business owner, you want to protect the rights of your users.
Some people have said that this whole chapter feels a bit like the Y2K debacle. In some ways it does, but as Jeff Sauer stated: “even Y2K made companies look at the way they stored and were processing data.” There are plenty of differences, too:
- This is law, not optional
- This is for the overall good of the Internet
- This will force business owners to look at all their data, and perhaps find some amazing opportunities along the way
Please note that this article is not legal advice. We advise that if you are within the EU, or if you market heavily to EU residents, you work with local legal advice on all of your steps.
We have partnered with one of our agency friends, JSMM + VBM to offer packages starting at $1500 to work with a licensed GDPR attorney and DPO to update privacy policies, compliance matters, email form updates, etc.