GDPR: Laying Down the Law on Consent, Communication and Cookies

By Morgan South and Brynne McGarry

As of Friday May 25, the General Data Protection Regulation (GDPR) formally went into effect, and big companies are already feeling the pain. Privacy advocacy group Noyb lodged formal complaints against Google and Facebook on day one for violating privacy terms, with similar organizations promising to file complaints with other digital giants, such as Skype, WhatsApp and Instagram. In general, sanctions for violating the GDPR range from warnings and regular data audits to fines of up to 20 million euros or 4 percent of global revenue.

Wait, back up, what’s GDPR?

The General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). To break it down in simpler terms, its goal is for the EU to standardize privacy legislation throughout Europe and raise the bar for how marketers are collecting, storing and using users’ personal information.

Okay, cool — but I’m not in Europe, so I don’t need to do anything, right?

Wrong. Even if you’re not a European citizen, your business is not based in the EU, and neither you nor your IP address has ever visited Europe, if anyone in the EU interacts with your website or uses your business, you need to be up to speed on the GDPR.

In fact, you need to be compliant if any of the following conditions apply to your site or business:

  • You translate your site into a non-English language spoken in the European Economic Area (EEA)
  • Your site uses a two-letter country domain of an EEA country (.uk, .fr, .de, etc.)
  • You are displaying prices or accepting payment in euros or other European currencies
  • You are shipping products to customers in the EEA
  • You are marketing to persons in the EEA through direct email
  • You are monitoring or tracking online behavior of EEA residents to serve targeted ads

With such steep consequences and broad scope, it’s key to understand what meeting these regulations means for your business. We’ve laid out a quick cheat sheet of items to consider here for site browsing, email communications and data collection — but please seek your individual organization’s legal guidance when making decisions involving GDPR compliance!

Browsing your website?

Whether you’re a huge e-commerce site or a small personal blogger, chances are you’re collecting user information or using third-party services to track cookies on your website, and those practices need to comply. The key takeaway for implementing compliance on your site is clearly identifying what data you’re processing and how you are protecting your consumers’ privacy.

Here’s a list of key considerations:

No more cookies — at least not without consent. Anyone accessing your site, specifically within the EU, should have a clear option to click and enable the use of cookies while browsing your site.

How about some cookies, but not every variety? That works! Consider setting up privacy preferences that allow users to opt in to the use of group cookies, i.e. those for stats and analytics, marketing, or preferences.
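The per-category opt-in described above is easiest to reason about as a small gate in front of every non-essential script. The following is an added example, not code from the original post: the cookie name, the category names and the script list are assumptions, and the logic is the point. Nothing outside the "necessary" category runs until the visitor has recorded an explicit choice, each category is stored and checked separately, and a missing or malformed consent cookie is treated as no consent.

```javascript
// Consent-gated loading of non-essential scripts (added example; names are assumptions).
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['statistics', 'marketing', 'preferences'];

// Tagged scripts: each non-essential tag names the category that covers it.
const SCRIPTS = [
  { src: '/js/app.js',         category: 'necessary' },
  { src: '/js/analytics.js',   category: 'statistics' },
  { src: '/js/ad-pixel.js',    category: 'marketing' },
  { src: '/js/theme-prefs.js', category: 'preferences' },
];

// Parse the consent cookie out of a Cookie header or document.cookie string.
// Returns null when no valid choice has been recorded yet.
function parseConsent(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join('=')));
      if (parsed && parsed.categories && typeof parsed.categories === 'object') return parsed;
    } catch (e) {
      // Malformed cookie: fall through and treat it as no consent.
    }
  }
  return null;
}

// Which categories may run: "necessary" always, the rest only if explicitly true.
function allowedCategories(consent) {
  const allowed = new Set(['necessary']);
  if (!consent) return allowed;
  for (const c of CATEGORIES) {
    if (consent.categories[c] === true) allowed.add(c);
  }
  return allowed;
}

// The script sources that may be injected for this visitor.
function scriptsToLoad(consent, scripts = SCRIPTS) {
  const allowed = allowedCategories(consent);
  return scripts.filter(s => allowed.has(s.category)).map(s => s.src);
}

// Serialize the visitor's explicit choice. Unchecked categories are stored as
// false rather than omitted, so the record shows what was offered and declined.
function buildConsentCookie(choices, now = new Date()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  const value = { version: 1, categories, at: now.toISOString() };
  const encoded = encodeURIComponent(JSON.stringify(value));
  return `${CONSENT_COOKIE}=${encoded}; Path=/; Max-Age=15552000; SameSite=Lax`;
}

// In a browser the page would run roughly:
//   scriptsToLoad(parseConsent(document.cookie)).forEach(injectScriptTag);
// and write buildConsentCookie(choices) to document.cookie when the banner is submitted.
```

Note that the check is `=== true`, so a cookie that has been tampered into `"marketing": "true"` (a string) still does not unlock the marketing category.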

Read (and update) the fine print. Privacy policies and statements are worth reviewing and updating to ensure you’re clearly and adequately informing website visitors of the types of information you’re collecting and how you’re using it.

Poof, be gone. If at any time a user requests complete erasure of their data within your systems, you’ll have 30 days to meet that request. Be sure your users have a clear contact option to submit such requests and that your organization has dedicated processes for handling them.

Getting to know your audience?

If your site hosts forms that allow users to submit any personal information, you’ll also want to make sure those are up to standards. For GDPR compliance, users must explicitly check consent boxes that state your intentions to use and store their information. Additionally, clear language detailing how you’ll use and store those details is a must.

Here are some quick pointers on how to revise your current forms or build new ones to be in line with the new practices:

Don’t bundle consent. Provide separate check boxes allowing users to consent to each option — email, text messaging, agreement to terms and conditions, etc.

The days of prechecked consent boxes are over. Users will need to manually select all options they want to consent to. On the flip side, be sure you’re also keeping records of who is opting into what, as you’ll need to have that on file for housekeeping.

Where possible, reduce your form fields. If you really need just users’ names and email addresses to add them to your mailing lists, only ask for that information. As a plus, less input required to sign up typically results in higher form submission rates.
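The three form pointers above (separate boxes, nothing prechecked, a record of who opted into what) come together on the server side, where the submission is turned into a consent record. This is an added example, not the post's own code; the field names, the `value="yes"` convention for the checkboxes, the form identifier and the consent-text version are assumptions. Because browsers omit an unchecked box from the submission entirely, a purpose is granted only when its own field arrives with the expected value, which makes a prechecked or bundled default impossible to record by accident.

```javascript
// Server-side handling of a signup form (added example; names are assumptions).
const CONSENT_TEXT_VERSION = 'privacy-2018-05'; // assumed id of the wording shown to the user
const PURPOSES = ['email', 'sms'];              // optional purposes, one checkbox each

// A checked box is sent as its value attribute (assumed "yes"); an unchecked
// box is not sent at all, so absence means "not consented".
function isChecked(fields, name) {
  return fields[name] === 'yes';
}

function processSignup(fields, now = new Date()) {
  const errors = [];
  const email = (fields.email || '').trim();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) errors.push('invalid email');
  // Terms acceptance is its own mandatory box, never bundled with marketing consent.
  if (!isChecked(fields, 'accept_terms')) errors.push('terms not accepted');
  if (errors.length) return { ok: false, errors };

  // Each optional purpose is recorded separately, declined ones as false.
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = isChecked(fields, `consent_${p}`);

  // Data minimisation: only what the mailing list needs is kept.
  const record = {
    email,
    name: (fields.name || '').trim() || null,
    purposes,                        // who opted into what
    consentTextVersion: CONSENT_TEXT_VERSION,
    consentedAt: now.toISOString(),  // when
    source: 'newsletter-signup',     // where (assumed form id)
  };
  return { ok: true, record };
}

// Constructed sample submission: email consent ticked, SMS left unticked.
const SAMPLE_SUBMISSION = {
  email: 'ada@example.com',
  name: 'Ada',
  accept_terms: 'yes',
  consent_email: 'yes',
};

console.log(JSON.stringify(processSignup(SAMPLE_SUBMISSION), null, 2));
```

The resulting record is what you would keep on file: the purposes granted and declined, the version of the consent wording, the timestamp and the form it came from.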

Sending out email?

For email subscribers based anywhere in the EU, you’ll need their explicit consent to keep emails coming their way. If you don’t have consent or you’re not sure, your best bet is to set up a campaign to refresh or update your email subscribers’ explicit consent. However, instead of simply sending a reconfirm email blast, craft a strong, creative message that is tailored to your business and clearly puts your audience first.

Consider the items listed below for a start:

Communicate to your list. Send reminder emails (more than one, if needed) to opt back in, or incorporate a CTA to stay subscribed in an already-scheduled email.

Show off a little. Remind the user of the benefits of staying subscribed to your communications by showcasing what’s in it for them.

Give them an easy way out. We know you don’t want to see anyone go — however, unsubscribe and/or preference center options need to be clearly visible and easily accessible in each email.

Measuring or analyzing?

If you’re currently using a web analytics tool to collect data on your site’s users, there are a number of ramifications to be aware of.

Here are some of the most important:

Set an expiration date.

If your site uses Google Analytics data (even outside of the EU), you were asked to choose a data retention window prior to the GDPR going into effect. This selection determines how long Google will retain user-level data before permanently deleting it — options are 14, 26, 38, or 50 months, or “do not expire.” There is also a “reset on new activity” option, meaning each user’s data retention period starts from that user’s most recent visit to your site. There are no explicit requirements laid out in the GDPR for data retention — just be sure to only keep data for as long as needed, and lean toward shorter windows for sites with an EU presence. Note that aggregate data is not affected, just data that is stored at the individual user level.

Keep it anonymous.

You should review all web analytics data to ensure that no personally identifiable information (PII) is being recorded. This includes but is not limited to users’ names, email addresses and precise locations. Be sure to conduct a quick review of your reports to ensure that only anonymous user-level data is being captured. You can also take this a step further and turn on IP anonymization, a feature that, when enabled, retains most of the user’s IP address while never capturing or recording it in its entirety. This ensures you can continue to run geolocation reports while complying fully with GDPR requirements.
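To make the IP anonymization step concrete, here is an added example (not code from the post or from Google) of the truncation it describes, applied before any hit is written to storage: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed, which keeps enough of the address for coarse geolocation while never storing the full value. The 80-bit figure matches what Google documents for its feature; the hit format and the sample hits are constructed for this example.

```javascript
// Truncate an IP address before storage (added example; hit format is assumed).

// Expand an IPv6 address into its 8 hex groups, or return null if it is malformed.
function expandIpv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) return null; // more than one "::" is invalid
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const groups = parts.length === 2
    ? [...head, ...Array(Math.max(0, 8 - head.length - tail.length)).fill('0'), ...tail]
    : head;
  if (groups.length !== 8 || !groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups;
}

// IPv4: zero the last octet. IPv6: keep the first 48 bits, zero the last 80.
// Returns null for anything that is not a valid address.
function anonymizeIp(ip) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    const octets = ip.split('.').map(Number);
    if (octets.some(o => o > 255)) return null;
    octets[3] = 0;
    return octets.join('.');
  }
  const groups = expandIpv6(ip);
  if (!groups) return null;
  const kept = groups.slice(0, 3).map(g => g.toLowerCase().replace(/^0+(?=.)/, ''));
  return `${kept.join(':')}::`;
}

// Apply the truncation to a batch of hits; an unparsable address is dropped
// rather than stored as-is.
function anonymizeHits(hits) {
  return hits.map(h => ({ ...h, ip: h.ip ? anonymizeIp(h.ip) : null }));
}

// Constructed sample hits, as they might arrive from a collector.
const SAMPLE_HITS = [
  { page: '/pricing', ip: '203.0.113.77' },
  { page: '/blog',    ip: '2001:db8:85a3::8a2e:370:7334' },
  { page: '/',        ip: 'not-an-ip' },
];

console.log(anonymizeHits(SAMPLE_HITS));
```

Run this on the way in, not as a later cleanup: once the full address has been written to a log or analytics store, the retention window from the previous point applies to it too.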

Watch your traffic.

Be aware that in the EU, web analytics tools can only capture data for users who have consented to cookies. The specific effects of cookie opt-ins on your site’s data can vary, but do not be surprised if you notice declines in traffic post-GDPR compliance, especially if you have a large EU presence.

The gist

GDPR may sound overwhelming, but the goal of better protecting consumers’ personal information is key in the digital age we live in. Remember to communicate your intentions clearly to your audience, require their consent, and keep them anonymous, and you’ll likely stay out of courthouse dramas with the European Union.
