The new European General Data Protection Regulation (GDPR) applies from 25 May 2018 and brings with it a risk of serious fines for non-compliance. Bringing a company and its online channels in line with GDPR is usually a major undertaking, which is why there has been a two-year transition period since the regulation entered into force in May 2016. But let's be realistic: a lot of companies are still not ready for GDPR, or are currently working at full speed to become compliant by May 2018. In this blog post, we show you five quick fixes for your website that take a major step towards GDPR compliance.
1. Add a Cookie Banner
GDPR stipulates that the user must be informed about the storage of personal data. This includes, amongst other things, IP addresses and online identifiers such as those stored in cookies. The collection, processing and storage of personal data also requires a legal basis, which for tracking and marketing cookies is in practice the consent of the data subject (the user). The European e-Privacy Directive of 2002 (as amended in 2009) exempts only cookies that are strictly necessary to deliver a service the user has requested; every other cookie, including functional and tracking cookies, requires that the user is clearly informed and consents. Several member states have accepted consent implied by continued use of the site as long as the information is clearly given, which is what led to the now familiar cookie banners.
At the very least, you should include a cookie banner on your website. If you use marketing cookies (display ad networks, remarketing, marketing automation etc.), these may only be set after the user has given consent, which means the corresponding tags must not be loaded until then, not merely hidden behind a banner.
Example cookie banner for tracking with implied consent by further use of the website:
Example cookie banner for tracking and targeting: Here, marketing cookies may only be set after clicking on “Accept Cookies”.
Ideally, you should give the user an opportunity to decide which kinds of cookies they wish to allow. Cookies can be subdivided into:
- Required cookies (like login session, shopping cart etc.)
- Functional cookies (like embedded vimeo.com players etc.)
- Tracking/performance cookies (like Google Analytics etc.)
- Advertising & targeting cookies (like DoubleClick, AppNexus etc.)
- Customization cookies (like HubSpot, Marketo etc.)
It is important to note that the user's explicit consent is required, in particular for the Advertising & Targeting and Customization categories; an unticked box that the user has to tick actively, not a pre-selected one.
Example of an out-of-the-box cookie management solution from OneTrust:
GDPR also stipulates (Art. 7(3)) that withdrawing consent must be just as easy as giving it. In the example above, this is guaranteed by a link to the cookie settings in the footer of each page; withdrawing consent there must actually stop the affected tags, not just update a preference.
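The gating described in this section, as an added example that is not part of the original post or of any cookie-management product: third-party tags are registered under a cookie category, a tag only runs once the visitor has opted in to that category, and withdrawing consent tears the tag down again. The category names match the list above; the class and function names are assumptions for this example, not a real library's API.

```javascript
// Added example: a minimal category-based consent gate (not code from the original post).
// Everything except 'required' starts as denied, i.e. the opposite of a pre-ticked box.

const CATEGORIES = ['required', 'functional', 'performance', 'advertising', 'customization'];

// Parse the first-party consent cookie value ("advertising=1;performance=0").
// Unknown categories and malformed values are ignored, so a tampered cookie can
// never grant consent the user did not give, and 'required' cannot be toggled.
function parseConsent(str) {
  const out = {};
  for (const part of String(str || '').split(';')) {
    const [key, val] = part.split('=').map(s => s.trim());
    if (CATEGORIES.includes(key) && key !== 'required' && (val === '0' || val === '1')) {
      out[key] = val === '1';
    }
  }
  return out;
}

class ConsentManager {
  constructor(storedCookie) {
    this.state = Object.fromEntries(CATEGORIES.map(c => [c, c === 'required']));
    Object.assign(this.state, parseConsent(storedCookie));
    this.tags = []; // { category, load, unload, active }
  }

  isGranted(category) {
    return this.state[category] === true;
  }

  // Register a tag under a category. It loads immediately only if that category
  // is already granted; otherwise it waits for grant().
  register(category, load, unload = () => {}) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    const tag = { category, load, unload, active: false };
    this.tags.push(tag);
    if (this.isGranted(category)) this.activate(tag);
    return tag;
  }

  activate(tag) {
    if (!tag.active) {
      tag.load();
      tag.active = true;
    }
  }

  // Explicit opt-in for one or more categories ("Accept Cookies" / settings dialog).
  grant(categories) {
    for (const c of categories) {
      if (c === 'required' || !CATEGORIES.includes(c)) continue;
      this.state[c] = true;
    }
    for (const tag of this.tags) if (this.isGranted(tag.category)) this.activate(tag);
  }

  // Withdrawal must be as easy as consent: one call denies the category and
  // runs the cleanup of every tag that was loaded under it.
  withdraw(category) {
    if (category === 'required') return; // the site cannot run without these
    this.state[category] = false;
    for (const tag of this.tags) {
      if (tag.category === category && tag.active) {
        tag.unload();
        tag.active = false;
      }
    }
  }

  // Value to persist in a first-party cookie; set it with the Secure and
  // SameSite=Lax attributes so it is neither leaked over HTTP nor sent cross-site.
  serialize() {
    return CATEGORIES.filter(c => c !== 'required')
      .map(c => `${c}=${this.state[c] ? 1 : 0}`)
      .join(';');
  }
}
```

On a real page the `load` callback would inject the vendor's script tag and `unload` would remove it and delete the cookies it set; the important property is that the loader is never called before consent, and that the persisted state is re-read on the next page view so the banner's decision sticks.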
2. Adapting Forms
A tried and tested approach to checking forms from a GDPR point of view is to imagine that each field with personal information deserves the same care as your credit card number, your passport number or your mother’s phone number.
- Each form field should only exist if it is clearly necessary. If the purpose of a field is not obvious, explain it or remove it. Take a minimalist approach and collect only what is absolutely necessary.
- The user must be able to find out what happens to their data before submitting the form, including why, where and for how long the data is stored.
- Do not use any prefilled checkboxes (especially for newsletter subscriptions, as explicit consent is required).
- Forms containing personal information may only be transmitted over an encrypted connection (HTTPS). Serve the form page itself over HTTPS too, not just the submission endpoint; otherwise the form can be tampered with in transit before the user ever submits it.
- Avoid the GET method: it places the form fields in the URL query string, which then ends up in browser history, the Referer header, server log files and analytics tools. Use POST.
- The information collected by means of a form may only be used for the purpose agreed to by the user when filling in the form. For example, you may not automatically use the e-mail address for e-mail marketing if it was included in an order form.
- Alternatively, you can also completely remove the form and replace it with an e-mail link and/or a telephone number.
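As an added example that is not part of the original post, here is a server-side handler for a newsletter sign-up form that enforces the rules above, because markup alone (a POST form, an unticked box) can be bypassed by anyone crafting their own request. The request shape ({ method, secure, body }), the field names and the function names are assumptions for this example; the returned record is the kind of proof of consent you would keep alongside the address.

```javascript
// Added example (not code from the original post): enforce the form rules server-side
// and produce a consent record that binds the address to the purpose agreed to.

const FORM_VERSION = '2018-05-privacy-v1'; // identifies the notice text the user saw (assumed label)

function handleNewsletterForm(req, now = new Date()) {
  // Never accept the form via GET: the fields would land in URLs, logs and analytics.
  if (req.method !== 'POST') return { status: 405, error: 'method not allowed' };
  // Personal data must travel encrypted; refuse plaintext submissions outright.
  if (!req.secure) return { status: 400, error: 'form must be submitted over HTTPS' };

  const body = req.body || {};
  const email = String(body.email || '').trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return { status: 400, error: 'invalid e-mail' };

  // The opt-in box is unchecked by default, so an absent field means "no consent",
  // never implied consent.
  if (body.newsletter_consent !== 'yes') return { status: 400, error: 'explicit consent required' };

  return {
    status: 200,
    record: {
      email,
      purposes: ['newsletter'],        // the only purpose the user agreed to
      consentedAt: now.toISOString(),  // when
      formVersion: FORM_VERSION,       // under which notice text
    },
  };
}

// Purpose limitation: an address collected for one purpose may not be reused for
// another. Every later use (e.g. a marketing campaign) goes through this check.
function mayUseFor(record, purpose) {
  return Array.isArray(record.purposes) && record.purposes.includes(purpose);
}
```

An order form would produce a record with `purposes: ['order']` through the same path, and `mayUseFor(record, 'newsletter')` would then be false for it, which is exactly the check that prevents the e-mail address from drifting into marketing.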
3. IP Address Anonymization in Analytics Tools
Activate IP anonymization in your analytics suites. In Google Analytics you cannot see a visitor's IP address in the reports, but the full address is still transmitted to and processed on Google's servers during tracking. With IP anonymization enabled, Google zeroes the last octet of IPv4 addresses (and the last 80 bits of IPv6 addresses) before the address is stored or used for geolocation. In the classic analytics.js tracking code this is set with `ga('set', 'anonymizeIp', true);`, which must come after `ga('create', ...)` and before the first `ga('send', 'pageview')`, otherwise the first hit still carries the full address. Check the result in the browser's network tab: the collect request should contain the parameter `aip=1`.
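As an added example that is not part of the original post, the truncation that Google documents for anonymizeIp (last octet of IPv4 zeroed, last 80 bits of IPv6 zeroed) implemented so that you can apply the same rule to your own web-server logs before they are written, which the post does not cover. The function names and the sample log lines are constructed for this example.

```javascript
// Added example (not code from the original post): IPv4/IPv6 truncation matching the
// anonymizeIp rule, plus a helper that applies it to Combined Log Format lines.

// Expand an IPv6 address into its eight 16-bit groups as numbers. Handles "::",
// a zone id suffix (fe80::1%eth0) and the embedded IPv4 form (::ffff:198.51.100.9).
function expandIpv6(s) {
  let str = String(s).toLowerCase().split('%')[0];
  const m = str.match(/^(.*:)(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (m) { // convert the dotted tail into two hex groups
    const o = m[2].split('.').map(Number);
    if (o.some(x => x > 255)) throw new Error('invalid IPv6: ' + s);
    str = m[1] + ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = str.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6: ' + s);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) throw new Error('invalid IPv6: ' + s);
  const groups = head.concat(Array(missing).fill('0'), tail);
  if (!groups.every(g => /^[0-9a-f]{1,4}$/.test(g))) throw new Error('invalid IPv6: ' + s);
  return groups.map(g => parseInt(g, 16));
}

// IPv4: zero the last octet. IPv6: keep the first 48 bits, zero the remaining 80,
// and return the canonical compressed form (e.g. 2001:db8:1234::).
function anonymizeIp(ip) {
  const s = String(ip).trim();
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s)) {
    const o = s.split('.').map(Number);
    if (o.some(x => x > 255)) throw new Error('invalid IPv4: ' + ip);
    o[3] = 0;
    return o.join('.');
  }
  if (s.includes(':')) {
    const kept = expandIpv6(s).slice(0, 3);
    while (kept.length && kept[kept.length - 1] === 0) kept.pop(); // fold trailing zeros into "::"
    return kept.map(g => g.toString(16)).join(':') + '::';
  }
  throw new Error('not an IP address: ' + ip);
}

// Combined Log Format puts the client address in the first field; rewrite only that.
function anonymizeAccessLog(line) {
  const idx = line.indexOf(' ');
  if (idx < 0) return line;
  return anonymizeIp(line.slice(0, idx)) + line.slice(idx);
}

// Constructed sample lines (not real traffic) to run the helper over.
const SAMPLE_LOG = [
  '203.0.113.77 - - [25/May/2018:10:00:00 +0000] "GET /contact HTTP/1.1" 200 512',
  '2001:db8:1234:5678:9abc:def0:1234:5678 - - [25/May/2018:10:00:01 +0000] "POST /form HTTP/1.1" 200 88',
];

function anonymizeSampleLog() {
  return SAMPLE_LOG.map(anonymizeAccessLog);
}
```

The anonymized address still identifies the /24 (IPv4) or /48 (IPv6), which is enough for coarse geolocation and abuse triage but no longer pins down a single household; if you keep raw logs for security reasons, keep them separately, with a short retention period, and state that in the privacy policy.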
4. Update Your Privacy Policy
According to GDPR, the data controller (in our case the operator of the website) has to inform the user clearly, unambiguously and in plain language about the storage and use of any personal data that is collected. Among other things, the following points must be covered:
- What information is collected?
- Who collects this data?
- How is this data collected?
- Why is this data collected?
- How is the data used/processed?
- With which third party entities and for what purpose is the data shared?
- Is the data transferred outside the EU/EEA, and on what basis?
- How can the user contact the controller in order to: 1. view their data, 2. correct it, 3. have it deleted and 4. withdraw consent to its processing?
5. Review/Remove Third-Party Content
Every external resource embedded in a page (scripts, web fonts, embedded videos, social buttons, ad tags, third-party images) makes the visitor's browser contact that provider, which receives at least the visitor's IP address and, in many cases, sets or reads its own cookies. It is therefore advisable to check all external sources and remove unnecessary content where possible. Any sources that are kept need to be listed in the privacy policy and, where the third-party provider collects information for targeting, explicit user consent is also required before the resource is loaded.
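As an added example that is not part of the original post, a small inventory helper for the review step above: it scans a page's HTML for the src/href attributes of scripts, iframes, images, stylesheets and media elements and lists every host that is not one of your own. The sample page below is constructed for this example (the vendor URLs are the public URLs of services mentioned in this post) and the function name is an assumption.

```javascript
// Added example (not code from the original post): list third-party hosts a page loads
// resources from, so each one can be checked against the privacy policy and consent setup.

// Constructed sample page for the example; www.example.com is assumed to be "our" site.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/js/app.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://player.vimeo.com/api/player.js"></iframe>
<script src="https://player.vimeo.com/api/player.js"></script>
</body></html>`;

// Returns [{ host, tags: [...] }] sorted by host, excluding the first-party hosts given.
// Relative and protocol-relative URLs are resolved against the first first-party host.
function thirdPartyHosts(html, firstPartyHosts) {
  const own = new Set(firstPartyHosts.map(h => h.toLowerCase()));
  const base = 'https://' + firstPartyHosts[0] + '/';
  const found = new Map(); // host -> Set of element names
  // Element name, then any attributes, then a src= or href= attribute (quoted).
  const re = /<(script|iframe|img|link|source|video|audio|embed)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    let host;
    try {
      host = new URL(m[2], base).host.toLowerCase(); // data:/javascript: URLs yield an empty host
    } catch (e) {
      continue; // unparsable URL: nothing to fetch, nothing to report
    }
    if (!host || own.has(host)) continue;
    if (!found.has(host)) found.set(host, new Set());
    found.get(host).add(tag);
  }
  return [...found.entries()]
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }));
}

function inventorySamplePage() {
  return thirdPartyHosts(SAMPLE_HTML, ['www.example.com', 'cdn.example.com']);
}
```

Run this over the rendered HTML of your most visited pages (and again after consent has been granted, since consent-gated tags inject further resources at runtime); a browser's network tab or a HAR export will also reveal requests that the static markup does not show, such as scripts loaded by a tag manager.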
Please note that implementing these quick fixes does not by itself make a website GDPR-compliant. Other important conditions need to be met, such as records of processing activities, data processing agreements with providers, and procedures for handling data subject requests. We therefore recommend that you carry out a full GDPR compliance audit of your online channels.