Plenty of time has passed since the GDPR entered into force, and things have finally started to move forward. Companies are becoming increasingly aware of their obligations, even though awareness is generally still rather low. This is not the companies’ fault; the institutions have done very little to help them get up to speed with the new rules, with many governments introducing implementing bills only days before the GDPR became applicable. The resulting panic should surprise no one.
Nowadays, most companies (even smaller ones) as well as non-profits have indeed started working on GDPR compliance. In some cases this is driven mainly by fear of fines, and the GDPR is viewed as little more than another form of taxation by EU bureaucrats.
Compliance on the Web
What exactly does it mean to be “compliant”? When it comes to websites, start with two questions:
- Does my website collect personal data?
- If it does, are my visitors aware of that fact?
Before you ask: yes, most websites do collect personal data, even if you are unaware of it (this website does too). Cookies and related technologies are at the forefront of such quiet data collection, but data is also collected via contact forms, newsletter subscription forms, comment sections, and server access logs, which record IP addresses.
The law does not prescribe mandatory elements that must appear on a website. If you are certain you don’t collect personal data via your website (which is rare), you genuinely don’t need a privacy policy and the like.
A fully compliant website contains all the necessary notices and lets users manage their privacy preferences. In the following sections we go over the most glaring issues we have encountered in the last few months.
Contact forms
Plenty of pages contain contact forms where potential clients can submit a query without leaving their web browser. It’s a convenient way of acquiring new clients, since manually composing an e-mail is too much of a hurdle for many users.
However, care is needed when implementing contact forms. A great many of them contain unnecessary fields that ask for far more data than the query requires. The most common superfluous fields are name and surname, phone number, sex, and even occupation. In most cases these are simply not required to answer the query; accordingly, you shouldn’t be collecting them in the first place. This is the data-minimisation principle of Article 5(1)(c).
If such data is absolutely required, follow up with the client and ask for it then. Collecting personal data in advance because it might be needed later is not in line with the GDPR and counts as excessive processing.
What do I have to do?
Analyse which data is indispensable for handling messages and queries and keep only those fields. Remove the rest or clearly mark them as optional, and make sure the form can be submitted with the optional fields left empty (server-side validation must not reject such submissions either). Also add a short notice summarising the purposes of processing and link to a comprehensive privacy policy for those who want more detail.
Consent and newsletters
You will generally need consent from individuals who sign up for newsletters and/or marketing communications. Under Article 4(11) consent must be freely given, specific, informed and unambiguous, so you need some record showing that the person actually wanted to sign up and knew what they were signing up for.
Some companies opted to delete their customer databases entirely and did away with newsletters altogether; such a nuclear option is generally unnecessary.
What do I have to do?
Provide an additional, unticked checkbox next to the e-mail field so that people can opt in to your promotional messages. Pre-ticked boxes do not count as consent (Recital 32). This matters especially when you collect e-mail addresses for some other purpose, such as account registration, where the user does not expect the address to be used for marketing. In all cases, add a short privacy notice outlining the purposes of processing and the individual’s rights.
Another solution is the so-called double opt-in. The user must confirm the sign-up by clicking a link in a confirmation e-mail, which also carries the additional information. If they don’t confirm within a set period, the record is deleted. The confirmation is also your proof of consent, so the token in the link must be unguessable and single-use, and you should record when it was used.
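A minimal implementation of the double opt-in described above, added here as an example (not code from the original article): the token in the confirmation link comes from the OS random generator, only its hash is stored, it can be used once, and sign-ups that are not confirmed within 48 hours are deleted. The 48-hour lifetime, the confirmation URL format and the in-memory dictionaries standing in for a database are assumptions.

```python
"""Double opt-in for newsletter sign-ups: unguessable, single-use, expiring
confirmation tokens, plus deletion of sign-ups that are never confirmed.

Added example, not code from the article. Storage is an in-memory dict
standing in for a database; the 48-hour lifetime and the URL format are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: unconfirmed sign-ups are dropped after 48 h
CONFIRM_URL = "https://www.example.com/newsletter/confirm?token={token}"  # assumption


@dataclass
class PendingSignup:
    email: str
    created_at: float
    # Only a hash of the token is stored; the raw token exists solely in the
    # e-mail, so a leaked database cannot be used to "confirm" on the user's behalf.
    token_hash: str


class NewsletterStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                                 # injectable clock, so expiry can be tested
        self.pending: Dict[str, PendingSignup] = {}     # token hash -> pending sign-up
        self.confirmed: Dict[str, float] = {}           # e-mail -> confirmation time (proof of consent)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_signup(self, email: str, consent_ticked: bool) -> str:
        """Step 1: the form was submitted. Returns the confirmation URL to e-mail."""
        if not consent_ticked:
            # An unticked (never pre-ticked) box means no consent and no record at all.
            raise ValueError("consent box not ticked; nothing stored")
        token = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG, unguessable
        digest = self._hash(token)
        self.pending[digest] = PendingSignup(email, self._now(), digest)
        return CONFIRM_URL.format(token=token)

    def confirm(self, token: str) -> bool:
        """Step 2: the link was clicked. Single use: the pending record is consumed."""
        entry = self.pending.pop(self._hash(token), None)
        if entry is None:
            return False                                # unknown, already used, or already purged
        if self._now() - entry.created_at > TOKEN_TTL_SECONDS:
            return False                                # too late; the record is discarded, not revived
        self.confirmed[entry.email] = self._now()       # timestamp doubles as the consent record
        return True

    def purge_expired(self) -> int:
        """Housekeeping job: delete sign-ups never confirmed within the TTL."""
        cutoff = self._now() - TOKEN_TTL_SECONDS
        stale = [h for h, p in self.pending.items() if p.created_at < cutoff]
        for h in stale:
            del self.pending[h]
        return len(stale)

    def unsubscribe(self, email: str) -> bool:
        """Withdrawal must be as easy as sign-up: one call, no questions asked."""
        return self.confirmed.pop(email, None) is not None


def token_from_url(url: str) -> str:
    """Pull the token back out of a confirmation URL built by request_signup."""
    return url.rsplit("token=", 1)[1]
```

The hash lookup means a database dump does not yield usable confirmation links, and because `confirm` pops the record before checking the age, an expired link can never be retried.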
What about legitimate interest?
Another option for sending periodical newsletters is legitimate interest (Article 6(1)(f)). For that to work you need an existing database of customers with whom you have a pre-existing business relationship and whom you have informed in your privacy policy of your intention to send such e-mails. Bear in mind that e-mail marketing is additionally governed by the ePrivacy Directive, whose “soft opt-in” for existing customers only covers your own similar products or services and requires that the customer was offered an opt-out both at the point of collection and in every message.
Do not go overboard and send such e-mails too often. Outline the recipients’ rights in every e-mail you send, particularly the right to object, and include a prominent unsubscribe link that opts the user out instantly. Under Article 21(2) and (3) the right to object to direct marketing is absolute: once someone objects you must stop processing their data for that purpose, however strong your legitimate interest.
Cookies
Almost every website of any significance uses cookies that collect personal data as defined in the GDPR. Under Article 4(1) and Recital 30, online identifiers such as those generated and stored in cookies are personal data; so are IP addresses, location data and the like.
The pervasive use of cookies is largely a result of the widespread use of templates, plug-ins and other ready-made components that work as black boxes of sorts. It’s no wonder many website owners aren’t even aware that personal data is being collected and their users tracked by various advertisers.
For example, Google Maps is widely embedded as an interactive way of marking an office location. When it is, Google generally sets its own cookies, which it also uses for advertising. The situation is much the same for social media buttons and live chat platforms such as Zendesk.
What do I have to do?
Plenty. First, reduce the number of cookies your website sets. Remove superfluous plug-ins and elements; they bog down your site anyway. This will dramatically reduce your workload in the next step.
Then make a list of all the cookies you use. Doing so manually is the most reliable way: load each page in a clean browser profile and inspect the cookie store and the Set-Cookie headers in the developer tools. Several online scanners do this automatically, but they make mistakes, so don’t rely on them alone. Bear in mind that not every cookie collects personal data; those remain outside the scope of the GDPR. Strictly necessary cookies (a session cookie for a logged-in area, a shopping basket) may also be set without consent under Article 5(3) of the ePrivacy Directive.
Analytics and marketing cookies, on the other hand, must not be set before consent is given.
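Listing cookies by hand, as suggested above, means capturing Set-Cookie headers (from the browser’s network panel or an intercepting proxy) and recording for each one who set it, which domain it belongs to and how long it lives. The following added example (not code from the article, nor from any scanner it mentions) does that bookkeeping over a constructed sample capture; all host names and cookie names in it are made up, and the first-party test is a plain host-suffix comparison rather than a public-suffix lookup.

```python
"""Cookie inventory from captured Set-Cookie headers.

Added example, not code from the article. Input is a list of
(response URL, Set-Cookie header value) pairs; the sample below is constructed
and every host name in it is made up. First- vs third-party classification is
by host suffix, a simplification that ignores the public-suffix list.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumption: the site being audited

# Constructed sample capture: (URL of the response that set the cookie, raw header value).
CAPTURED: List[Tuple[str, str]] = [
    ("https://www.example.com/",
     "session=0a1b2c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example.com/",
     "analytics_id=GA.9.1234; Domain=.example.com; Path=/; Max-Age=63072000"),
    ("https://maps.example-maps.net/embed.js",
     "ad_pref=x7; Domain=.example-maps.net; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("https://chat.example-widget.io/loader",
     "chat_visitor=v9; Path=/; Max-Age=31536000; Secure"),
]


@dataclass
class CookieRecord:
    name: str
    set_by: str          # host of the response that set the cookie
    domain: str          # effective domain the browser will send it back to
    first_party: bool
    persistent: bool     # Max-Age or Expires present; otherwise it dies with the session
    secure: bool
    http_only: bool


def _effective_domain(response_host: str, domain_attr: str) -> str:
    # Without a Domain attribute the cookie is host-only for the responding host.
    return (domain_attr or response_host).lstrip(".").lower()


def _is_first_party(domain: str, site_host: str) -> bool:
    return site_host == domain or site_host.endswith("." + domain)


def parse_set_cookie(response_url: str, header: str,
                     site_host: str = SITE_HOST) -> Optional[CookieRecord]:
    """Turn one Set-Cookie header into a CookieRecord (None if it cannot be parsed)."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except Exception:
        return None
    if len(jar) != 1:          # one Set-Cookie header carries exactly one cookie
        return None
    name, morsel = next(iter(jar.items()))
    host = (urlsplit(response_url).hostname or "").lower()
    domain = _effective_domain(host, morsel["domain"])
    return CookieRecord(
        name=name,
        set_by=host,
        domain=domain,
        first_party=_is_first_party(domain, site_host),
        persistent=bool(morsel["max-age"] or morsel["expires"]),
        secure=bool(morsel["secure"]),
        http_only=bool(morsel["httponly"]),
    )


def inventory(captured: List[Tuple[str, str]],
              site_host: str = SITE_HOST) -> List[CookieRecord]:
    """Parse a whole capture, silently skipping headers that do not parse."""
    records = [parse_set_cookie(url, hdr, site_host) for url, hdr in captured]
    return [r for r in records if r is not None]


def third_party_domains(records: List[CookieRecord]) -> List[str]:
    """Distinct third-party domains: the other companies a cookie policy must name."""
    return sorted({r.domain for r in records if not r.first_party})
```

The output is the raw material for the cookie policy: persistent third-party records are the ones that need consent and a named recipient, and the `secure`/`http_only` flags show which first-party cookies deserve hardening while you are at it.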
When showing a cookie notice, obtain valid consent before setting any non-essential cookie. A banner that treats continued browsing as acceptance and offers no way to change one’s mind violates two principles. First, implied consent is invalid under the GDPR: Recital 32 requires a clear affirmative act, so silence, pre-ticked boxes or inactivity do not count. Second, Article 7(3) requires that “it shall be as easy to withdraw consent as to give it”, which a banner with no settings link fails.
Do not set cookies before the user agrees. Offer a checkbox per cookie category, all left unticked, and a link to a comprehensive cookie policy. You do not have to name every cookie in the brief notice; grouping them loosely by function (necessary, analytics, marketing) is enough.
As for the cookie policy, which is a more comprehensive document found alongside (or as part of) the privacy policy, it should list every cookie you use, categorised by purpose. You should also name the companies that receive the data (third parties, often data controllers in their own right). In most cases these are companies like Google, Twitter, Facebook, Cloudflare etc.
Privacy policy
A well-drafted, comprehensive privacy policy should be the crown jewel of your compliance efforts. It should describe your practices with regard to personal data (collection, processing and storage) and provide a transparent overview of your data flows.
We’ve already written about what makes a privacy policy good, but the information is so important that it warrants repeating.
Make sure the privacy policy is easily accessible on your website and available in every language your website is available in. Write it in simple, easily understandable language and avoid legal jargon wherever possible. The goal is to provide relevant information in a simple and accessible way; draft all publicly available documents with this in mind.
Don’t forget formatting. Properly formatted documents are easy to read and navigate. Avoid copying and pasting plain text without any navigational elements. This is contrary to the purpose of such a document.
If you also collect data at your physical location (store, office, etc.) it is prudent to have a similar document prominently displayed for individuals to reach an informed decision on whether they want to provide you with their personal information.
Contents of privacy policies
A privacy policy must contain the basic information about your enterprise and a way for users to contact you with queries or data subject requests. Give a brief overview of their rights (access, erasure, etc.) and explain how they can exercise them. Ideally, set up a system for handling these requests, including verification of the requester’s identity proportionate to the data at stake (Article 12(6) lets you ask for additional information where you have reasonable doubts), but at the very least create a dedicated e-mail address for them. Consider adding a phone number as well.
Then explain what you do with the data, when, and how. List every case in which you collect data and the data you collect in each case. Set firm retention periods and stick to them. Outline the data protection measures you take and state where the data is stored. If you collect special categories of personal data or data relating to children, take special precautions: where you offer online services directly to children and rely on consent, you need verifiable parental consent for children below the age of digital consent (16 under Article 8, which member states may lower to no less than 13).
If you plan to transfer data outside the EU to countries without an adequacy decision from the European Commission, say so in your policy and state the transfer mechanism you rely on (standard contractual clauses, for example). At the time of writing the US was considered adequate under the Privacy Shield; that framework was invalidated by the Court of Justice in July 2020 (Schrems II), so check the Commission’s current list of adequacy decisions rather than relying on this article. Don’t forget to describe your procedure in case of a data breach.
We’d like to stress that a privacy policy should be carefully drafted and cover all the elements mentioned in this article. The list is not exhaustive, though. For example, if you use video surveillance or process special categories of personal data, you need additional elements. Much also depends on the data processors (third parties) you share data with; they should be named in your policy too. A privacy policy is the key document for demonstrating your commitment to compliance. No two privacy policies are the same, since every enterprise is different in some way. That’s why, if you’re in doubt, it’s best to seek expert advice.
Conclusion
These are the basic steps to take if you want to move towards compliance. Do not take it lightly: a privacy policy is worthless if you do not actually adhere to its provisions. You must respond to data subject requests without undue delay and within one month (Article 12(3); extendable by two further months for complex or numerous requests, provided you inform the requester within the first month), and you must at least abide by the retention periods you have defined. The rest will require a more advanced compliance effort tailored to your needs.