Do you ever wonder what website owners can do with your data after you have consented to the cookie banner? Why is that cookie banner there in the first place? That’s right, because of the GDPR. The GDPR, short for the General Data Protection Regulation, has now been in place in the European Union for some years. For companies and website owners alike, it can be pretty laborious to comply with all of its requirements. So, in this post, I will look at what the GDPR consists of and what this means for website owners like you and me.
What is the GDPR exactly?
The GDPR is a strict set of EU data protection rules that improves your access to the information organizations hold about you. It also limits what organizations can do with this personal data. The legislation, like the UK’s implementation of it (the Data Protection Act), went into effect on the 25th of May 2018. You have probably noticed the effects of the GDPR in the form of the cookie banner or the default blocking of third-party cookies in browsers like Safari and Firefox.
Now, you might be thinking: do these rules also apply to my website and its tracking tools? Well, when you install web analytics software like Google Analytics 4 on your website, you are storing the personal data of your users. And don’t think that you are off the hook when you are not situated in the EU. As soon as you collect data from users in the EU, you need to comply. So, you must know what is required of you under the regulation.
What are the requirements of the GDPR?
To be clear, the GDPR consists of many different regulations. The whole document contains 99 individual articles. Still, it outlines seven basic principles that govern how personal data may be handled and how compliance is enforced:
- Lawfulness, fairness & transparency. The data subject must be informed about how their data will be used.
- Purpose limitation. Data can be collected only for specific purposes.
- Data minimization. The amount of data collected is limited to what is necessary for specific processing.
- Data accuracy. Collecting organizations must ensure data accuracy and update it as needed. Data must be deleted or changed when the person in question requests it.
- Storage limitation. Collected data won’t be retained longer than needed.
- Integrity & confidentiality. For data to be protected against theft or unauthorized use, appropriate security measures must be taken.
- Accountability. Data collectors are responsible for ensuring compliance with the GDPR.
As you have read in the final point, you are responsible for complying with the regulations. Therefore, the consequences of breaching the GDPR will be yours.
What happens if you breach the GDPR?
Breaches of the GDPR can be fined by the local data protection authorities. In one of the most significant fines under the GDPR, Google was fined €50 million by the French data protection regulator. There were two main reasons for the fine: Google did not adequately inform users about how it uses the data it acquired from different services, and it did not get proper consent for processing user information. This example concerns the data collection and storage of a company itself. However, it might also be the case that the tools you use are not GDPR compliant.
For example, the Austrian DPA recently ruled that the use of Google Analytics violates the GDPR. After this ruling, other European countries like Italy and France followed. This means that the use of Google Analytics is now illegal in those countries. To check whether it is still allowed in your European country, you can check out isgoogleanalyticsillegal.com. To avoid getting into trouble, it is important to check your analytics setup. Ask yourself the following questions to find out whether your website tracking tools are compliant:
- Do your tracking tools place cookies without consent?
- Is your website analytics tool a US company?
- Is your website analytics tool using web servers owned by a US cloud provider?
If you answered yes to any of these questions, your analytics setup is probably not GDPR compliant. In that case, it is wise to start looking for compliant alternatives.
What can website owners do to comply with the GDPR?
Before I share some best practices with you, I would like to emphasize that this is not legal advice in any way. If you are in doubt, always contact a legal professional.
Below you will find a summarized list of actions that you can take to check your current setup. This list serves merely as a starting point. As you will read, simple IP anonymization is not enough to be GDPR compliant. So, what is?
- Secure the data you store; have two up-to-date and secure copies of all personal data at two separate off-site locations.
- Have tools to edit the data; be able to edit or delete specific personal data and verify and document the edits.
- Have an exhaustive privacy and cookie policy; provide transparency about your data processing, which cookies you place and why.
- Always ask before collecting personal data; set up a cookie banner on your site and make sure none are placed without consent.
- Anonymize the IP address of your users; this is done by default in many of the modern tracking tools, but it doesn’t hurt to be sure.
- Only collect what you need; don’t collect it unless you need it, because you are responsible for it.
- Don’t share data with other entities; if you work with web analytics tools, make sure you sign a Data Processing Agreement with them.
- If you store data in your database, encrypt it; you can do this with one of the many tools available on the market.
- Manage exactly what data you send to third parties; you can do this with a tool like server-side tracking in Google Tag Manager.
- Use analytics tools with servers in the EU; data must remain in the EU. Servers owned by US cloud providers are not good either.
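As an added example (not code from the original post), here is how the "anonymize the IP address" item above can be enforced in a server-side tracking pipeline before hits are stored or forwarded. It assumes the truncation rule Google Analytics documents for its anonymization feature (last IPv4 octet zeroed, last 80 bits of IPv6 zeroed) and runs on constructed sample hits; as the list says, this is one measure among several, not compliance on its own.

```javascript
// Added example, not code from the original post. Assumed truncation rule (the one
// Google Analytics documents): zero the last IPv4 octet and the last 80 bits of IPv6.
// IPv4-mapped IPv6 forms such as ::ffff:192.0.2.1 are deliberately rejected.
// Expand an IPv6 address into its 8 hextets, or return null if it is malformed.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const fill = halves.length === 2 ? Array(missing).fill('0') : [];
  const groups = [...head, ...fill, ...tail].map((g) => g.toLowerCase());
  return groups.every((g) => /^[0-9a-f]{1,4}$/.test(g)) ? groups : null;
}

function anonymizeIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  return valid ? `${octets.slice(0, 3).join('.')}.0` : null;
}

function anonymizeIPv6(ip) {
  const groups = expandIPv6(ip);
  if (!groups) return null;
  const kept = groups.slice(0, 3); // only the first 48 bits survive
  while (kept.length && /^0+$/.test(kept[kept.length - 1])) kept.pop();
  return `${kept.join(':')}::`;
}

// Returns the truncated address, or null if the input is not a well-formed IP.
function anonymizeIp(ip) {
  if (typeof ip !== 'string') return null;
  return ip.includes(':') ? anonymizeIPv6(ip.trim()) : anonymizeIPv4(ip.trim());
}

// Scrub one analytics hit; hits with an unparseable IP are dropped (null), never stored raw.
function scrubHit(hit) {
  const ip = anonymizeIp(hit.ip);
  return ip === null ? null : { ...hit, ip };
}

// Constructed sample hits (not real traffic).
const sampleHits = [
  { page: '/pricing', ip: '203.0.113.77' },
  { page: '/blog', ip: '2001:db8:abcd:1234:5678:9abc:def0:1' },
  { page: '/contact', ip: 'not-an-ip' },
];
console.log(sampleHits.map(scrubHit).filter(Boolean));
```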
In this article I will not discuss the exact GDPR cookie requirements, because these differ per country. For advice on this, I recommend getting additional legal advice or looking at parties like CookieYes or CookieScript.
The Takeaway
As you have probably noticed by now, there are many things to take into account when it comes to tracking your website under the GDPR. I have summarized the actions you can take to ensure your tracking setup is compliant: practical steps that you can take today to avoid getting into trouble with a regulatory agency. If you would like to get help with this, or personal advice on your situation, don’t hesitate to contact us.