GDPR Comp-why-ance
There has been a lot of buzz lately regarding the EU’s new data protection law, General Data Protection Regulation, or GDPR.
This far-reaching privacy law, which fully took effect on May 25, 2018, requires companies on the web to, among other things:
- Be extra-careful with regards to security and user data
- Provide users with full transparency about how their data is used
- Provide tools for users to update or delete their data entirely
Depending on how you operate, GDPR’s tentacles may reach way into your organization’s policies and procedures, but your website is probably the first and most frequent collector of user data.
Let’s cover how GDPR may affect your site, and touch on some technical solutions/workarounds for the most direct implications.
Does this even apply to me?
Hold on, I hear you say, I’m an American business with US-based customers, so this doesn’t matter!
Well, technically the GDPR protects only EU residents, and only while they’re physically in the EU. US businesses are affected if they’re explicitly soliciting people in a member country, but generic marketing in English may not apply.
So why worry about it? Two reasons.
The Web Knows No Bounds
First of all, the magic of the Internet means that your influence reaches beyond physical borders. While you can sometimes get an idea of your users’ locations, do you know for sure if Joe Visitor is a heartland American in front of his TV instead of a Frenchman nibbling croissants at a Parisian cafe (apologies to citizens of both countries)?
Perhaps you weren’t actively trying to sell to Mr. Visiteur, but look! He’s interested in your product, he’s filling out a form, and—eek!—EU personal data is flooding your servers, and there’s a team of angry lawyers on the horizon! Shut everything down!
While it’s unclear how the EU will enforce this policy for US companies (or whether they would even bother), it may be safer to enact some of these precautions simply to cover your bases, especially if you have (or may in the future have) international customers.
Privacy Protection’s a Good Look
Second, it’s worth it to note that a lot of GDPR’s provisions overlap with both privacy and security best practices: It’s considerate to be upfront about what you’re doing with someone’s data, and allow them to have a say in it. And you should already be mindful and secure about how you store data.
Complying with the law means you’re erring on the side of protecting visitors’ privacy, while also limiting the liability and damage that a potential data breach can cause.
What Data is my Site Collecting?
Now, onto the meat: what kind of data is GDPR trying to protect? The term “personal data” can cover a whole assortment of specific things about someone, many of which (eye color or genetic data, anyone?) you probably wouldn’t dream of collecting.
However, simply collecting a user’s email address or IP address is enough to count. That gets us quickly to a few things that most likely do qualify:
- Contact/newsletter forms: Or most types of forms, really.
- User accounts: Any feature involving users logging into their accounts for commenting, shopping, creating content, etc.
- Analytics/Tracking: For most sites, this likely means Google Analytics or something similar.
Be Part of the Solution
Alright, so we see how easy it is to fall afoul of this law’s provisions; what can we do about it? Here are some concrete suggestions for how to modify your site for better compliance.
Add explicit opt-ins to forms
The GDPR requires that you explicitly allow users to opt into having their personal data stored.
If you’ve got any forms on your site, you’ll need to make sure to add an explicit opt-in checkbox with plain language about the consent to store personal data. And no funny business—this must be unchecked by default, and should be required in order to submit the form.
What’s more, you’ll need separate opt-ins for each way you plan to make use of the data. For instance, using an email address for required account notices is a different purpose than sending future promotional emails.
Check your existing email lists
After you have those opt-in checkboxes in place, you need to also consider carefully your existing contact lists.
If you’re emailing people in the EU who have previously signed up to receive communications from you (perhaps with an older opt-in), you may assume they have a “legitimate interest” in further emails from you, but they still need to opt in using the explicit language and options you’ve just established. In this case, you can send out a re-permission campaign, where you allow users to re-subscribe with the new opt-ins. People who don’t positively respond would then be scrubbed from your list.
If your EU email addresses are incidentally collected (existing customers who may not have opted in explicitly, acquired through a third party, etc.), then you may have to take them off your list—even a re-permission campaign itself could count as sending marketing emails without permission!
Add cookie consent widgets
If you’ve ever noticed the ubiquitous “This site uses cookies” notice, you’re seeing the effects of the 2011 European “cookie law”, which required sites to alert users that cookies are being stored on their devices. Most of these notices imply that using the site constitutes acceptance of this policy. GDPR takes this even further.
Similar to the contact form opt-ins, the law says you should require users to know about and accept the use of cookies on your site before you set them, as well as be able to opt out of them later—two things those passive cookie alerts don’t do.
While it seems a cottage industry of cookie management services like Cookiebot and OneTrust has popped up around these new rules, there are a few free options like the GDPR Cookie Consent WordPress plugin, or ihavecookies.js, a basic jQuery/Bootstrap implementation.
The trickiest part is avoiding setting cookies unless you’ve consented, especially with how often cookies are used to store analytics data. If you’re using Google Analytics and willing to get your hands dirty, it’s possible to configure tracking to begin only after user confirmation.
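One way to build that gate, as an added example that is not code from the original post or from any of the plugins it names: a small per-purpose consent manager. Trackers are registered as loader callbacks and run only once explicit consent for their purpose is on record, and consent can be revoked later. Storage is injected so the code runs under Node; in a browser you would pass window.localStorage (an assumed usage, not any library’s API).

```javascript
// Added example (not from the original post): a per-purpose consent manager
// that gates tracker loading on explicit opt-in and supports later opt-out.
const PURPOSES = ["analytics", "marketing"]; // one separate opt-in per purpose

function createConsentManager(storage, key = "consent_v1") {
  const pending = new Map(); // purpose -> loaders waiting for consent

  function read() {
    try { return JSON.parse(storage.getItem(key) || "{}"); } catch (e) { return {}; }
  }
  function write(state) { storage.setItem(key, JSON.stringify(state)); }

  // Nothing on record means NO consent (the checkbox is unchecked by default).
  function hasConsent(purpose) { return read()[purpose] === true; }

  function grant(purpose) {
    if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
    const state = read(); state[purpose] = true; write(state);
    for (const loader of pending.get(purpose) || []) loader(); // run waiting loaders once
    pending.delete(purpose);
  }

  // onRevoke is the caller's clean-up, e.g. deleting the tracker's cookies.
  function revoke(purpose, onRevoke) {
    const state = read(); state[purpose] = false; write(state);
    if (onRevoke) onRevoke();
  }

  // Register a loader; it runs now only if consent is already recorded.
  // Returns whether it ran immediately.
  function whenConsented(purpose, loader) {
    if (hasConsent(purpose)) { loader(); return true; }
    if (!pending.has(purpose)) pending.set(purpose, []);
    pending.get(purpose).push(loader);
    return false;
  }

  return { hasConsent, grant, revoke, whenConsented };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In the browser, the loader registered for the analytics purpose is where the analytics script tag would be injected, so no tracking script runs and no analytics cookie is set until grant is called from the opt-in checkbox handler.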
Track and respond to user data/deletion requests
Another rather intensive part of the GDPR compliance is allowing any user to export, update, or delete data that is associated with their email addresses. Luckily, the widespread impact of GDPR has caused many popular packages to build tools to facilitate this right in.
For instance, WordPress’ 4.9.6 release debuted built-in functionality that facilitates making and responding to these requests, and even a method of providing private links to a user’s content.
On the human side of things, you’ll need to make sure you have a solid grip on where your user data travels before and after it hits your website, and document any requests and responses so that you have a record of the actions you’ve taken.
That record of requests could also come in handy if, knock on wood, you ever need to restore data from a backup (you do have backups enabled and tested…right?). DZone argues that removing user data from old backups may not be practical, but a reasonable compromise is to keep a record of deletion requests, and be able to repeat the deletions in the event you restore from a backup.
Or Just, Y’know, Collect Less User Data
If you’ve gotten this far, you may now be on the verge of hyperventilating. GDPR is very comprehensive, and changes like those above aren’t always trivial to implement (not to mention the effect on the user experience).
A surprisingly simple path: step back and consider limiting when, where, and how you store user data to begin with. After all, you don’t have to worry about data that you never kept to begin with.
Put blinders on your records
If you’re following Google Analytics’ usage terms, you know not to include personally identifiable information in your tracking.
But there are some features that could be storing data that’s close enough to being able to identify people, by GDPR’s definitions. You can anonymise IP addresses that Analytics collects, as well as disable the User ID and Client ID features that attempt to consolidate users’ activity across sessions.
You can apply the same principles anywhere else you’ve got logs that include IPs, user emails, or account names: do you really need to have that info, or can the records still be useful if the personal information was blurred out?
Set expiration dates
Alright, so let’s say you do need the data. Even so, you could consider regularly culling how much of it you keep around.
For instance, if you set some collected data to expire in under 30 days, it will be gone within the grace period to respond to GDPR requests. You can also set a data retention period on your analytics.
Conclusion
The General Data Protection Regulation can certainly take a bit of time and effort to wrap your head around. On the other hand, considering and addressing its concerns is a worthwhile exercise, if only for becoming more mindful about how you’re using your visitors’ data and what kind of risk having it around could bring.
Footnote
While I hope you’ve found this primer useful, there is more to cover. If you’re serious about GDPR compliance, you should definitely consult with legal or specialized compliance experts, since we’re decidedly neither of those.
Photo by Paweł Czerwiński on Unsplash