How to comply and adapt to Europe’s GDPR and recent Google Analytics/FB Pixel Regulations

(Yes, this affects American companies too!)

What’s going on?

With all the recent stir around Cambridge Analytica and other events, users are demanding changes in privacy regulation. Put simply, people want to know when their personal information is taken, why it’s taken, who it might get shared with, and that their personal data file can be completely erased when they ask.

And their voices have been heard.

First, Google Analytics is implementing new rules and regulations that require much more transparency in terms of personal data management and storage between users and companies. This will require companies using certain data collecting systems, such as Facebook Pixels, to be clearer in describing their intentions for collecting, using, and protecting their users’ personal data.

Second, the EU is implementing a new law called the General Data Protection Regulation (GDPR) that will be going into effect May 25, 2018.

Before you scroll away saying, “I’m an American business, this doesn’t affect me,” think again. If you have a web presence, then chances are you have a few Europeans in your data file.

There are two ways to think of these new rules and regulations. You can think of them as a rock glued in the sole of your shoe that you’re going to have to deal with. Or you can think of them as an opportunity.

A lot of these preparation tips and steps I mention are actually cybersecurity best practices. They’re like running or exercising every day. Although they may take some getting used to in terms of making them a regular routine, once they do become one, they will greatly benefit your business. They’re an opportunity to boost customer confidence and increase operational efficiency for data management.

So, I’ll try to keep it simple, but here are some of the steps and changes you can make to make sure you’re in compliance. I would like to add that I am not a legal expert. These steps and solutions are not and should not be seen as the golden ticket to compliance, and I do recommend that you talk to your legal advisor about this matter. But here are a few thoughts and steps you can take to make yourself better off.

What is GDPR:

The General Data Protection Regulation (GDPR) is a 99-article regulation going into effect May 25, 2018. Although it’s an EU law, it still affects most American companies that have any online presence (as they will likely have some Europeans in their audience).

The GDPR is all about protecting the personally identifiable information (PII) of a business’s data subjects, and it stems from companies not having a viable privacy plan and an effective process in place for when a breach occurs.

GDPR main points:

Your users have the right to be forgotten.

  • If they want to be deleted, you have to be able to do that. You have to have a process in place that will allow you to do that. This includes their information stored in your database and all of their other information such as emails.

You have 72 hours to notify authorities and users of a breach.

  • What sometimes used to take 3 months to accomplish now has to be done in 3 days. This means you have to have a procedure in place for when it happens. Nearly every company gets breached at some point. It’s not a matter of if, it’s a matter of when.

You must ask for consent to gather personal data in a clear and concise way.

  • No hidden language, no pre-checked consent boxes. You need to tell them when, why, and how long you’re going to store their data.

There are certainly more rules within the GDPR, but these ones stick out. If you want to see what they’re saying, check out the EU’s website on the matter: https://www.eugdpr.org/

How to comply with GDPR:

Here are some steps you can take to be in better compliance with GDPR:

  1. Make sure people in your company know this is coming.
    • Yes, this sounds elementary, but if everyone’s on the same page, it will make organization that much easier.
  2. Identify what data you hold onto and where the data came from.
    • You need to record if you share data with any other third parties.
    • You need to keep clean records of all processing activities for everyone – employees, volunteers, users, members, donors, supporters – all of them. (This might require an audit of your different systems to find out.)
  3. Update your privacy policy and/or cookie policy.
    • You need to have clear and concise privacy notices that are easy to understand. People need to know what their information is used for, who it’s shared with, how long you’re going to keep it, etc. No more hiding the sentence, “we share your information with 3rd party companies” on the 97th page of your privacy notice.

So, what does a good cookie policy look like? For this, why don’t we look at some big fat corporations that have well-paid lawyers to make sure they’re following the rules correctly.

Tiffany’s Cookie Policy: (http://www.tiffany.co.uk/Service/policy_coo.aspx)

Notice how concise and transparent Tiffany’s policy is. They have clear headlines breaking up the policy. It clearly shows what purpose the cookies serve, that they help with advertising, etc. Great job Tiffany, you and your blue boxes are cookie policy geniuses.

Alright, but let’s bring on a few more examples, just to make sure everything is clear.

BBC Good Food has a longer cookie policy, but it’s still clear. (https://www.bbcgoodfood.com/cookies-policy)

And here’s the Food Network’s cookie policy. (http://www.foodnetworktv.com/cookies)

Last but not least, here’s the cookie policy for Every Day Should Be Fun. (http://everydayshouldbefun.com/cookie-policy-2)

Okay, so there you see it, some big fat corporations with some crystal clear cookie policies. Take a look at them while you update yours! After we finish these GDPR compliance steps, I’ll explain to you what makes a great cookie policy, or scroll down if you want to find out now. You can do whatever you want, I’m not your Mom.

Back to more GDPR compliance steps… woohooo!

  4. Make sure you can fully delete someone’s personal data.
    • This includes all data. There should be no trace of that person’s data within any of your systems. A good way to do this would be to make one specific person responsible for reviewing data and removing user data upon request. This avoids confusion over whether Betty, or John, or Mike, or Susan already did it. You’ll know every time: that’s Mike’s job.
  5. Be ready to deal with a “subject access” request.
    • If someone makes a subject access request, you need to be able to fulfil it. This is usually a hard copy explaining what personal data you have of theirs, why it’s being processed, whether there are third parties you’re sharing it with, and more.
  6. Identify and document your lawful basis for processing data.
    • Whether it be to complete a contract with a user or something else, there are different lawful bases for why you are collecting and using someone’s data. So, look them up, talk to your legal genius friend, and make sure you know yours.
  7. There’s special protection for children, so make adjustments.
    • The GDPR says that people under 16 cannot give consent, so make sure you are collecting consent from their guardian. (Note: it is possible this may change to 13.)
  8. Develop a sound monitoring, analysis, and incident response plan.
    • As I said, you only have 72 hours to contact authorities and users about a breach. Make sure you have a plan in place to deal with that. This may include designating a data protection officer within your organization to oversee compliance efforts.
  9. Check third-party products, themes, etc.
  10. Have an opt-in for individual elements of your marketing, or for all of it.
    • Have separate checkboxes so subscribers can choose whether they want to opt in to a specific element of your marketing or not. This is all about giving users choice. So, give it to them… they’re adults!
  11. Implement a cookie notification!!! Here are some examples.

Cookie warning from the Daily Mash: (http://www.thedailymash.co.uk)

Cookie warning from the Food Network: (http://www.foodnetworktv.com )

Cookie warning from HSBC:

So, there you have it. These small cookie warnings on these websites are saving these companies lots of legal $$$. I advise that you take a note from them.

While there are more, these are some of the major steps you should take to make sure you are in compliance with the GDPR. As I said, it could take talking to a legal advisor to make sure you have your checks checked and your crosses crossed, but this is a start.

Let’s find out what makes a good cookie policy in four easy bullets…

What makes a good cookie policy?

(Have you noticed I haven’t made any jokes about chocolate chip cookies or sugar cookies? I know… it’s been hard. You’re welcome.)

  1. Consent:
    • This is obvious, but you have to get their consent. If there is no consent, it’s like you’re stalking them. Don’t be a stalker, get their consent.
  2. Why you use cookies:
    • This is kind of obvious too. Tell them why you’re using cookies. Using cookies probably enhances your site’s functionality. You’re probably using them for analyzing advertising success. In the end, you’re probably using cookies for the same reasons Tiffany’s and those other three companies are using them. So, make sure to review their cookie policies closely.
  3. Disclosure:
    • Tell them if you’re sharing their cookies with third parties, and anything else that should be disclosed to them.
  4. Opt-out:
    • If they want to opt out, they should be able to do that, and they should be able to do it easily. Provide them with directions on how to do so. Provide them with the links they need, etc.
      • Here’s the Google Analytics link: https://support.google.com/analytics/answer/6004245
      • Here’s the Facebook ad policy link: https://www.facebook.com/policies/ads/
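To tie the cookie-notification step and the consent/opt-out points above together in code, here is an added example (mine, not from the post or from Google/Facebook) of a consent gate that refuses to load Google Analytics or the Facebook Pixel until the visitor has actively opted in, expires the stored choice so they are asked again, and sets the `ga-disable-<ID>` opt-out flag that the Google Analytics opt-out page linked above documents whenever consent is absent. The property id, the storage key and the `setTrackingConsent` hook are placeholders I chose for the example.

```javascript
// Consent-gated tracker loading (added example, not code from the post).
// Nothing that sets tracking cookies loads until the visitor actively opts in,
// a stored choice expires so they are asked again, and the GA opt-out flag from
// https://support.google.com/analytics/answer/6004245 is set when consent is absent.
const GA_PROPERTY_ID = "UA-XXXXXXX-Y";                 // placeholder, not a real id
const CONSENT_KEY = "tracking-consent";                // constructed storage key
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;  // re-ask after ~6 months

// Missing, malformed, tampered or expired records are "unknown": banner again, nothing loads.
function readConsent(raw, nowMs) {
  if (typeof raw !== "string" || raw === "") return "unknown";
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return "unknown"; }
  if (!rec || typeof rec !== "object") return "unknown";
  if (rec.choice !== "granted" && rec.choice !== "denied") return "unknown";
  if (typeof rec.at !== "number" || rec.at > nowMs || nowMs - rec.at > CONSENT_MAX_AGE_MS) return "unknown";
  return rec.choice;
}

// Serialise an explicit choice with a timestamp so it can expire. No default "yes".
function recordConsent(choice, nowMs) {
  if (choice !== "granted" && choice !== "denied") throw new Error("bad choice");
  return JSON.stringify({ choice: choice, at: nowMs });
}

// Returns the tracker scripts to load (empty unless granted). In every other state
// the GA opt-out flag is set, so a cached or stray gtag snippet cannot send hits either.
function applyConsent(state, win) {
  const scripts = [];
  if (state === "granted") {
    win["ga-disable-" + GA_PROPERTY_ID] = false;
    scripts.push("https://www.googletagmanager.com/gtag/js?id=" + GA_PROPERTY_ID);
    scripts.push("https://connect.facebook.net/en_US/fbevents.js");
  } else {
    win["ga-disable-" + GA_PROPERTY_ID] = true;
  }
  return scripts;
}

// Browser wiring, guarded so the same file also runs under Node.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const state = readConsent(window.localStorage.getItem(CONSENT_KEY), Date.now());
  applyConsent(state, window).forEach(function (src) {
    const s = document.createElement("script"); s.async = true; s.src = src;
    document.head.appendChild(s);
  });
  window.setTrackingConsent = function (choice) {   // called by the banner's two buttons
    window.localStorage.setItem(CONSENT_KEY, recordConsent(choice, Date.now()));
    window.location.reload();
  };
}
```

Your banner's "Accept" and "Decline" buttons would call `setTrackingConsent("granted")` or `setTrackingConsent("denied")`; with no stored choice the page loads with the opt-out flag set and no tracker scripts at all.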

The above four characteristics are what constitute a good cookie policy. Review them closely and review the examples above. If you do that, you’ll be in good shape!

I hope this post has been useful to you guys, and if you have any questions, please feel free to reach out. Good luck with everything!


More Resources:

WebChoices tool: The companies participating in the WebChoices tool provide transparency and choice under the DAA Principles. http://www.aboutads.info/choices

Google Ad Settings: Make the ads you see more useful to you. Control the information Google uses to show you ads: https://adssettings.google.com

Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
