Privacy and the GDPR European General Data Protection Regulation
Different countries, and in the case of the European Union, different continents, have different privacy regulations. Being a small business in Australia mostly means you need to be aware of and adhere to the Australian Privacy Principles, which we've written about previously here.
However, websites and other online marketing activity, by virtue of being on the world wide web, have a global reach and therefore come under the jurisdiction of the country in which your website visitor, email reader or Facebook fan resides.
GDPR European General Data Protection Regulation
In this article we'll talk about the GDPR European General Data Protection Regulation. This regulation comes into effect on 25 May 2018.
Typical online activities that require you to sit up and take notice
- You have Google Analytics connected to your website
- You have language translation on your website, especially if any of those languages are European
- You have currency conversion on your website, especially if any of those currencies are European
- You have sign up forms on your website
- You send marketing and promotional emails and in your email list there are, or could be, people who live in Europe
- You collect, record or use health or financial information from people and some of those people may live in Europe
- You run remarketing ads on Facebook or Google
When you don’t need to worry about it
- Your business exclusively markets to local Australian consumers or businesses
- You only provide products or services to Australians
- You have no sign-up forms on your website
- You don’t have, or use, a list with email addresses for bulk emails
- You don’t undertake remarketing advertising
Even if all the above apply, you may wish to comply with the GDPR, as consumers here will, over time, come to expect higher privacy protection as a result of their exposure to the practices taking place overseas.
The bare basics of the GDPR European General Data Protection Regulation
- Collection of data by businesses needs to be with the knowledge and consent from the person it is collected from
- Silence, pre-ticked boxes or inactivity do not constitute consent
- Opt-out is not sufficient. It needs to be opt-in
- Data can only be used for the purpose the person consented to it being used for
- An easy, well-understood opt-out needs to be provided
- Data is not forever – a person’s data needs to be able to be completely removed
- The fines for non-compliance are significant
Some examples of non-compliance
Example 1: A European person is a LinkedIn connection of yours. You previously exported your LinkedIn connections and sent them a promotional email, and they remain in your MailChimp or other email marketing list.
Reason for non-compliance: The data was available via LinkedIn and communicating or using the data on that platform is fair, however the person has not consented to their email being used.
Example 2: A person in Europe visited your website out of curiosity, for more information or for whatever reason they had at the time. Your website has the Facebook advertising tag on it and you use this to remarket to them.
Reason for non-compliance: The person could not reasonably know or expect they would receive advertising as a result of visiting your website and even if they knew, they didn’t consent.
Example 3: A European person bought something on your online shop or used your online contact form to enquire about your products or services, and they end up on your email promotion list.
Reason for non-compliance: Buying a product or making an enquiry does not mean giving consent to receiving newsletters.
The collection of personal data for people who are located in Europe comes under the jurisdiction of the GDPR. Examples of personal data are:
- Phone number
- Email address
If you are collecting, storing and using sensitive data, and the people you are collecting it from could be from Europe, you are required to have a Privacy Officer who is located in Europe. It would be advisable to find out more about the GDPR if you are collecting and/or using sensitive data. Examples of sensitive data are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Health information
- Sexual behaviour or orientation
- Criminal record
- Financial information
- Credit rating
Pseudonym data is non-identifying data, such as IP addresses and some information collected via cookies, that is collected and used anonymously for statistical or research purposes. However, when that pseudonym data is combined with other data to create profiles which identify people, it becomes personal data.
How to comply – Google Analytics
It would appear that for most users, Google Analytics is collecting, recording and using pseudonym data for most of its work and therefore its activities can continue fairly seamlessly.
However, to comply with the "data isn't forever" clause in the GDPR, set your data retention at 36 months or some other timeframe of your choice. You will still be able to maintain the historical standard aggregated reporting that Google Analytics provides. Only highly customised reports appear to be impacted.
However, Jeff notes in his article that other online marketing tools do not comply as easily as Google Analytics does. For example:
- Landing Page software
- Customer Relationship Management (CRM) systems
These tools collect and use IP addresses to give contacts ratings and scores. If you use these or similar tools, you may like to stop using them if they aren't essential to your business. It would be advisable to find out more about the GDPR if you are using software or plug-ins that collect IP addresses: once an IP address is combined with browsing history and website actions (such as clicks on buttons), a profile of your website visitor is developed, and this would then constitute the collection of personal data.
How to comply – website
If you have European languages or currencies on your website it could be reasonably supposed that you are marketing to Europeans. Therefore if you do breach the regulations it would be difficult to talk your way out of it. Seek further guidance if this relates to your site.
Having a sign up form for newsletters, to access reports, to register for a webinar or various other offers is commonplace. To sign up people to newsletters and be compliant with the GDPR they must have expressly consented to this. More about this in the email section below.
The Cookie Conundrum
Some cookies are necessary for a website to function, for example to:
- Cache the site to assist with site speed and page load times
- Remember items added to shopping carts
- Identify known hacking bots and prevent them from accessing the site
The GDPR appears to accept this as pseudonym data rather than as the collection of personal data, and therefore no further action is required from website owners and developers for these cookies.
However, there is also a bunch of other cookies used on sites that would be considered optional to the user's experience and could be collected and used with other data to become personal data. Examples are:
- Google AdWords remarketing tag
- Facebook advertising pixel
- CRM systems and landing page software, as mentioned above
As such, the user needs to consent to this information being collected and be given the ability to opt out if they wish.
For website owners there are a bunch of plug-ins and apps available that state they comply with the GDPR but in my research and interpretation they don’t. Merely informing a person that cookies exist and giving them no option but to accept does not comply with the European privacy regulations.
For a website to be compliant with GDPR it needs to:
- Use only the strictly necessary cookies
- Give the ability for users to reject superfluous cookies if they wish and still use the website
For WordPress website owners and developers there are three plug-ins that look compliant:
The image below from the GDPR WP plug-in has 3 options for the website visitor.
- Cookie Settings
- Accept Cookies button
By clicking on the Cookie Settings option the user can set their cookie preferences for this site.
The two images below show how, in the Optanon plug-in, the website visitor does not have the option of accepting or rejecting the Strictly Necessary Cookies (which are set to Always Active), but they do have the option of retaining the Targeting Cookies as Active or disabling them.
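The consent model in those plug-in screens (strictly necessary cookies always active, targeting cookies off until the visitor switches them on) and the two rules at the start of this section, as an added example that is not the article's or either plug-in's code. The load functions stand in for the real pixel and remarketing-tag snippets (hypothetical) and the category names are assumptions.

```javascript
// Added example (not from the article or either plug-in): a minimal consent gate.
// "necessary" is always active and cannot be refused; "targeting" (remarketing
// pixels) starts OFF and only fires after an explicit opt-in. The load functions
// stand in for the real pixel/tag snippets (hypothetical).
const ALWAYS_ACTIVE = new Set(["necessary"]);

function createConsentGate(categories = ["necessary", "targeting"]) {
  const tags = [];          // { name, category, load }
  const loaded = new Set(); // names of tags that have already fired
  // No pre-ticked boxes: every optional category starts as not consented.
  const consent = {};
  for (const c of categories) consent[c] = ALWAYS_ACTIVE.has(c);

  const allowed = (category) => consent[category] === true;

  // Fire every registered tag whose category is permitted, once only.
  function flush() {
    for (const t of tags) {
      if (!loaded.has(t.name) && allowed(t.category)) {
        t.load();
        loaded.add(t.name);
      }
    }
  }

  return {
    // Register a tag; it fires immediately only if its category is already allowed.
    register(name, category, load) {
      if (!(category in consent)) throw new Error("unknown category: " + category);
      tags.push({ name, category, load });
      flush();
    },
    // Called only from an explicit "Cookie Settings" choice; closing the banner
    // or scrolling on never calls this, so silence is never treated as consent.
    setConsent(category, value) {
      if (ALWAYS_ACTIVE.has(category)) return false; // cannot be switched off
      consent[category] = value === true;            // only a real boolean opt-in counts
      flush();
      return true;
    },
    isLoaded: (name) => loaded.has(name),
    // Tags the visitor has not consented to; the site must still work without them.
    blocked: () => tags.filter((t) => !allowed(t.category)).map((t) => t.name),
  };
}
```

Wire `setConsent` to the plug-in's settings panel and keep the cart or session cookie in the necessary category; anything that feeds an advertising profile goes in targeting.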
Facebook have recently prompted users to check their privacy settings, and if the user works their way through all the prompts they eventually get to a part that allows them to choose (or not choose) to receive adverts based on partners, e.g. data from advertisers, app developers and publishers.
Here’s the screen that allows a user to allow, or otherwise, ads to be shown to them based on Facebook partner information.
Facebook then confirms the setting and lets the user know they won’t be shown ads based on data they receive from advertisers and other partners. However they do note that they will still use this data to personalise the Facebook experience, promote safety and provide analytics as per their Data Policy.
We’d have to think the above is Facebook’s way of complying with the GDPR. It is my view that to comply with the GDPR both parts of the equation need to be in place – that is Facebook needs to comply with using the data but the business owner still needs to comply for the collection of the data. Therefore the collection of data on a business website via cookies for Facebook advertising purposes (i.e. the Facebook Pixel) would still need consent from European website visitors at the time of visiting the website, as per the above cookie discussion.
The same would apply to Google remarketing using their site tag.
Facebook Advertising – change your settings
If you missed Facebook's prompts and you're super keen to check out, and possibly change, your advert settings, go to the drop-down arrow on the top right of the screen (while on a desktop – it may be a little harder to find on a mobile).
Choose Settings (2nd from bottom, just above Log Out).
On the left there are a lot of options in Settings; down near the end you'll find Ads. Click on that.
And then you’ll find yourself in a section where you can work through the various choices.
How to comply – your current email list
Go through your email list and look for European email addresses. No method is 100% accurate, but the following two will help:
- Identify and sort by domain country suffix. For example the Australian domain suffix is .au, Germany is .de, Netherlands is .nl and Spain is .es. Here’s a full list of internet country domains.
- Find any who could be from Europe because the email software (e.g. MailChimp) identified this via IP address when they opened the email
If their consent to be on your email list is not already recorded, email them and ask them to opt-in to continue receiving your newsletters. MailChimp has a template for this email. Here’s an example email.
Repeat this email a week or fortnight later. If they have not opted in, remove them from your marketing list. If it's super important to keep them on your list, ring them, send them an individual email or in some other way make contact to encourage them to opt in (but not via a competition or free offer!).
Canada also has an opt-in approach. Therefore if you have an international email list it would be advisable to go through the same method for Canadians on your list at the same time.
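The domain-suffix sort described above, carried through as an added example (not the article's or MailChimp's code): it flags list members whose address suffix, or the country the email software recorded from their open, points at a region that needs opt-in, and who have no consent on record. The suffix list (EU member states as of May 2018 plus .eu, and .ca for Canada), the record shape and the sample list are all constructed assumptions, and as the article says the check is a heuristic only.

```javascript
// Added example (not from the article): pick out list members who may need the
// re-opt-in email. The suffix list is an assumption: EU members as of May 2018
// plus .eu, and .ca for Canada. It is a heuristic only; an @gmail.com address
// says nothing about where the person lives.
const EU_CCTLDS = new Set([
  "at", "be", "bg", "hr", "cy", "cz", "dk", "ee", "fi", "fr", "de", "gr", "hu",
  "ie", "it", "lv", "lt", "lu", "mt", "nl", "pl", "pt", "ro", "sk", "si", "es",
  "se", "uk", "eu",
]);
// "gb" covers an ESP country field (ISO code) for the UK; "ca" adds Canada.
const OPT_IN_REGION = new Set([...EU_CCTLDS, "gb", "ca"]);

// Last label of the domain ("shop.co.uk" -> "uk"), or null if not a usable address.
function countrySuffix(email) {
  const m = /^[^\s@]+@([^\s@]+)$/.exec(String(email).trim().toLowerCase());
  if (!m) return null;
  const labels = m[1].split(".").filter(Boolean);
  return labels.length >= 2 ? labels[labels.length - 1] : null;
}

// records: [{ email, consent: "recorded" | "missing", country?: "DE" }]
// `country` is the code the email software recorded from the open IP, if any.
function auditList(records) {
  const reconsent = [], keep = [], invalid = [];
  for (const r of records) {
    const tld = countrySuffix(r.email);
    if (tld === null) { invalid.push(r.email); continue; }
    const country = (r.country || "").toLowerCase();
    const inOptInRegion = OPT_IN_REGION.has(tld) || OPT_IN_REGION.has(country);
    if (inOptInRegion && r.consent !== "recorded") reconsent.push(r.email);
    else keep.push(r.email);
  }
  return { reconsent, keep, invalid };
}

// Constructed sample list (not real subscribers).
const SAMPLE_LIST = [
  { email: "anna@example.de", consent: "missing" },
  { email: "bob@example.com.au", consent: "missing" },
  { email: "carla@shop.co.uk", consent: "recorded" },
  { email: "dirk@example.com", consent: "missing", country: "NL" },
  { email: "eve@example.ca", consent: "missing" },
  { email: "not-an-email", consent: "missing" },
];
```

Run `auditList(SAMPLE_LIST)` and send the `reconsent` group the opt-in email; the `invalid` group should be cleaned out of the list regardless.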
How to comply – your future email lists
Two tips for your list maintenance going forward, to comply with the GDPR changes and any other changes that come along from Europe or anywhere else in the world, are to:
- Add in country and continent for your email lists, if you haven’t already, and begin recording this information as it comes to hand
- Add in a source field for your email list, if you haven’t already, to complement the automated source field that probably already exists in your software. This way you can manually add information to records if and when people opt-in through an avenue other than an online form. Knowing how someone came to be on your list is required to comply with Australian Privacy Principles so you may already have this in place.
How to comply – your online email sign-ups
A double opt-in is where the person receives an email to double-check they want to subscribe. This is best practice and advisable.
If you currently sign up people to your newsletter upon purchase of a product, registration for a webinar or from an enquiry, update these online forms with a visible and obvious tick-box for consent to receive a newsletter. The newsletter sign-up tick-box needs to be obvious and not pre-ticked as yes if it is to comply with the GDPR European General Data Protection Regulation.
I am not a lawyer. The above information is from a study of the regulations and other resources. Seek further guidance from appropriately qualified and experienced people and/or read the regulations directly to ensure your business is compliant.
The regulation itself
If you're keen as mustard, you can read the GDPR European General Data Protection Regulation in full here: Regulation (EU) 2016/679 of 27 April 2016.
Sources and Further Reading
In addition to the websites already linked to in the body of this article, the following sites have been informative.
GDPR Portal: Site Overview – a resource to educate the public about the main elements of the GDPR European General Data Protection Regulation.