By Lisa Moore
You may have heard about the General Data Protection Regulation (GDPR) or noticed an increase in privacy notices in your email and on websites. Established in May 2018 by the European Union (EU), GDPR replaces an older directive, the Data Protection Directive of 1995.
A second part of GDPR revamps the ePrivacy Directive of 2002, also known as the Cookie Law. This part deals with data in transit, such as cookies, telemetry, metadata, and consent for marketing, and is still in draft negotiations.
GDPR specifically protects the personal data of EU citizens and applies to how any organization treats or uses that personal data. The long and short of it is that if you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you must comply with GDPR.
Affected marketing practices include collecting email addresses for e-newsletters, including contact forms on your site, or simply using cookies on your website (which the majority of sites do through services such as Google Analytics).
It has been nearly 10 months since GDPR took effect, and in that time we have seen several big companies face consequences for not complying with the new rules. One such violation occurred in January, when France fined Google $57 million for GDPR violations.
To ensure that your organization does not suffer the same fate, here are some measures that can be taken.
- In Google Analytics, change the user and event data retention settings so that information will not automatically expire.
- Your privacy policy should be updated with plain-English wording (no legalese) that explains what cookies are, what data you collect from website visitors, how to request a copy of that user data, and that user data may be erased upon request.
- Contact pages and any pages with forms or an e-newsletter signup form should link to your site's privacy policy.
- A request must be sent to users who are already signed up for any mailing list asking them to opt in again. Additionally, there should always be a way for users who sign up to a mailing list to verify their intention through a link sent to their email address. This practice is known as double opt-in.
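The double opt-in flow described in the last item, as an added example that is not code from the original post or from LKF: a signup request only records the address as pending, the confirmation link carries an HMAC-signed, time-limited token, and the address is moved to the confirmed list only when that token verifies. The `MailingList` class, the `SECRET_KEY` placeholder and the 48-hour lifetime are assumptions made for this example; the erase method illustrates honouring an erasure request from either state.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Placeholder only: in a real deployment load this from a secret store.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed lifetime of a confirmation link
MAC_LEN = 32                   # SHA-256 digest length in bytes


class MailingList:
    """Minimal double opt-in state machine (constructed for this example)."""

    def __init__(self, secret=SECRET_KEY, now=time.time):
        self._secret = secret
        self._now = now          # injectable clock so expiry can be tested
        self.pending = {}        # email -> unix time of the signup request
        self.confirmed = set()

    def _sign(self, payload: bytes) -> str:
        # Token = urlsafe_base64(payload || HMAC-SHA256(secret, payload))
        mac = hmac.new(self._secret, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + mac).decode().rstrip("=")

    def request_signup(self, email: str) -> str:
        """Step 1: the user submits the form. Record the address as pending
        and return the token to embed in the confirmation link. Nothing is
        sent to the list yet, so an unconfirmed address is never mailed."""
        email = email.strip().lower()
        issued = int(self._now())
        self.pending[email] = issued
        claims = {"e": email, "exp": issued + TOKEN_TTL_SECONDS,
                  "n": secrets.token_hex(8)}  # nonce keeps tokens unique
        payload = json.dumps(claims, separators=(",", ":")).encode()
        return self._sign(payload)

    def confirm(self, token: str) -> bool:
        """Step 2: the user clicks the link. Verify the signature and expiry
        before moving the address from pending to confirmed."""
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except (ValueError, binascii.Error):
            return False
        if len(raw) <= MAC_LEN:
            return False
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self._secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False          # forged or corrupted link
        try:
            claims = json.loads(payload)
        except ValueError:
            return False
        if claims.get("exp", 0) < self._now():
            return False          # link is older than TOKEN_TTL_SECONDS
        email = claims.get("e")
        if email not in self.pending:
            return False          # unknown, already confirmed, or withdrawn
        del self.pending[email]
        self.confirmed.add(email)
        return True

    def erase(self, email: str) -> None:
        """Erasure request: drop the address from every state."""
        email = email.strip().lower()
        self.pending.pop(email, None)
        self.confirmed.discard(email)


if __name__ == "__main__":
    ml = MailingList()
    link_token = ml.request_signup("reader@example.com")
    print("confirmation link: https://example.com/confirm?t=" + link_token)
    print("confirmed on first click:", ml.confirm(link_token))
    print("confirmed on replay:", ml.confirm(link_token))
```

Because the token is signed rather than stored, the confirmation endpoint needs no database lookup beyond the pending set, and a second click on the same link (or a forged link for an address that never signed up) is rejected rather than silently adding a subscriber.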
Even if your website does not serve a European audience, it is important to be able to honour the rights of any EU citizen who happens to use your website, whether they are located here or abroad. The EU has begun to levy hefty fines against websites that do not provide a way to exercise these new user rights.
Additionally, there is a growing conversation about protecting Americans' privacy, and future rules could soon echo GDPR standards. California has already pushed this forward, with the Governor signing a bill known as the California Consumer Privacy Act (CCPA).
This is where LKF can help you. Since GDPR took effect, we have been working alongside our clients to ensure that their websites are compliant.
If you have questions or concerns about your site, GDPR standards, or anything else, please contact us. We would be more than happy to help.