Website privacy practices: lessons learned from a GDPR project
August 15, 2018 · Chris Peters
Now that the mass hysteria over the General Data Protection Regulation (GDPR) is over, I thought I would take some time to record some lessons that I’ve learned about complying and keeping my employer out of trouble. I have been fortunate to have had the opportunity to consult with several skilled attorneys who have given a great deal of practical advice, and I am happy to pass lessons learned along to you.
CYA notice: This post will not be 100% comprehensive, so be sure to do your own analysis of data practices across your business with assistance from legal counsel. I also admit that I know little about the implications of GDPR on HR practices and customer/partner data, so I am intentionally narrowing the focus of this post to how GDPR affects websites and digital marketing technologies.
When GDPR applies, risk profile, and privacy best practices
In general, you should worry most about GDPR if you do business in the EU or process the personal data of people located there; the regulation applies based on whose data you handle, not on where your company is based. If you generate a decent amount of revenue, you are a likely target for regulator enforcement and litigation if you don’t comply with the GDPR.
If you work for a small- or medium-sized business that doesn’t employ an army of lawyers, you’re in a particularly tough spot because you’re an easier target and likely cannot afford to get sued over data breaches and privacy malpractice.
That said, many of the practices required by GDPR are fairly common-sense, and I hope that they are adopted more widely worldwide. By taking some time to comply with GDPR, you’re likely future-proofing your data and marketing practices and also creating a better customer experience.
Top tip: enable double opt-in for your email marketing
Campaign Monitor describes double opt-in as such:
A double opt-in occurs when a user signs up for an email marketing list, and then an email is sent out to the user which includes a link to click and confirm the subscription. Only after the confirmation click is completed will the user officially be added to the email marketing list.
This helps you avoid situations where someone could be mistakenly or maliciously signed up for your email marketing without their permission.
As the mar-tech landscape grows with new communication tools, you end up with so many sources of email signups that it becomes difficult to keep track of everything. For example, chat tools like Intercom collect email addresses but do not provide a mechanism for letting the user verify how that information will be used.
An automated double opt-in process allows you to provide the customer with a chance to subscribe to your email marketing without any unpleasant surprises.
Even though this isn’t a requirement in countries like the US, it is a common courtesy and provides for a better overall customer experience.
When to add a check box to your forms
One of the biggest points of confusion for me during the GDPR bonanza was what to do with subscription and lead forms on the website.
Some companies, like TechTarget, add quite a complicated mess of privacy agreements to their subscription forms.
In contrast to this, I was provided with the following rules of thumb.
First, if a form’s call to action is clear about how the user’s data will be used, then you don’t need to add an extra “I agree to the privacy policy” check box. For example, if the form is labeled “Subscribe to our blog,” it is pretty darn clear what’s going to happen if the user fills in the form, so you don’t need to require an acceptance of the privacy policy. (You should probably link to the privacy policy below the form for convenience, however.)
If it’s not 100% clear what’s going to happen when the user fills in the form, then require that they tick an “I agree to the privacy policy” check box when submitting the form. If your form asks for the user’s country, then consider only requiring the extra check box if they choose an EU country or another country that requires such consent be provided.
If you need an extra consent check box, its label should use language as plain as possible. For example:
[Company name] may contact me via email or phone with information about [company name] products and services. View the privacy policy for more information.
Unlike TechTarget’s scary-ass form, you can let the privacy policy itself do the job of describing where data will be transferred. No need to spell it out so boldly on the form itself.
Audit your 3rd party data providers and update your privacy and cookie policy
Your business likely relies heavily on a variety of 3rd party vendors to store and manage customer data. If you haven’t already, now is the time to take inventory of the services where your website collects and sends personal data. Consider these services for example:
- Analytics platforms like Google Analytics
- Retargeting platforms like AdRoll
- Chat platforms like Drift and Intercom
- Social media platforms like Facebook, LinkedIn, and Twitter
It is now fairly common practice to disclose publicly how customer data is being used by your website, and even to list the purpose of each service that your website uses. Some websites go as far as listing each individual cookie by name.
Mailchimp presents this information in a clear, friendly way in their cookie statement. They do a nice job of categorizing the cookies:
- Essential
- Performance and functionality
- Analytics and customization
- Advertising (targeting)
Another element of GDPR that I enjoy is its call for clarity in privacy notices:
The conditions for consent have been strengthened, and companies are no longer able to use long illegible terms and conditions full of legalese.
If your privacy policy reads like a cellular service contract, you need to find an attorney who is keyed into this new style ASAP.
Keep a running list of systems where customer data is being collected, and be ready to remove a customer upon request
A complicated part of GDPR is the right to be forgotten. With some exceptions, a customer has the right to request that all your data related to them be deleted. When such a request comes in, you need to be careful to not forget any place where you stored personally identifiable information about the customer. A data breach would quickly expose your neglect.
When you audit your 1st- and 3rd-party data providers, keep the resulting list handy for exactly this purpose.
Your privacy policy should list a convenient way to contact your data protection officer (DPO), or whoever handles privacy requests if your business isn’t required to appoint a DPO, for information about your use of data and for requests to remove it.
Keep versioned copies of your privacy policy
Keep a file of each version of your privacy policy and a log of what was changed in each version. I typically name the version with a date stamp like “v20180815” (if the version was published on August 15, 2018 for example).
Bonus points if you can update your website and/or marketing automation system to record which version of the privacy policy the user agreed to when submitting a form providing their personal information.
Understand cookies and decide how conservative you want to be with user consent
First off, GDPR is not cookie legislation. There is a separate piece of legislation, the ePrivacy Directive 2002/58/EC (as amended in 2009), that outlines what is acceptable.
This legislation mainly concerns itself with user consent for profiling cookies and doesn’t apply to “essential” cookies required for your website to run properly. If you’re using cookies to send user data to 3rd parties that will then be used to track their activity across the web, you’re stripping them of their anonymity and thus will need their consent to do so.
The key thing to understand is that profiling cookies should not be planted on an EU user’s computer until he or she provides explicit consent.
A cookie notice must be displayed on the site, notifying the user of the exact situation that constitutes acceptance of cookies. These are common options, ordered from least to most conservative:
- Warning that scrolling, clicking, or continued use will trigger tracking (least conservative)
- Not planting any cookies until the user clicks an acceptance link or button on the notice (middle-of-the-road)
- Blocking the user’s ability to use the site at all until acceptance of the cookie notice (most conservative)
Personally, I think that the 3rd option above is ridiculous and a major impediment to the overall customer experience.
The notice must also provide the user with information or a mechanism for canceling tracking that is not anonymous and used for profiling purposes. This cookie-removal mechanism can be functionality built into the website or even as simple as linking the user to information about how to clear cookies in their browser settings.
Solutions like CIVIC’s Cookie Control are fairly inexpensive, easy to implement, and allow you to target the cookie notice and functionality to just the users that it affects. I recommend showing a cookie notice to every user, regardless of their location, and requiring explicit acceptance only if the user is located in the EU or another territory that requires such acceptance.
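To make the middle-of-the-road option above concrete, here is an added example of a consent-gated tag loader. It is my own code, not from the post, from CIVIC’s Cookie Control or from Mailchimp. The category names follow the Mailchimp grouping listed earlier; the tag names, script URLs, cookie names, policy version and the `inEu` flag (which you would feed from a geo-IP lookup) are assumptions. Essential tags run immediately, nothing else is loaded for an EU visitor until they accept, a stored decision is only replayed if it was made under the current policy version, and the withdraw path returns the cookies the site should expire.

```javascript
// Consent-gated loading of third-party tags. Added example, not code from the
// post, from CIVIC's Cookie Control or from Mailchimp. Category names follow the
// Mailchimp grouping; the tag names, script URLs, cookie names, policy version
// and the `inEu` hook (e.g. from a geo-IP lookup) are assumptions.
const CATEGORIES = ['essential', 'performance', 'analytics', 'advertising'];
const POLICY_VERSION = 'v20180815'; // a decision made under an older policy is not reused

// `loadScript(src)` is how a tag actually runs; in a browser it would append a
// <script> element. The demo passes a function that only records the call.
function createConsentManager({ inEu, loadScript }) {
  const tags = [];          // registered tags, in registration order
  const loaded = new Set(); // names of tags already started (a script cannot be unloaded)
  // Essential tags never wait. An EU visitor gets nothing else until they click
  // accept; elsewhere the notice is still shown but tracking may start at once.
  let granted = new Set(inEu ? ['essential'] : CATEGORIES);
  let decided = false;

  function flush() {
    for (const tag of tags) {
      if (!loaded.has(tag.name) && granted.has(tag.category)) {
        loaded.add(tag.name);
        loadScript(tag.src);
      }
    }
  }
  function setGranted(categories) {
    granted = new Set(['essential', ...categories.filter((c) => CATEGORIES.includes(c))]);
    decided = true;
    flush();
  }
  // What to persist (consent cookie and/or server-side log) as evidence of the choice.
  const record = () => ({ version: POLICY_VERSION, granted: [...granted], decidedAt: Date.now() });

  return {
    // Declare each third-party script up front with its category and the cookies it sets.
    register(name, category, src, cookies = []) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
      tags.push({ name, category, src, cookies });
      flush();
    },
    needsNotice: () => !decided,
    // The accept button on the notice; an empty list means "essential only".
    accept(categories = CATEGORIES) {
      setGranted(categories);
      return record();
    },
    // Returning visitor: replay the stored decision only if it was made under
    // the current policy version; otherwise the notice is shown again.
    restore(stored) {
      if (!stored || stored.version !== POLICY_VERSION || !Array.isArray(stored.granted)) return false;
      setGranted(stored.granted);
      return true;
    },
    // The opt-out mechanism the notice must link to. Future loads stop, and the
    // caller gets the names of the profiling cookies it should now expire.
    withdraw() {
      const toExpire = tags
        .filter((t) => t.category !== 'essential' && loaded.has(t.name))
        .flatMap((t) => t.cookies);
      granted = new Set(['essential']);
      decided = true;
      return toExpire;
    },
    record,
    loadedTags: () => [...loaded],
  };
}
```

In a real page, `register` replaces the inline `<script>` tags for analytics, retargeting and chat, `accept` is wired to the notice’s button, `restore` is called at page load with the parsed consent cookie, and `withdraw` backs the “stop tracking me” link, whose caller expires the returned cookie names.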
Share your tips
Are you also a seasoned GDPR veteran? Did I miss any big gotchas that you’ve learned about website privacy? I would love to hear anything you want to add in the comments.