May 25, 2018
If you’ve never seen such a notice, please visit this site, which has one at the bottom of the screen: carlmarletti.com
The idea behind all this transparency is to protect consumers from having their personal information tracked and used in ways over which they have no control.
What hasn’t been in place before now (May 25) is any requirement that websites of companies based outside the EU need to comply with this transparency requirement. And that’s what the GDPR is changing. The European Union is making it illegal, worldwide, to collect data from users without their express permission if that data can be used to target them for any purpose.
Here is where I’m discovering a new wrinkle to what I understood before, as the Google Analytics data that’s been gathered in the past has included IP addresses. You can’t ever tell exactly who has visited your site from Google Analytics, but the IP addresses help Google to provide data about what countries and cities your visitors are coming from. Google doesn’t ever reveal those IP addresses to you (so even if you know someone’s IP address, you can’t get information about whether they visited your site) but they do store them somewhere. And they are used by companies who engage in what’s called “retargeting advertising” (this is how you suddenly get flooded with ads for Coach bags, no matter what site you’re on, if you visit the Coach bags website, for example).
As I understand it, Google is taking care of its basic settings in a way that will ensure compliance for passive websites that effectively simply provide information. This will mean you’ll see slightly less accurate city/country-based data in the future, among other things. IP addresses will still be collected but they will be missing the final bit of information that gives precise identification. This will take care of future compliance but I’m not 100% sure how this affects the already-stored data.
For companies who do want to use data to re-target their visitors, Google is adding more granular controls to enable websites to offer users the option of agreeing to be tracked or not (by Google Analytics) and in these cases (only), the IP addresses will still be fully stored.
You’ll also find other technologies that websites use are stepping up their game to comply with GDPR. For example, if you have a WordPress site and allow comments on your blog posts, the quiet collection of data that used to occur there is now (if you keep your WordPress install up to date and use the default WordPress comments functionality) an option your visitor can choose to accept or not. Your website may still require the comment-poster to enter their name and email before posting a comment, but your website won’t leave a cookie on their computer as they do so.
Many websites automatically place what’s known as a cookie on your computer as soon as you visit their website. Some people elect to set their computers to not receive cookies but on the whole, they do no harm and often make life easier for you. It’s how your computer knows to fill in a login field with your user ID when you open a website (like your bank’s), for example. And it’s why, when you occasionally undertake (at the request of a tech support person, for example) a full “clear cookies” clearing of your browser’s cache and cookies, you have to fill in a lot of information that’s been auto-filled for you for a long time.
If you clear your cookies, however, all the websites that have seemed to “know” you will suddenly be strangers again. You will experience the site as any other new visitor experiences it, you will have to re-enter all your login information, and you will have to endure all the popups again.
IF you have a passive, information-providing website that collects no information from your visitors (including no visitor-tracking like Google Analytics) and does not create cookies, you absolutely don’t need to do anything.
On that note, it’s also de rigueur these days to have SSL (an https address). I’ve written about this elsewhere. Same thing. Basic internet tightening up in your best interests.
And if you don’t use Google Analytics, you miss out on an incredible tool for understanding how and why your website performs as well or as badly as it does. No website is perfect as published and if you want your business to thrive, you should be learning from your website constantly and adjusting your strategy in accordance with what you learn. This is not something you can do without reliable information about how people are finding your website and how they are using it once they find it.
IF you have a website that collects visitor information simply to serve your visitors better in the course of their visit (eg cookies that control popups and animations, forms that collect information for purchases, forms that collect email addresses—like contact forms, comment forms, newsletter signup forms, free-offer forms, etc), then you should have one of those page-top or page-bottom notifications informing visitors that they must agree to your terms (and provide a link to the full information).
IF you have a website and have been engaging in the kind of behavior that has prompted the new regulations (surreptitiously collecting personal data and targeting your visitors via other channels like Facebook or newsletter platforms, for example) then you really have to step up and become fully transparent (or stop retargeting).
Non-compliant websites will not get fined straight away—there’ll be a warning at first, followed by a “reprimand” if the warning goes unheeded, followed by a suspension of data processing if the reprimand also goes unheeded. But eventually there will be fines. And, get this: the fines are set to be “up to 4% of a company’s annual global revenue OR €20 million (whichever is greater)”.
Presumably you’d need to be a very large company to be hit with those fines but why mess around? The times have changed and it is no longer legal to play with other people’s data without them knowing you’re doing it.
For those of you familiar with Paul Thomas Anderson’s film There Will Be Blood, I think that means no more “I drink your milkshake!”.