May 25, 2018
As you probably know, websites in the European Union have, for a long time, been legally required to disclose to visitors whether or not their websites use cookies or otherwise track or retain personal data. You’ll probably have visited a website with an overlay at the top or bottom of the screen with this disclaimer, letting the user know that continuing their use of the site requires their acceptance of the site’s use of visitor tracking and/or cookies. There’ll be a little link to accept—which makes the notification disappear (giving the appearance of a formal acceptance, though the fact that you can navigate the site without clicking it leads me to believe that the prominence of the notice is enough to comply with the law).
If you’ve never seen such a notice, please visit this site, which has one at the bottom of the screen: carlmarletti.com
FULL DISCLOSURE NOTICES
As you can see, clicking the other link they offer there—“En savoir plus” (“To learn more”)—takes you to a page that provides details of their website’s services, privacy policy and liability limits. Browsing the site is quite a nice experience, too. The pastries look quite special.
The idea behind all this transparency is to protect consumers from having their personal information tracked and used in ways over which they have no control.
What hasn’t been in place before now (May 25) is any requirement that websites of companies based outside the EU need to comply with this transparency requirement. And that’s what the GDPR is changing. The European Union is making it illegal, worldwide, to collect data from users without their express permission if that data can be used to target them for any purpose.
GOOGLE ANALYTICS & IP ADDRESS COLLECTION
Here is where I’m discovering a new wrinkle to what I understood before, as the Google Analytics data that’s been gathered in the past has included IP addresses. You can’t ever tell exactly who has visited your site from Google Analytics, but the IP addresses help Google to provide data about what countries and cities your visitors are coming from. Google doesn’t ever reveal those IP addresses to you (so even if you know someone’s IP address, you can’t get information about whether they visited your site) but they do store them somewhere. And they are used by companies who engage in what’s called “retargeting advertising” (this is how you suddenly get flooded with ads for Coach bags, no matter what site you’re on, if you visit the Coach bags website, for example).
As I understand it, Google is taking care of its basic settings in a way that will ensure compliance for passive websites that effectively simply provide information. This will mean you’ll see slightly less accurate city/country-based data in the future, among other things. IP addresses will still be collected but they will be missing the final bit of information that gives precise identification. This will take care of future compliance but I’m not 100% sure how this affects the already-stored data.
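As an added example (not Google's code), here is the "drop the last part of the address" step described above as a function you can run over your own logs. Google documents that its IP anonymization zeroes the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses, and that is the rule applied here; the sample addresses are constructed.

```javascript
// Illustrative IP truncation in the style of Google's documented
// anonymization: IPv4 keeps 24 bits, IPv6 keeps 48 bits. Added example.

function truncateIPv4(ip) {
  const parts = ip.split(".");
  const bad = (p) => !/^\d{1,3}$/.test(p) || Number(p) > 255;
  if (parts.length !== 4 || parts.some(bad)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  parts[3] = "0"; // zero the last octet
  return parts.join(".");
}

// Expand "::" to eight 16-bit groups, keep the first three (48 bits) and
// zero the remaining five (80 bits); the result is printed compressed.
function truncateIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("not an IPv6 address: " + ip);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 2 && fill < 1) throw new Error("bad '::' in " + ip);
  const groups = [...head, ...Array(fill).fill("0"), ...tail];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error("not an IPv6 address: " + ip);
  }
  const kept = groups.slice(0, 3).map((g) => parseInt(g, 16).toString(16));
  while (kept.length && kept[kept.length - 1] === "0") kept.pop();
  return kept.join(":") + "::";
}

function anonymizeIp(ip) {
  return ip.includes(":") ? truncateIPv6(ip) : truncateIPv4(ip);
}

// Constructed log sample: four visitors, three of them on the same /24.
const SAMPLE_VISITOR_IPS = [
  "203.0.113.5", "203.0.113.77", "203.0.113.200", "198.51.100.9",
];

// How many distinct addresses survive, with and without truncation: this
// is the loss of precision (and of identifiability) the post refers to.
function distinctVisitors(ips, anonymize) {
  return new Set(anonymize ? ips.map(anonymizeIp) : ips).size;
}
```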
For companies who do want to use data to re-target their visitors, Google is adding more granular controls to enable websites to offer users the option of agreeing to be tracked or not (by Google Analytics) and in these cases (only), the IP addresses will still be fully stored.
COMPLIANCE BY THIRD-PARTY PLATFORMS
You’ll also find other technologies that websites use are stepping up their game to comply with GDPR. For example, if you have a WordPress site and allow comments on your blog posts, the quiet collection of data that used to occur there is now (if you keep your WordPress install up to date and use the default WordPress comments functionality) an option your visitor can choose to accept or not. Your website may still require the comment-poster to enter their name and email before posting a comment, but your website won’t leave a cookie on their computer as they do so.
HOW COOKIES WORK
Many websites automatically place what’s known as a cookie on your computer as soon as you visit their website. Some people elect to set their computers to not receive cookies but on the whole, they do no harm and often make life easier for you. It’s how your computer knows to fill in a login field with your user ID when you open a website (like your bank’s), for example. And it’s why, when you occasionally undertake (at the request of a tech support person, for example) a full clearing of your browser’s cache and cookies, you have to fill in a lot of information that’s been auto-filled for you for a long time.
However, some websites are set up to create cookies on the computers of visitors not to keep personal information, but simply to remember that they have visited so that the website can behave differently. The most common example of this is a website that “pops” a newsletter signup form at you when you arrive. Typically, such a website installs a cookie on the visitor’s computer that controls whether and when the popup will be allowed to pop again (to prevent the popup happening every time you return to the homepage, for example). You can set a cookie to enable a popup to pop once per visit, once per month, once ever—or whatever you want. You can also use cookies to control animations on your site—to prevent them from repeating once people have seen them once. Another thing cookies can be set to do is track what pages you visit and then feature promotions that are more likely to appeal to your apparent interests next time you visit.
If you clear your cookies, however, all the websites that have seemed to “know” you will suddenly be strangers again. You will experience the site as any other new visitor experiences it, you will have to re-enter all your login information, and you will have to endure all the popups again.
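As an added example (not code from this post), here is the popup-frequency logic described above as plain JavaScript. The cookie name, the policy labels and the 30-day “month” are assumptions, and the functions work on the cookie string rather than on `document.cookie` directly so they can run outside a browser; in a page you would pass in `document.cookie` and assign the returned string back to it.

```javascript
// Frequency-capping a newsletter popup with a cookie. Added example; the
// cookie name, policy names and 30-day month are assumptions.
const POPUP_COOKIE = "nl_popup_seen";

// Cap policy -> Max-Age in seconds. null means no Max-Age, i.e. a session
// cookie the browser drops when it closes (once per visit).
const POLICIES = {
  "once-per-visit": null,
  "once-per-month": 30 * 24 * 60 * 60,
  "once-ever": 10 * 365 * 24 * 60 * 60,
};

// Parse "a=1; b=2" (the document.cookie / Cookie header form) into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (!name) continue;
    const raw = rest.join("=");
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Build the string to assign to document.cookie. Secure and SameSite=Lax keep
// the cookie off plain HTTP and out of cross-site requests; the cookie itself
// holds no personal data, only the fact that the popup was shown.
function buildPopupCookie(policy) {
  if (!(policy in POLICIES)) throw new Error("unknown policy: " + policy);
  const maxAge = POLICIES[policy];
  let cookie = `${POPUP_COOKIE}=1; Path=/; Secure; SameSite=Lax`;
  if (maxAge !== null) cookie += `; Max-Age=${maxAge}`;
  return cookie;
}

// Decide whether to pop the form. consentGiven models the page-top notice the
// post describes: without agreement we neither show the popup nor set a cookie.
function popupDecision(cookieHeader, policy, consentGiven) {
  if (!consentGiven) return { show: false, setCookie: null };
  const cookies = parseCookies(cookieHeader);
  if (cookies[POPUP_COOKIE] === "1") return { show: false, setCookie: null };
  return { show: true, setCookie: buildPopupCookie(policy) };
}
```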
WHAT DOES THIS MEAN FOR YOUR WEBSITE?
IF you have a passive, information-providing website that collects no information from your visitors (including no visitor-tracking like Google Analytics) and does not create cookies, you absolutely don’t need to do anything.
However, even at this level of simplicity, it will not be a bad idea to create a privacy policy page that is available from every page in your website. The GDPR is a legitimate response to big-data breaches by giants like Yahoo and Facebook and a lot of people are spooked about internet privacy at the moment. It’s going to be fairly commonplace to see privacy policy pages on websites and you may not want to stand out by not having one.
On that note, it’s also de rigueur these days to have SSL (an https address). I’ve written about this elsewhere. Same thing. Basic internet tightening up in your best interests.
And if you don’t use Google Analytics, you miss out on an incredible tool for understanding how and why your website performs as well or as badly as it does. No website is perfect as published and if you want your business to thrive, you should be learning from your website constantly and adjusting your strategy in accordance with what you learn. This is not something you can do without reliable information about how people are finding your website and how they are using it once they find it.
IF you have a website that collects visitor information simply to serve your visitors better in the course of their visit (e.g., cookies that control popups and animations, forms that collect information for purchases, forms that collect email addresses—like contact forms, comment forms, newsletter signup forms, free-offer forms, etc.), then you should have one of those page-top or page-bottom notifications informing visitors that they must agree to your terms (and provide a link to the full information).
IF you have a website and have been engaging in the kind of behavior that has prompted the new regulations (surreptitiously collecting personal data and targeting your visitors via other channels like Facebook or newsletter platforms, for example) then you really have to step up and become fully transparent (or stop retargeting).
Non-compliant websites will not get fined straight away—there’ll be a warning at first, followed by a “reprimand” if the warning goes unheeded, followed by a suspension of data processing if the reprimand also goes unheeded. But eventually there will be fines. And, get this: the fines are set to be “up to 4% of a company’s annual global revenue OR €20 million (whichever is greater)”.
Presumably you’d need to be a very large company to be hit with those fines but why mess around? The times have changed and it is no longer legal to play with other people’s data without them knowing you’re doing it.
For those of you familiar with Paul Thomas Anderson’s film There Will Be Blood, I think that means no more “I drink your milkshake!”.