The GDPR transition window officially closed this weekend and GDPR is now in full effect, which has many businesses worried. Hopefully you already have a solid grasp of how GDPR will affect your business, but if you have any outstanding questions or concerns about GDPR compliance here are the answers you’ve been looking for.
What is GDPR?
GDPR is the General Data Protection Act written by the EU to protect their citizen’s data. It regulates how a business can collect, use and distribute an EU citizen’s data, specifically Personally Identifiable Information (PII) data.
Does it Apply to My Business?
The GDPR applies to all businesses that sell goods or services to EU citizens or residents. Even if your business is located outside the EU, the GDPR probably still applies. An easy test is to consider whether your business would be OK blocking all traffic from the EU. If the answer is no, then you should be GDPR compliant.
What are the Penalties for Non-Compliance?
The penalty for breaching GDPR is a fine up to 4% of worldwide revenue or €20 Million. This is the maximum fine that can be imposed for the most serious infringements. However, there is a tiered approach to fines for lower infringements. It is important to note that these rules apply to both controllers and processors.
What is Considered Personal Data?
In the GDPR, Personally Identifiable Information (PII) is any piece of information that can be used to identify an individual person. Often individuals may not be identified by only one piece of information, however, if an individual can be identified when the information is used with a second piece of information, then it is considered PII. For example, transaction IDs, IP addresses, cookie identifiers, and geolocations are all considered PII because they could be used in conjunction with secondary information to identify a specific user. Google also advises requesting consent if you use Analytics features like Demographics and Interests.
How do Cookies Fit into GDPR?
Not all cookies are used in a way that can identify users. These cookies are used for website usability and user experience. However, when a cookie can identify an individual on its own or in conjunction with secondary information then it is considered personal data. This includes cookies for analytics, advertising, and functional tools like surveys and chat tools. Best practice recommendation is to ask for cookie consent, but to give tiers for consent. For example, asking users if they want to accept only cookies that are necessary for the website’s functionality or all marketing cookies to help the business assess their website’s success.
What Constitutes Consent and When Can Data Collection Start?
When collecting any type of PII, you will need to get consent from the user BEFORE you begin collecting data. Furthermore, businesses need to keep records of consent that they have received. Businesses should not keep any records of individuals who have opted out of data collection. Consent must be actively given through an opt-in feature via form or privacy settings.
What is the Right to Erasure?
The Right to Erasure allows a user to demand that all of their data be deleted from your system (the controller) and any third-party system you have transmitted data to (the processor). Google Analytics has announced it will support user ID data deletion.
What Should My Consent Form Include?
There are 6 key elements to follow when building your consent form:
- Clear and Unambiguous: The information must be provided in clear and plain language, and include the purpose for data collecting and processing. No confusing or lengthy legal jargon is permitted.
- Optional and Detached from Other Terms: Consent for data collection must be separate from consent to Privacy Policies or Terms and Conditions. Consent cannot be a precondition for signing up for a service unless necessary for that service.
- Active Opt-In: Forms must use unticked boxes that require a user to actively opt-in to data collection. Forms using pre-ticked boxes or language stating “by continuing to use this website you are consenting to the use of cookies” are both invalid.
- Granular: The best practice is to give granular options for users to consent differently for different types of processing or types of contact.
- Named: Your form should name your company and any third-party organizations explicitly.
- Withdrawal: Users should be able to withdraw their consent as easily as they gave it. Your form should state this.
What is the Difference Between a Data Collector and a Data Processor?
The Data Controller is the entity that determines the purposes, conditions, and means of collecting and processing data. The Data Processor is the entity that processes data on the behalf of the controller. For instance, under GDPR your business would be the data collector and Google Analytics would be the data processor since you control which data is sent to Google Analytics. It is important to note that both parties are responsible for GDPR.
Do I Need to Worry About My Google Analytics?
While Google is taking steps to comply with GDPR, it is ultimately your business’ responsibility to be GDPR compliant. You cannot simply filter out PII using Analytics Filters. You must address PII at the code-level to prevent any PII data from being transmitted to Google Analytics.
To ensure you are GDPR compliant for Analytics:
- Audit Your Data for PII: Check your page URLs, titles, and other data dimensions to ensure no PII is being collected without consent. Common examples are UTM or querystring parameters. Also check that any PII data being entered into forms is not being collected by GA.
- Turn on IP Anonymization: Although IP addresses are not exposed during reporting, Google uses this to provide geolocation data. Google will anonymize IP addresses by removing the last octet of the IP address and replacing it with a 0. The full IP address will never be written to the disk with this feature. However, this will slightly reduce the accuracy of geographic reporting.
- Update your Privacy Policy: You should include any pseudonymous identifiers that you are using in your privacy policy and opt-in consent form, such as user IDs, hashed or encrypted data, and transaction IDs.
- Google Analytics Data Retention: Google Analytics has recently added new settings to control how long user and event data is stored to comply with GDPR. This setting will automatically erase user and event data after a specified timeframe. The default setting is 26 months which Anvil recommends leaving as is, as your reporting will be largely unaffected based on these changes, and it will ensure you follow recommended best practices.
Do I Need to Worry About Display or Social Advertising?
In terms of paid advertising, the platforms that Anvil uses to display ads to users are the data collectors and are custodians of that data. Anvil utilizes tools within those platforms for display criteria and reporting. As such we do not consume user data.
If an EU user wishes to opt out, view, or modify their user data related to our ads, they would contact the platform on which the ads are displayed, not the business whose ad is being displayed, unless the business exported or stored the user’s personal data.
If you are concerned about your business’ performance following the launch of GDPR, Anvil can help you update your marketing strategy including ways to encourage more users to accept your marketing cookies.