North American brands and businesses need to pay close attention to the privacy legislation that will soon go into effect in Europe. Though the General Data Protection Regulation (GDPR) is made to protect people in Europe, you will likely have to make immediate changes to your website functionality and marketing strategies to ensure you are not inadvertently collecting data on Europeans without their explicit consent.
If you operate a website or app, you probably use cookies or similar tracking technologies (such as the Google Analytics tag, the Google AdWords conversion tag, the Facebook Pixel, etc.) to offer people a better user experience, understand your traffic and audience, and/or show them more relevant ads. In many instances, to continue doing this you will now be required to obtain consent from people first.
In this blog series, we will cover:
• Current post: What is the GDPR?
• Blog 2: What Canadian and US Businesses Need To Know
• Blog 3: How It Affects Your Facebook Tracking and Advertising
• Blog 4: How It Affects Your Google Tracking and Advertising
Chances are you’ve heard about the privacy issues Facebook has been encountering lately. As people become more aware of how much of their data is being collected and shared from their internet activity, there’s an increased demand for privacy. The European Union (EU) is even going so far as to introduce new laws giving their citizens more control of their data, with strict regulations called the General Data Protection Regulation (GDPR) going into effect May 25, 2018.
Even if you live outside of the EU, if you have a website or app that collects personal data, you need to educate yourself on the GDPR restrictions. There is a misconception that if you aren’t based in the EU, you are somehow exempt from its influence. The truth is these terms have important implications for businesses everywhere, including those in Canada and the United States. For example, if people in the EU visit your website, you must obtain their consent before tracking them or collecting their data; offering an opt-out after the fact is not enough. Is your website set up to do this? If not, it will soon have to be.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a set of rules designed to give individuals in the EU more control over how companies from all over the world are allowed to use their data. It protects anyone located in the EU, not only EU citizens. Companies must be GDPR compliant by May 25, 2018.
Under its rules, EU citizens have the right to:
- Know exactly how their personal data is being processed
- Get access to the personal data held about them
- Ask for incorrect, inaccurate or incomplete personal data to be corrected
- Request that personal data be erased when it’s no longer needed or if processing it is unlawful
- Object to the processing of their personal data for marketing purposes
- Request the restriction of the processing of their personal data in specific cases (e.g. while they contest its accuracy, you may keep storing the data but must stop using it otherwise)
- Receive their personal data in a commonly used, machine-readable format in order to send it to another business
- Not be subject to decisions that significantly affect them and are based solely on automated processing of their personal data, and to obtain human review of such a decision.
The part of these regulations that most affects North American businesses is not just giving people in the EU access to their data, but the process of getting their consent to collect that data in the first place.
Who Does It Affect?
No matter where you live, where your business operates, or who hosts your website, if you target, market to, or do business with people in the EU, you are affected by the GDPR. Also, Facebook recently announced that it is extending its GDPR guidelines concerning data collection to all users, regardless of location, so you will need to comply with at least some of these reforms if you want to continue advertising on Facebook and tracking Facebook users’ activity on your website.
Key Terms
Consent
Implied consent is a thing of the past. You can no longer assume that John Doe’s permission to be on your email list means he also consented to be targeted by Facebook ads, added to another email list, etc. This is arguably the biggest hurdle companies will face when complying with the new rules, as they are much stricter than in the past.
Under the GDPR, the terms of consent are:
- it must be freely given – you cannot make access to your website, app, service, etc. conditional on consent to processing that the service does not actually need
- it must be informed
- it must be given for a specific purpose
- all the reasons for the processing must be clearly stated
- it is explicit and given via a positive act – for example, an electronic tick-box that the individual has to explicitly check online or a signature on a form
- it uses clear and plain language and is clearly visible
- it is possible to withdraw consent and that fact is explained – for example, an unsubscribe link at the end of an electronic newsletter email.
The takeaway from this is the importance of transparency and the use of layman’s terms. You must be specific and clear about how and why you will use people’s data and you cannot hide your intentions behind legal jargon.
Some important things to keep in mind when acquiring consent:
- You must obtain consent before you collect any personal data
- No matter how you collect data, pre-ticked authorization boxes, inactivity, or silence do not count as consent. This means you cannot rely on a message that says “by continuing to use this website you consent to …”; scrolling or continuing to browse is not consent, and non-necessary cookies must not be set until the person actually agrees.
- They must give unambiguous consent, so they must click something where it is obvious they are agreeing such as “I agree,” “accept cookies,” etc.
- You cannot force consent. The person must be able to use your services, website, app, etc. without needing to consent to have their personal data collected. This means you can’t have a pop-up box that prevents them from using the service until they agree, for example.
- Anyone younger than 16 years of age cannot give consent for online services themselves; it must be given or authorized by their legal guardian. (Individual EU member states may lower this age, but not below 13.)
When do I NOT need to get consent?
If you need the information for the person to use your website, app, or service without noticeable issues, or when processing it is in your legitimate interests (note that this basis refers to your interests, not the person’s, and it only applies where those interests are not overridden by the person’s rights), you can collect the data. An additional caveat is you can also collect without consent if you have a legal obligation to do so, or if it is to carry out a task that is in the public’s best interest. Lastly, if your data is truly anonymized and cannot be connected in any way to a person, the GDPR does not apply to it, so you do not need consent to collect or process it.
Examples include:
- To run cookies that are necessary for your website, or app to function
- If they sign up for your online class and you need their email on file to send them coursework
- To use share buttons, where your website must send data to the social network so the data subject can share the content they want
- A cookie that remembers a user’s login so they don’t have to log in again each time, assuming they initially asked for this (e.g. a “remember me” box)
- If a user is doing anything on your website which creates a legal requirement for the reporting and/or sharing of their information
- Google Analytics data that is genuinely anonymized and used only for statistical purposes. Be careful here: the Google Analytics client ID is a cookie ID, which the GDPR treats as personal data (see below), so turning on IP anonymization alone does not make the data anonymous.
How can I get consent?
The easiest way to gain consent for websites is through the use of a cookie bar. This bar should contain a few sentences explaining that the website uses cookies and for what purpose (e.g. website efficiency, analytics, marketing, etc.), contain a link to your cookie policy, explain that the data subject can visit the link to learn more, and ask the subject to agree to the cookies being set. The important part is what happens behind the bar: the analytics and marketing tags must not load, and their cookies must not be set, until the person clicks agree. A bar that merely displays a notice while the pixel fires in the background is not consent.
The cookie policy page is where you will specifically explain what cookies are and detail in plain language all the ones you use, including both necessary and unnecessary ones, the purpose of them, who is processing the data, how long data will be stored, and how the subject can agree to consent, withdraw consent, change processing preferences, or contact you to have data deleted or sent to them.
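As an added illustration of the cookie-bar approach described above (example code written for this post, not code from the original post or from Google or Facebook), the script below gates third-party tags behind an explicit click and never treats silence, scrolling or an old record as consent. The cookie name cookie_consent, the data-consent and data-src attributes, the category names and the list of first-party tracking cookies (_ga, _gid, _gat, _fbp, _fbc) are assumptions for illustration; audit your own site for the cookies your tags actually set.

```javascript
// Added example for this post: a minimal consent gate for third-party tags.
// Cookie name, attribute names, categories and tracking-cookie list are assumptions.
const CONSENT_COOKIE = "cookie_consent";       // first-party cookie holding the consent record
const CONSENT_VERSION = 2;                      // bump when the cookie policy changes; old records stop counting
const CATEGORIES = ["analytics", "marketing"];  // "necessary" tags never need consent
// First-party cookies the gated tags typically set (assumed; audit your own site).
const TRACKING_COOKIES = { analytics: ["_ga", "_gid", "_gat"], marketing: ["_fbp", "_fbc"] };

// Parse a stored consent record.  Returns null ("no consent, ask again") unless the
// value is well-formed, matches the current policy version and records an explicit
// positive act (given === true).  A missing cookie, garbage, or an old version is
// treated exactly like silence: no consent.
function parseConsent(raw) {
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(decodeURIComponent(raw)); } catch (e) { return null; }
  if (!rec || rec.version !== CONSENT_VERSION || rec.given !== true) return null;
  if (typeof rec.timestamp !== "string" || Number.isNaN(Date.parse(rec.timestamp))) return null;
  const choices = {};
  for (const c of CATEGORIES) choices[c] = Boolean(rec.choices && rec.choices[c] === true);
  return { version: rec.version, given: true, timestamp: rec.timestamp, choices };
}

// Build the record written when the user clicks "Save choices".  `choices` must come
// from checkboxes that are unchecked by default; anything but a literal true is "no".
function makeConsentRecord(choices, now) {
  const rec = { version: CONSENT_VERSION, given: true, timestamp: now.toISOString(), choices: {} };
  for (const c of CATEGORIES) rec.choices[c] = choices[c] === true;
  return rec;
}

function serializeConsent(rec) {
  return encodeURIComponent(JSON.stringify(rec));
}

// Read one cookie out of a document.cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx >= 0 && part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Decide which gated tags may run.  Each tag is {category, src, ...}.  "necessary"
// tags always run; every other category needs its own consent.
function scriptsToActivate(consent, tags) {
  return tags.filter(t => t.category === "necessary" ||
                          (consent !== null && consent.choices[t.category] === true));
}

// Cookies to expire on withdrawal: the record itself plus the tracking cookies of
// the withdrawn categories.
function cookiesToClear(categories) {
  const out = [CONSENT_COOKIE];
  for (const c of categories) for (const n of TRACKING_COOKIES[c] || []) out.push(n);
  return out;
}

// ---- browser glue; only meaningful where a DOM exists ----
// Tags are authored as
//   <script type="text/plain" data-consent="analytics" data-src="https://..."></script>
// so the browser never executes them until this code rewrites them.
function applyConsent(doc) {
  const consent = parseConsent(readCookie(doc.cookie, CONSENT_COOKIE));
  const els = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = els.map(el => ({ el, category: el.getAttribute("data-consent"),
                                src: el.getAttribute("data-src") }));
  for (const t of scriptsToActivate(consent, tags)) {
    const s = doc.createElement("script");
    if (t.src) s.src = t.src; else s.textContent = t.el.textContent;
    t.el.replaceWith(s);   // from here the tag loads exactly as it would untouched
  }
  return consent;          // null: show the cookie bar
}

// Called from the bar's "Save choices" / "Accept" button, never from scroll or timers.
function saveConsent(doc, choices) {
  const rec = makeConsentRecord(choices, new Date());
  doc.cookie = CONSENT_COOKIE + "=" + serializeConsent(rec) +
               "; Max-Age=" + 180 * 86400 + "; Path=/; SameSite=Lax; Secure";
  return applyConsent(doc);
}

// Withdrawal: expire the record and the first-party tracking cookies we know about.
// Cookies the tags set with a Domain attribute (e.g. _ga on ".example.com") can only
// be expired with the same Domain, so pass it when you know it.
function withdrawConsent(doc, domain) {
  for (const name of cookiesToClear(CATEGORIES)) {
    doc.cookie = name + "=; Max-Age=0; Path=/";
    if (domain) doc.cookie = name + "=; Max-Age=0; Path=/; Domain=" + domain;
  }
}
```

Gated tags are authored with type="text/plain" so the browser does not execute them on page load; nothing fires on scroll or continued browsing, a missing or malformed record means “ask again”, and bumping CONSENT_VERSION forces re-consent after a policy change. Withdrawal expires the first-party cookies this script knows about, but data already sent to the vendor has to be dealt with through the vendor’s own deletion process.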
For email lists, consent can be acquired by contacting everyone on your list and asking them to either confirm their consent or not (e.g. unsubscribe). You MUST have a way to differentiate inactivity (people who ignored the email or didn’t respond) from affirmative action (people who clicked to confirm they want to stay on the list), because the former is NOT consent. Realistically, this will mean having to delete all non-responding EU contacts from your list.
Personal Information
Under the GDPR, you only need to worry about consent when you are collecting personal data. This seems straight-forward, but it isn’t. The terms of what counts as personal information cast a wide net under these regulations.
According to the European Commission, personal data that has been de-identified, encrypted or pseudonymized but can still be used to re-identify a person remains personal data and falls within the scope of the GDPR. This means that a username, a cookie ID or a device identifier on its own counts as personal data whenever it can be linked back to a real person or used to build a profile of one, even if you never learn the person’s name.
Examples:
- a name and surname, home address, and email address such as name.surname@company.com
- an identification card number
- location data – for example, the location data function on a mobile phone
- an Internet Protocol (IP) address
- a cookie ID
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
Examples of data not considered personal data
- a company registration number
- an email address such as info@company.com
- anonymized data
Data Controller
The party who decides the ‘purposes’ and ‘means’ of any processing of personal data is the “data controller.” Note that this is about who decides why and how the data is processed, not who physically collects it. The data controller carries the primary responsibility for complying with the rules on obtaining and using data, and for choosing processors that comply too.
The biggest impact here is on your website. When you give an outside party access to your site, and through it to the data of everyone who visits, you are the data controller and they are the processor. Take the Facebook pixel, for example. You aren’t technically collecting the data; the pixel is doing that heavy lifting. Except, the action of putting it on your website and giving it access to your users means you are the data controller and responsible for adhering to the rules of consent. (Where a vendor also uses that data for its own purposes, it is a controller in its own right for that use; check the vendor’s data processing terms.)
Data Processor
The data processor is the party that processes personal data on behalf of the data controller and only on the controller’s instructions, for example by storing or analyzing data the controller collects. Processors are also responsible for being compliant, and data controllers will face consequences for choosing processors who do not adhere to the GDPR. For example, if you are using the Facebook pixel or Google Analytics code on your website, they act as the data processor for that data.
The good news is that data processors have their own set of responsibilities under the GDPR and are directly liable if, for example, they use or share data beyond what the data controller instructed.
Even if you aren’t based in Europe and aren’t actively targeting a European audience, you may still have to make modifications to your website and advertising strategies. Read the next posts in this blog series to learn about the concrete next steps you may need to take.
Note: We aren’t lawyers, so please be sure to review your obligations with your legal team. The information we share is based on general marketing best practices and information our team has reviewed from a variety of sources.