If you use a lot of online services, you may have noticed a recurring theme in your email inbox in the past few weeks: companies updating you about changes to their privacy policies and what they're doing to make their services compliant with the GDPR. So what's all the fuss about and why is this happening now?
The EU General Data Protection Regulation (GDPR) is a new privacy regulation that goes into full effect on May 25, 2018. Though it’s a European Union regulation, the GDPR isn’t something that the rest of the world can ignore. It applies to companies and organizations outside the EU that collect data about, or offer goods or services to, citizens of the EU.
In a nutshell, the GDPR requires that organizations give their users detailed information about what personal data they are collecting and how it will be used. Consent must also be obtained for those specific uses. In addition, users must be able to request that organizations give them access to their personal data (in a portable format if desired), make corrections to it, or completely erase it from their records. In the event of a malicious or accidental data breach, organizations are also required to notify authorities within 72 hours.
Though it’s currently unclear as to how strictly all aspects of the regulation will be enforced, fines for not complying with the GDPR will be up to €20 million or 4% of worldwide annual revenue (whichever is higher). The severity of the fine is based on a number of factors, including how many users are affected, whether or not the infringement was intentional, and history of other violations. There's a lot of vague terminology and room for interpretation in the regulations, so it seems unlikely that we'll see the maximum fines doled out immediately, but it is vital for companies and organizations to be making a public effort to improve their compliance.
What constitutes “Personal Data”?
Personal data includes anything that can be used to identify an individual and can be either “sensitive” (meaning that it can pose risks to an individual’s fundamental rights and freedoms) or “non-sensitive” (meaning that it can be tied to an individual but doesn’t pose such risks). Fully anonymized data (meaning that there is literally no way for a computer or human to identify an individual from that data via any method) is outside the scope of the GDPR.
Sensitive personal data includes:
- racial or ethnic origin
- political opinions
- religion or philosophical beliefs
- trade union membership
- genetic or biometric data
- data concerning health
- data concerning sex life or sexual orientation
Non-sensitive personal data includes any information that can be tied to an individual but doesn’t fall under the category above. This includes a variety of things like names, e-mail addresses, ID numbers, location information, etc.
This obviously has some major implications for global services like Facebook and Twitter, but for a standard marketing website, most information collected is going to fall under the non-sensitive category. Things like name and e-mail address are commonly collected in contact forms or newsletter signups, but it’s also important to know that your website - or the plugins and third-party services you’re using - are probably collecting information like IP address or tracking cookies that may include user or session IDs that can be used to look up a specific individual.
You should always be aware of what third-party scripts your site is running, but the GDPR implications make for a good reason to spend some time digging into this and deciding what's essential. As a bonus, removing any unnecessary marketing or tracking scripts may even increase your site's loading speed and general performance. If you have users in the EU, you should also consider delaying the loading of any tracking scripts until after the user has given their consent.
What kind of consent do I need?
Users must explicitly opt into data collection when sensitive personal data is involved, but for non-sensitive data, "unambiguous" consent will suffice. Consent must be requested from users in a straightforward, easy to understand fashion. In addition, different uses of personal data need to be consented to on an individual basis. That means no long pages of legalese and no catch-all “Terms of Service” agreements. It’s also important to note that the user must be able to withdraw their consent at any time.
According to the GDPR, consent needs to be “freely given, specific, and informed”. Each of those terms has a few considerations. “Freely given” means that consent given under any kind of duress is invalid. This includes situations where an employer is pressuring an employee for consent, or there would be clearly negative outcomes for an individual if they refused or withdrew consent. “Specific” means that the organization or company needs to specifically identify what data is going to be collected and how it’s going to be used. “Informed” requires that the user knows who the data controller is and that it’s clearly explained how their data will be processed and used.
As an example, let’s say a user on your website is filling out a newsletter sign-up form. The form asks them to put in their email address. This is non-sensitive data, but let’s consider six possible ways we could set up this form:
Option 1 is the best choice, because the act of checking the box makes it explicit consent, while the wording makes the consent specific and informed. Options 2 (with a pre-checked checkbox) and 3 (with no checkbox) constitute “ambiguous consent” because the user didn’t take any explicit action to consent, even though the wording is the same. Option 4 is both ambiguous and not specific enough regarding how the information will be used. Option 5 is ambiguous, unspecific, and uninformed (because it doesn’t adequately identify who will be using the data). Option 6 lacks consent entirely.
The example above demonstrates how relatively minor UI decisions have major impacts on user privacy and GDPR compliance. Whenever you find yourself asking a user for data, make sure that you're informing them why you're collecting it and what you'll be using it for, and then get their consent.
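The form discussion above is about the UI, but the same rules have to hold on the server that receives the submission: a pre-ticked box must never turn into a stored consent, each purpose is consented to on its own, the exact statement the user agreed to is kept with the record, and withdrawal has to be possible later. The following is an added example written for this article, not code from the original post; the controller name, the purpose ids and the statement texts are hypothetical.

```javascript
// Added example, not code from the original post: the server-side half of a
// newsletter sign-up form, storing consent only when it is explicit, specific
// and informed, and letting the user withdraw it later.
// CONTROLLER, the purpose ids and the statement texts are hypothetical.

const CONTROLLER = "Example Co.";

// One statement per purpose, each shown next to its own unticked box. The text
// names the controller (informed) and one concrete use of the address (specific).
const PURPOSES = {
  newsletter: `I agree that ${CONTROLLER} may email me its monthly newsletter.`,
  offers: `I agree that ${CONTROLLER} may email me about new products and offers.`,
};

// Classify one box as submitted. `box` carries how the box was rendered and
// what the user did: { checked, defaultChecked, text }. In a real deployment
// defaultChecked comes from the server's own form template, not from the client.
function classifyConsent(purpose, box) {
  if (!(purpose in PURPOSES)) return "unknown purpose"; // no catch-all purposes
  if (!box.checked) return "declined";                  // user left it unticked
  if (box.defaultChecked) return "ambiguous";           // pre-ticked: no explicit act
  if (box.text !== PURPOSES[purpose]) return "text mismatch"; // stale or tampered form
  return "explicit";
}

// Turn a submission into consent records. Anything that is not explicit is
// rejected and nothing is stored for it, so an ambiguous tick never becomes
// a mailing-list entry by default.
function processSignup(submission, now = new Date()) {
  const records = [];
  const rejected = [];
  if (typeof submission.email !== "string" || !submission.email.includes("@")) {
    return { records, rejected: [{ purpose: null, verdict: "missing email" }] };
  }
  for (const [purpose, box] of Object.entries(submission.checkboxes || {})) {
    const verdict = classifyConsent(purpose, box);
    if (verdict === "explicit") {
      records.push({
        email: submission.email,
        purpose,
        controller: CONTROLLER,
        statement: box.text,          // the exact wording the user agreed to
        grantedAt: now.toISOString(),
        withdrawnAt: null,
      });
    } else if (verdict !== "declined") {
      rejected.push({ purpose, verdict });
    }
  }
  return { records, rejected };
}

// Withdrawal must be possible at any time; the record is kept (with a timestamp)
// rather than deleted, so the history of what was agreed stays auditable.
function withdrawConsent(records, email, purpose, now = new Date()) {
  let changed = 0;
  for (const r of records) {
    if (r.email === email && r.purpose === purpose && r.withdrawnAt === null) {
      r.withdrawnAt = now.toISOString();
      changed += 1;
    }
  }
  return changed;
}

// The check every mailing job should run before sending.
function mayEmail(records, email, purpose) {
  return records.some(
    (r) => r.email === email && r.purpose === purpose && r.withdrawnAt === null
  );
}
```

Storing the statement text with each record is what makes the consent "specific and informed" provable later: if the wording on the form changes, existing records still show what each person actually agreed to, and a mismatch between the submitted text and the current template is rejected rather than silently accepted.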
Google Analytics considerations
The vast majority of websites are running Google Analytics to gain insights into their page traffic, user behaviour, and search performance. The GDPR is leading to some major changes in how Google collects data. They recently rolled out their data retention controls, which allow you to specify how long you want to keep user data, and soon they'll also release their user deletion tool, which will allow you to remove data associated with specific users (as is required by the GDPR when a user requests erasure of their data).
You can get an idea of what percentage of your users are coming from the EU in Analytics under Audience > Location. The GDPR can't just be ignored if this percentage is low, but if it's a significant chunk of your traffic, you'll definitely want to put extra attention into improving your GDPR compliance. Google determines location based on IP address, and though it may make your audience location information slightly less accurate, you may want to consider activating IP Anonymization in Analytics. This is a simple feature to implement and can help limit the amount of personally identifiable information Google is collecting on your behalf.
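Two of the practical suggestions in this article, holding back tracking scripts until the visitor has consented (from the third-party scripts section) and turning on IP anonymization in Analytics (just above), fit together in one small piece of client-side code. The following is an added example, not code from the original post or from Google: the purpose name is hypothetical, `UA-PLACEHOLDER` stands in for a real property id, and the script loader is passed in so the gate can be exercised outside a browser. The `anonymize_ip` option is a real gtag.js configuration field.

```javascript
// Added example, not code from the original post: a small consent gate that
// holds back third-party tracking scripts until the visitor opts in, with the
// Google Analytics loader configured for IP anonymisation once it does load.
// The purpose name is hypothetical, UA-PLACEHOLDER stands in for a property id,
// and `inject` is passed in so the gate can run outside a browser.

class ConsentGate {
  constructor(inject) {
    this.inject = inject;     // (url) => void: how a script actually gets loaded
    this.granted = new Set(); // purposes the visitor has consented to
    this.queued = new Map();  // purpose -> [{ url, onLoad }] waiting for consent
    this.loaded = [];         // urls already injected
  }

  // Register a script under a purpose. It loads now only if consent exists;
  // returns whether it was loaded immediately.
  defer(purpose, url, onLoad = null) {
    if (this.granted.has(purpose)) {
      this.load(url, onLoad);
      return true;
    }
    if (!this.queued.has(purpose)) this.queued.set(purpose, []);
    this.queued.get(purpose).push({ url, onLoad });
    return false;
  }

  // Called from the consent banner; flushes everything queued for that purpose
  // and returns how many scripts were released.
  grant(purpose) {
    this.granted.add(purpose);
    const pending = this.queued.get(purpose) || [];
    this.queued.delete(purpose);
    for (const p of pending) this.load(p.url, p.onLoad);
    return pending.length;
  }

  // Stops future loads. Scripts already on the page keep running until the
  // next navigation, so a banner should also clear the stored decision.
  withdraw(purpose) {
    return this.granted.delete(purpose);
  }

  load(url, onLoad) {
    this.loaded.push(url);
    this.inject(url);
    if (onLoad) onLoad();
  }
}

// Browser loader: append an async <script> tag. Guarded so the block can be
// loaded from Node for testing.
function browserInject(url) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.async = true;
  s.src = url;
  document.head.appendChild(s);
}

// The usual gtag.js bootstrap calls, with anonymize_ip set. `gtag` is passed
// in; on a real page it is the standard function that pushes onto dataLayer.
function configureAnalytics(gtag, propertyId) {
  const options = { anonymize_ip: true };
  gtag("js", new Date());
  gtag("config", propertyId, options);
  return options;
}

// Wiring as a page would do it: analytics is registered up front but only
// reaches the network after gate.grant("analytics") is called.
function setupPage(inject = browserInject, propertyId = "UA-PLACEHOLDER") {
  const dataLayer = typeof window !== "undefined"
    ? (window.dataLayer = window.dataLayer || [])
    : [];
  function gtag() { dataLayer.push(arguments); } // gtag.js expects `arguments`
  const gate = new ConsentGate(inject);
  gate.defer(
    "analytics",
    `https://www.googletagmanager.com/gtag/js?id=${propertyId}`,
    () => configureAnalytics(gtag, propertyId)
  );
  return { gate, dataLayer };
}
```

Sites still on the older analytics.js library get the same effect with `ga('set', 'anonymizeIp', true)` before the first pageview is sent. Either way the gate is what matters for the consent requirement: with the loader deferred, no request leaves the browser, and no cookie is set, until the visitor has actually opted in.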
Real-world implementation
The GDPR will affect almost every service you use online, in some way or another. A lot of major players are still scrambling to give their users the resources and tools to comply with the regulation, but the technical implementations can be a huge challenge.
Imagine that you run an online store and a user who has made several purchases from you over several years contacts you and asks for their data to be deleted. You can't simply delete the records of all of their transactions as that would ruin your accounting. What happens if you get audited? Are purchases tied to user accounts in your database? If you delete their user account what happens to their purchases? Does the platform you're using allow you to remove name/address/credit card information from guest purchases? What happens if the user requests a data deletion after their order has shipped and then initiates a chargeback on their credit card for the transaction you can no longer link to them? Depending on how your e-commerce platform is built and the steps they've taken to comply with the GDPR, any of these questions could become problems for you.
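One way to approach the store scenario above, written as an added example rather than code from the original post or from any particular e-commerce platform: delete the account, strip the identity fields from every order that belonged to that person (including guest checkouts matched by email), but keep the order ids, dates and totals so the books still add up. The in-memory store, its field names and the sample records are constructed for this example, and the assumption that amounts and dates may be retained for bookkeeping while the buyer's identity must go is a hypothetical policy choice, not something the regulation text on this page settles.

```javascript
// Added example, not code from the original post: one way a small shop could
// honour an erasure request without losing its accounting trail. It assumes
// (hypothetically) that amounts, dates and order ids may be retained for
// bookkeeping while the buyer's identity must go. The in-memory store and
// its field names are constructed for this example.

// Sample data, constructed for the example.
function sampleStore() {
  return {
    customers: [
      { id: 42, name: "A. Buyer", email: "a.buyer@example.com", address: "1 Example St" },
    ],
    orders: [
      { id: 1001, customerId: 42, email: "a.buyer@example.com",
        shipTo: { name: "A. Buyer", address: "1 Example St" },
        cardLast4: "4242", placedAt: "2016-03-01", total: 59.9 },
      { id: 1002, customerId: 42, email: "a.buyer@example.com",
        shipTo: { name: "A. Buyer", address: "1 Example St" },
        cardLast4: "4242", placedAt: "2017-11-20", total: 120.0 },
      // Guest checkout: no account, but the same person.
      { id: 1003, customerId: null, email: "a.buyer@example.com",
        shipTo: { name: "A. Buyer", address: "1 Example St" },
        cardLast4: "4242", placedAt: "2018-01-05", total: 15.5 },
      { id: 1004, customerId: null, email: "other@example.com",
        shipTo: { name: "O. Other", address: "9 Other Rd" },
        cardLast4: "1111", placedAt: "2018-02-02", total: 40.0 },
    ],
  };
}

// Fields on an order that identify the buyer; everything else is kept.
const IDENTITY_FIELDS = ["email", "shipTo", "cardLast4"];

// Erase a person by email. Deletes the account, strips identity fields from
// every order with that email (account or guest), and returns a summary that
// becomes the audit record of the request itself.
function eraseByEmail(store, email, now = new Date()) {
  const accounts = store.customers.filter((c) => c.email === email);
  store.customers = store.customers.filter((c) => c.email !== email);

  let scrubbed = 0;
  for (const o of store.orders) {
    if (o.email !== email) continue;
    for (const f of IDENTITY_FIELDS) o[f] = null;
    o.customerId = null;             // the account no longer exists
    o.erasedAt = now.toISOString();  // when the identity was removed
    scrubbed += 1;
  }
  return {
    deletedAccounts: accounts.map((c) => c.id),
    scrubbedOrders: scrubbed,
    erasedAt: now.toISOString(),
  };
}

// Bookkeeping still works afterwards: totals per year do not depend on who bought.
function revenueForYear(store, year) {
  return store.orders
    .filter((o) => o.placedAt.startsWith(`${year}-`))
    .reduce((sum, o) => sum + o.total, 0);
}

// Does an order still carry anything identifying? Used to verify an erasure.
function orderHoldsIdentity(order) {
  return IDENTITY_FIELDS.some((f) => order[f] !== null && order[f] !== undefined);
}
```

This deliberately keeps nothing that links a scrubbed order back to the buyer, which is why the chargeback case the paragraph above raises is not solved here: once the card and name are gone, a later dispute cannot be matched to the order from your side. Whether some reference may be retained for that purpose under a legal obligation is exactly the kind of platform-specific question the article says to work out before a request arrives.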
There are a lot of technical and legal issues which arise from all-encompassing regulations like the GDPR and over the next few months, we'll start to see how strictly it's enforced and how businesses respond. In the meantime, make an effort to understand the services that power your website, what kind of data they're collecting on your behalf, and how you can control that data if the need arises. Despite the lack of specificity and detail in some aspects of the GDPR, its end goal is to protect users' privacy, and a little extra consideration when choosing/configuring your third-party services can go a long way in improving your compliance.