Since May 2018, brands have been scrambling to ensure that their websites comply with the EU’s General Data Protection Regulation.
GDPR REQUIREMENTS FOR GDPR COMPLIANCE
GDPR places equal liability on data controllers (the organizations that own the data) and data processors (outside organizations that help manage that data). Organizations must inform customers of their rights under GDPR, including the purpose and method of data collection and instructions on how to opt out of data collection.
Explain the rights of the individual. You are required to explain what privacy rights your visitors have. Their rights include the following:
- They can request that their data be deleted or corrected.
- They can access the data a company has about them.
- They can request that their data be transferred to another party.
- They must give consent for their data to be used.
- An appropriate description of how you're using data collected online.
- A message about how you or third-party vendors use the data you collect.
- Information about how your visitors can opt out of data collection.
General statements should include overall data policies. How is this data primarily used? More importantly, how is it stored? Make sure users know if their information is being shared with third parties or if your tracking anonymizes their identity.
Give users an overview of select services you may be using – for example, Google Analytics. Google Analytics is probably something you have installed on your website. When you use third parties such as this, it’s also important to include sections outlining specifically what each service is used for in data collection.
Let users know the website uses Google Analytics, which is primarily for tracking and measuring website traffic. Google Analytics anonymizes identity, so no personally identifiable information is stored on the platform. Be sure to include this disclaimer in the policy, too.
Let your users know you are monitoring traffic to make website enhancements and user experience improvements. Remind them their information won’t be shared unless explicitly stated.
You will also need to include a way for users to opt out of Google Analytics tracking. Follow this link to get a tool to allow your browser to do so.
Google AdWords - Targeting and Remarketing
If you are using Google AdWords for remarketing or targeting, which extends to Google Analytics as well, you need to write a special disclaimer describing the type of data collection and processing you are conducting. Whether you are remarketing to an audience defined by website tracking or using behavioral targeting through display and video advertising, you need to let users know specifically what you are doing with the audience segment.
If you are using Facebook Pixel to track or target, via a Business Page or Ad Account, you will need to include a special section about the social network. Follow the same format as Google Analytics and Google AdWords, because Facebook tracking and targeting essentially share the same data collection process.
If you have integrated your site with Facebook (for advanced features such as adding the login to your website, or other development options), you will need to include a special section on how you have installed this technology on your website. For example, if you're using the Facebook Login package, you’ll need to let users know how you have set up the integration.
With most third-party tools you need to include an opt-out component. To opt out of Facebook Pixel tracking and data collection, follow this link to change the settings in your Facebook profile.
This reminder may be getting repetitive, but do not forget the opt-out component. To opt out of Crazy Egg, follow the instructions to remove yourself from the data collection process.
Again, please do not forget an opt-out! To opt out, you can adjust your privacy settings for tailored advertisements. Twitter also supports “Do Not Track” (DNT). If you have activated this option in your browser, Twitter will not receive any browser-related information.
DON'T BECOME COMPLICIT WITH COMPLIANCE!
Use these guidelines to generate a decent starting point for your document and have a legal professional or your company’s attorney review the literature. Include every third-party technology you utilize, and if you are unsure about how certain tracking or targeting software functions, be sure to contact a specialist at Ascedia. We can walk you through how these tools function, including how they collect data and how you may potentially use this data.
If you get stuck writing, look around at similar brands in your industry who have adopted new policy statements. This will help you conceptualize how to form this essential piece for your website. It’s time to get compliant.