Cookies under the GDPR & ePrivacy, and how to be compliant
Are you tired of constantly seeing cookie banners pop up on every website you visit? Are you wondering if you need to put them on your website? Well, let’s find…
Do you ever wonder what website owners can do with your data after you have consented to the cookie banner? And why is that cookie banner there in the first place? That’s right: because of the GDPR. The GDPR, the General Data Protection Regulation, has now been in force in the European Union for some years. For companies and website owners alike, it can be pretty laborious to comply with all of its requirements. So, in this post, I will look at what the GDPR consists of and what it means for website owners like you and me.
The GDPR is a strict set of EU data protection rules. It improves your access to the information organizations hold about you and limits what those organizations can do with that personal data. The regulation, like the UK’s Data Protection Act 2018 that implements it, went into effect on the 25th of May 2018. You have probably noticed the effects of the GDPR in the form of the cookie banner. On top of that, browsers like Safari and Firefox now block third-party cookies by default, which makes tracking visitors harder still.
Now, you might be thinking: do these rules also apply to my website and its tracking tools? Well, when you install web analytics software like Google Analytics 4 on your website, you are collecting and processing personal data of your users (think of IP addresses and the identifiers stored in analytics cookies). And don’t think that you are off the hook because you are not situated in the EU. As soon as you collect data from, or monitor the behaviour of, users in the EU, you need to comply. So, you must know what is required of you under the regulation.
To be clear, the GDPR is one long regulation: the full text contains 99 individual articles. Still, Article 5 boils it down to seven basic principles for processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
As the final principle, accountability, makes clear, you are responsible for complying with the regulation. Therefore, the consequences of breaching the GDPR will be yours.
Breaches of the GDPR can be fined by the national data protection authorities. In one of the most significant fines under the GDPR, Google was fined €50 million by the French data protection authority (the CNIL). There were two main reasons for the fine: Google did not adequately inform users about how it used the data it collected across its different services, and it did not obtain valid consent for processing user data for personalised advertising. This example concerns a company’s own data collection and storage. However, it might also be the case that the tools you use are not GDPR compliant.
For example, the Austrian DPA recently ruled that a website’s use of Google Analytics violated the GDPR, because the personal data it transfers to Google in the United States is not adequately protected there. After this ruling, the data protection authorities of other European countries like Italy and France came to the same conclusion. This means that the standard Google Analytics setup cannot be used lawfully in those countries. To check whether it is still allowed in your European country, have a look at isgoogleanalyticsillegal.com. To avoid getting into trouble, it is important to check your analytics setup. Ask yourself the following questions to find out if your website tracking tools are compliant:
If your answer to any of these questions is yes, your analytics setup is probably not GDPR compliant. In that case, it is wise to start looking for compliant alternatives.
Before I share some best practices with you, I would like to emphasize that this is not legal advice in any way. If you are in doubt, always contact a legal professional.
Below you find a summarized list of actions that you can take to check your current setup. This list serves merely as a place to get you started. As you will read, simply anonymizing IP addresses is not enough to be GDPR compliant. So, what is?
In this article I will not discuss the exact cookie consent requirements, because those come from the ePrivacy Directive, which each EU member state transposes into its own law, so the details differ per country. For advice on this, I recommend that you get additional legal advice or look at consent management parties like CookieYes or CookieScript.
As you have probably noticed by now, there are many things to take into account when it comes to tracking your website under the GDPR. I have summarized the actions you can take to ensure your tracking setup is compliant: practical steps that you can take today to avoid getting into trouble with a regulatory agency. If you would like help with this, or personal advice on your situation, don’t hesitate to contact us.