GDPR: Europe’s General Data Protection Regulation

You’ve no doubt noticed that more and more websites notify you that they use cookies while you browse. So why now, what changed? The answer is the GDPR, the General Data Protection Regulation, which became enforceable across the European Union on May 25th, 2018. It’s a set of rules governing how businesses may collect, store and use their customers’ personal information, a topic that has been in worldwide focus after a run of massive data security breaches. First, a little background.

Troubling Privacy and Security Trends

According to IdentityForce, 2017 saw more data breaches across the globe than any prior year. That metric is considerably more staggering when you consider how much of our personal data is now stored on remote servers, hosted databases and online platforms. Today people are even sending their DNA off to the Internet to help trace their roots, and if last year is any indicator, it’s only a matter of time before that information is traded in the same places that stolen credit cards are traded today. What will the dark web do with your DNA once they have it? Only time will tell, but the chances are very good that this data will also find its way out of secure storage at some point.

When you allow a third party to store personal information like credit card numbers, social security numbers, family lineage, etc., you are trusting that company’s security controls, internal processes and routine maintenance procedures to keep your information safe from those who would do you harm. And it’s not always a clandestine act by a far-away hacker that exposes your information. In 2017 we saw Wells Fargo accidentally release confidential information on tens of thousands of its clients. The hits just kept on coming for Wells Fargo, as we also learned in 2017 that employees of the company had internally accessed the confidential information of their customers to open as many as “3.5 million potentially fake bank and credit card accounts”, according to CNN. Those accounts were opened out of plain and simple greed, as employees sought to exploit internal sales incentives for personal financial gain using the confidential information of their customers.

But we don’t mean to pick on Wells Fargo: high-profile data breaches and hacks were reported by Equifax, Verizon, Yahoo, Uber, eBay, Kmart and even the SEC in 2017, and there were plenty more. These breaches are the worst-case scenario, and most of them involved the exposure of personal or private information collected and held by the organizations.

Privacy and You

The fact that people are stealing personal information is really only part of the story. Most of the data discussed above was freely given by consumers to those organizations, and in most cases without the transfer of this private data there could be no relationship between the two parties. For example, Verizon needs to know your address and telephone number to be able to communicate with you and provide service. The relationship cannot exist without this transfer of PII (personally identifiable information).

But what about personal data collected about you without your knowledge? Or information you freely give to one organization that’s then sold or traded to another company for a purpose you didn’t explicitly authorize? These are the interactions that privacy regulations are also trying to curb, by requiring companies to be transparent about not only what they collect online, but what they do with it, how they share it with third parties, and what your options are for stopping them.

This was on full display after the 2016 US presidential election, when it was revealed that Facebook had allowed an analytics firm named Cambridge Analytica to leverage the personal data of millions of Facebook users to facilitate targeted advertising for political candidates. What’s under-reported is that the same data mining techniques were used by campaigns in the previous election four years earlier, so the problem isn’t new. In this case Facebook users hadn’t consented to the distribution of their information, and Facebook has since strengthened its privacy policies as a result.

Have you noticed that when you start your car your smart phone may automatically share a drive time estimate to where it “thinks” you’re headed?  Mine alerts me that it’s going to take 12 minutes to get my kids to karate on Wednesdays, and it freaks me out a bit.  This sort of data is being compiled by your phone and it allows the device to create a profile that’s obviously pretty good at predicting your behavior.  Pretty scary stuff if you ask me, because it’s very difficult to turn all of that on-board tracking off.

Cookies Aren’t Just for Dessert Anymore

By highlighting just a small number of data breaches above, you can begin to see why countries and entire continents are strengthening privacy laws to protect their citizens. The goal is to give the consumer control over how a company may collect and use their personal information. Online, that covers more than just the data you provide freely to a website; it extends to the data a website captures about you and your browsing habits.

This data is stored in what’s called a cookie: a small piece of text that a website asks your browser to keep and then send back with every later request to that site, so the site can read and update it. Some cookies are strictly necessary for the website to function, like a “session” cookie that holds your login or shopping cart and is discarded when you close the browser. Other cookies may persist for months or even years unless you delete them (clearing the browser cache does not remove cookies), and those are the ones that can track your online behavior across visits and let companies do things like target advertising based on your browsing history.

Have you ever visited a shopping website only to see their ads follow you around on other websites for a week? That’s a tracking cookie, usually set by the advertising partner’s domain rather than the shop’s, which has logged your interest in a specific product or service, reported that interest back to the advertising network, and is then read on every other site in that network to serve banner ads to you as you browse. It’s these cookies, the data they collect, how they interact with third parties, and your ability to understand and refuse participation that the GDPR covers.

What are the specifics of the regulations and their impact on your website?

  • You cannot assume that users understand your website’s use of cookies, or that they automatically give their consent simply by using your website.
  • Website guests must actively opt in to your cookie policy by signaling their intent through some sort of website call-to-action. An update to your privacy policy expanding on the use of cookies is not enough on its own, because implied consent is no longer sufficient.
  • If a guest refuses to grant consent, their experience on your website must be no different.
  • You must make it as simple and obvious to deny or withdraw consent as it is to grant it, so provide a clear decline option alongside the accept option, not just a way to opt out buried in a settings page.

These requirements follow from GDPR Recital 30, which establishes that cookie identifiers can count as personal data, combined with the regulation’s standard for consent (freely given, specific, informed and unambiguous, signaled by a clear affirmative action):

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”


The generally accepted practice for GDPR compliance is to show a pop-up DIV when a guest first lands on your website. Most of the notices we’ve seen, even on sites like CNN above (at least at the time of publishing), simply require direct interaction with a call-to-action that paraphrases “by interacting you’re accepting”. From what we’ve read, the regulation seems to require a bit more than that, and many of the European websites we visit take the opt-in a step further by allowing guests to opt in to individual categories of cookies. Again, we’re not lawyers (see below), but we feel it’s prudent to provide at least both an option to accept and an option to decline, even if you’re running a website that caters primarily to domestic American visitors. This pop-up should persist on every page of the website until it is interacted with, either granting or denying permission to use cookies. For most public front ends, that means keeping tracking scripts such as Google Analytics from loading, and therefore from setting their cookies, until consent has actually been granted.
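As an added example of the banner behavior described in the bullets and the paragraph above (this is our own illustration, not code from any consent vendor or from Google), the snippet below keeps the analytics script off the page until the visitor clicks Accept, records a Decline so the banner stops reappearing while the site works exactly the same, and re-asks after the consent record expires. The cookie name `cookie_consent`, the six-month lifetime, the element ids and the placeholder measurement ID in the analytics URL are all assumptions for this example.

```javascript
// Added example: opt-in cookie banner that gates a tracking script on explicit consent.
// Cookie name, lifetime, element ids and the analytics URL below are assumptions.

const CONSENT_COOKIE = 'cookie_consent';          // assumed first-party cookie name
const CONSENT_MAX_AGE_DAYS = 180;                  // assumed: re-ask after six months
const ANALYTICS_SRC = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX'; // placeholder ID

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// 'granted', 'denied', or null when the visitor has not answered yet.
// Any other value (tampered or stale) is treated as "not answered".
function readConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'granted' || value === 'denied' ? value : null;
}

// String for document.cookie. Secure + SameSite=Lax so the consent record
// itself is not sent over plain HTTP or attached to cross-site requests.
function buildConsentCookie(decision, maxAgeDays = CONSENT_MAX_AGE_DAYS) {
  if (decision !== 'granted' && decision !== 'denied') throw new Error('bad decision');
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// The whole policy in one place: the banner stays until there is a recorded
// answer, and analytics loads only on an explicit "granted", never by default.
function decide(consent) {
  return { showBanner: consent === null, loadAnalytics: consent === 'granted' };
}

// Inject the analytics <script> tag only after consent (idempotent).
function loadAnalytics(doc) {
  if (doc.getElementById('analytics-loader')) return;
  const s = doc.createElement('script');
  s.id = 'analytics-loader';
  s.async = true;
  s.src = ANALYTICS_SRC;
  doc.head.appendChild(s);
}

// Render accept and decline side by side, with equal prominence.
function renderBanner(doc, onChoice) {
  const div = doc.createElement('div');
  div.id = 'cookie-banner';
  div.setAttribute('role', 'dialog');
  div.innerHTML =
    '<p>We use cookies for analytics. Accept or decline; the site works either way.</p>' +
    '<button id="cookie-accept">Accept</button> <button id="cookie-decline">Decline</button>';
  div.querySelector('#cookie-accept').addEventListener('click', () => onChoice('granted'));
  div.querySelector('#cookie-decline').addEventListener('click', () => onChoice('denied'));
  doc.body.appendChild(div);
  return div;
}

function initConsent(doc) {
  const { showBanner, loadAnalytics: allowed } = decide(readConsent(doc.cookie));
  if (allowed) loadAnalytics(doc);
  if (!showBanner) return;
  const banner = renderBanner(doc, (decision) => {
    doc.cookie = buildConsentCookie(decision);   // remember the answer either way
    banner.remove();
    if (decision === 'granted') loadAnalytics(doc);
  });
}

// Only the DOM glue needs a browser; the pure functions above run anywhere.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => initConsent(document));
}
```

Two practical notes: the `Secure` attribute means the consent cookie is only stored over HTTPS, so test on an HTTPS origin rather than plain `http://localhost`; and the gating only works if the analytics tag is not also hard-coded elsewhere in the page template, since a tag that ships in the HTML sets its cookies before this script ever runs.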

The overall impact of these new regulations across Europe and the United States remains to be seen, but we recommend preparing yourself and doing everything you can to be in compliance before a problem arises. For many of our customers, organic European traffic isn’t something they’re actively seeking, but it’s still in your best interest to pursue compliance across your entire web portfolio.

This post was published on July 17, 2018. As stated on this page multiple times, we’re not lawyers and have no direct legal experience in compliance with the GDPR. ReachFarther recommends that our customers act on the direct advice of their own legal counsel. The information published on this page in no way will make your website compliant with the GDPR, you are ultimately responsible for ensuring that all requirements of the GDPR are met on your website.

Still have questions about the GDPR?

We’re not lawyers, so we’d recommend you find one, stat. But if you’d like to discuss the technical issues and ideas described above or how ReachFarther can help you implement your GDPR strategy, please reach out!