Things to consider as you prepare for GDPR compliance on your website & web application
Disclaimer: This blog post does not constitute legal advice. I am not a lawyer; this post is based on my work with clients and my own research, which may have large gaps or even be flat out wrong. Project Ricochet suggests that you consult with legal counsel as you plan your own General Data Protection Regulation (GDPR) compliance strategy. In this blog post, I will lay out a framework for the types of things you might consider thinking about as you approach compliance with this new regulation.
Does GDPR apply to you?
Do you market to European residents, do business in Europe, or have offices in Europe? If so, then it might, and you probably need a game plan.What sorts of things should you be thinking about as the deadline approaches?
Essentially, anything that could conceivably allow you to personally identify users will be covered under the auspices of this law. This includes server logging, cookies, synchronous or asynchronous tracking scripts, etc. A website or application of sufficient complexity will have a lot of moving parts. You should perform a thorough audit of your site’s functionality to verify what is being tracked where.Let’s break this down
There are three types of cookies:
- Cookies that collect identifying information like user_id, name, email, etc.
- Cookies with identifiers that *could* potentially be used to identify a user, either directly or over time. These cookies are the reason you see ads everywhere on the Internet for stuff you just looked at on a different site.
- Cookies that store values for settings that are not trackable to a user (for example, whether or not a user wanted a menu to expand automatically on page load).
Tracking scripts
Your site may or may not contain various scripts that track information about users. These may be scripts your developers have written for the explicit purpose of tracking, or they may be tracking scripts like Google Analytics. Just because you aren’t storing cookies doesn’t mean identifiable information like IP address isn’t being stored. You need a game plan for this.Server logs
Recording IP addresses with site visits is a pretty essential part of how most Internet servers work. As I understand it, the law does allow for this sort of tracking as long as it is essential for security. But it should be coupled with timely destruction of the logs when they are no longer necessary for this purpose. Please be sure to do your own research on this point, and consult an attorney if you have any questions about the legality of the tracking on your site.Explicit opt-in acceptance of tracking
You have probably seen notices about tracking cookies on various websites. As I understand it, what’s unique about GDPR is that sites must now get explicit (not implied) acceptance to use tracking cookies. This can happen in a number of ways, but many sites have an opt-in widget, popup, or lightbox that is hard to miss.
Verbiage of your opt-in messaging & privacy policy
Depending on how careful you want to be, you might allow that third class of cookies that don’t retain personally identifiable information (such as configuration options). But be careful about the verbiage in your opt-in box. If you state that your site doesn’t allow cookies but you actually do allow *some types* of cookies, you could be opening yourself up to liability. You also probably don’t want to state that visitors need to opt in to “tracking cookies,” because this will likely alarm them unnecessarily. However, you might, for example, craft a message that implies that users must opt in to cookies that fall under the GDPR law. You should also make sure that your Privacy Policy is accurate and specific (specificity is another aspect of the regulation). It might be wise to have your counsel review for accuracy and potential liability. Again, I’m no lawyer, and this is not mean to constitute legal advice—just some things to consider.Tracking consents
How careful do you want to be? Your lawyer will probably tell you to track *everything.* This tracking will probably only matter if you end up in court and need to prove explicit acceptance. You could track IP address, mac address, date/time, etc., or track nothing—it’s up to you. Just make sure you know the implications and have assessed the risk with a professional!How might user experience be affected by GDPR compliance?
Depending on how your site functions, cookies may be required for an ideal user experience. So you should either prepare the user for this or have a graceful fallback strategy for any functions that require cookies to work properly. For example, if the user sets a preference for a particular menu to load in a specific way on page render, and the cookie that stores this preference cannot be set, then each time the user loads the page, it’ll be like Dory the fish in Finding Nemo—your page will keep “forgetting” the user’s preferences. The user may not realize that his or her decision to not accept cookies is the cause of this; instead, he or she might simply conclude that your site is buggy. Also, if you run an ecommerce site or a site that requires users to log in with a username and password, you will almost certainly need cookies for this functionality to work. You may consider not allowing users to utilize some subset of functionality if cookie use is not accepted. Also, keep in mind that you may be utilizing Javascript to alter the customer experience based on users’ opt-in of cookies. Not all users have Javascript enabled. If your tracking of cookies depends on users having Javascript enabled, you may be opening yourself up to liability when they do not (if cookies are then set). Be careful!Different experience for non-EU users vs. EU users
Putting a consent “gate” on your site will certainly add some friction to your visitors’ experience. You might be tempted to create a different experience for EU and non-EU visitors. As you plan and consider this, however, keep in mind that the law applies to EU citizens and residents (as I understand it), and it may even extend to visitors to your site who are physically outside of the EU or visiting through a VPN that is routed outside of the EU. In both cases, you wouldn’t really know anything about the visitor’s citizenship by looking at the IP address (which would not be EU-based). It’s possible that being this paranoid about compliance is overkill, but because the law is so new, it’s not been tested in court. Beware!
Watch out—things can change over time
This is the sort of thing that keeps me up at night: you get everything on your site locked down and compliant, and then someone on your team embeds a YouTube widget in the body of a blog post that ends up setting a cookie—and no one knows about it. You need to be careful here. I advocate regular scans of all sites to ensure that no cookies on any pages are set now—or in the future—without consent. I would also advise reminding your team regularly about the risks of embedding third-party elements.What’s the worst that could happen?
I don’t really know what would get you on the radar of the governing body that regulates violations of this law. But you may want to be careful about lawyers on the hunt for violators against whom class-action lawsuits could be brought for damages on behalf of their clients.Tools that can help simplify compliance
Whatever your framework, there is probably some sort of an opt-in acceptance plugin or module that will allow users to opt in to tracking (such as Drupal’s Cookie Consent module). You can also construct mechanisms to prevent Javascript from being run and setting cookies by using tools like Google Tag Manager. Even a custom solution generally isn’t very difficult. It’s just important that it be developed well to be ironclad.Conclusion
Yes, this is another law that you need to track, but you can take this opportunity to audit your site and make sure that everything you do on it is intentional and in line with the level of risk you want to assume as an organization. Privacy is becoming a bigger and bigger issue, and with each new wave of technologies, it is having an ever-larger impact on society. Find a great tech team and get to work. This law isn’t going away any time soon!Suggested reading:
- General Data Protection Regulation
- What is Valid Consent Under the GDPR?
- America should borrow from Europe’s data-privacy law
- Cookies Consent Under the GDPR
- Fines and Penalties
- EU GDPR and personal data in web server logs
Project Ricochet is a full-service digital agency specializing in Open Source.
Is there something we can help you or your team out with?