The General Data Protection Regulation (GDPR)

How to Make Your Website GDPR Compliant (Part 2 of 2)

The EU’s General Data Protection Regulation (GDPR) becomes applicable in just a few days. Our practical tips will help you make your website or blog GDPR compliant. The first part of this guide covered data-protection-compliant web hosting, the correct design of the privacy policy, and the correct configuration of your contact forms.

This second part covers the GDPR-compliant implementation and use of newsletter subscriptions, social plugins, Google Analytics and Google Fonts, and looks at the question of cookie pop-ups under the new regulation.

Note: We are not lawyers, and this article is not legal advice. The measures below therefore make no claim to completeness.

Newsletter Consent According to GDPR

Under the principle of data minimisation, you as a website operator may only request the data you need for the respective purpose. For newsletter registrations this means that at most the name and e-mail address are mandatory fields. If you want to ask for further data such as date of birth or postal address, you must make clear that this information is optional. In addition, make sure that you always have the consent of your recipients before sending newsletters. The wording of the consent message must state which personal data are processed, by whom and for what purpose, and it must point out the right to withdraw consent at any time. In the yellow box you will find a sample text for the consent message.

GDPR - Data protection consent declaration (sample text, shown as an image)

For the registration process you should use a double opt-in: the subscription is only activated after the recipient clicks a confirmation link sent to the given address, which lets you prove consent if it is ever disputed. Keep the record of both steps (time of registration, time of confirmation and the version of the consent text shown). Check your existing address pool against the criteria above: if it meets the requirements of the GDPR, the previous consents remain valid; if it does not, you should refresh the consents or clean up the data.

The same rules apply to the newsletter form as to the contact form: from the date the GDPR applies, personal data must be transmitted encrypted, so serve the form over HTTPS with a current TLS configuration (SSL is obsolete and should no longer be offered). In addition, check whether your newsletter provider is GDPR compliant. Most of the common newsletter tools such as Mailchimp, Newsletter2Go, Episerver (formerly Optivo) and CleverReach offer detailed information and ready-to-sign data processing agreements on their websites.

GDPR compliant Social Plugins

Whether Facebook, Twitter or LinkedIn, almost every social network offers social plugins that can be embedded in your own website so that visitors can share content within the respective network. The problem with these plugins: the embed code (typically an iframe or script loaded from the network's servers) transfers data to the network on every page load, before the visitor has done anything. This lets Facebook, Twitter & Co collect visitor data and track behaviour unnoticed. Even if the visitor is not logged in to the network, the visitor's IP address and user-agent string are transmitted, together with the address of the page being viewed.

Under the GDPR, loading such plugins on every page view can no longer be justified. You should therefore either do without social plugins or use the so-called Shariff solution (developed by the German computer magazine c't). With Shariff, the page only renders local buttons; the social network receives data only when the visitor actively clicks the corresponding button, and only the network that was clicked.
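Click-to-share buttons in the spirit of the Shariff solution, as an added example in JavaScript. This is not the Shariff project's own code and not from the original article; the share endpoints shown are the networks' public share URLs, and the function names and the page object are assumptions. The point demonstrated is that the page can be served with no request to any network: the buttons are plain links, and the only third-party request is the one the visitor triggers by clicking.

```javascript
// Click-to-share buttons in the spirit of Shariff (added example; not the
// Shariff project's code and not from the original article). Nothing is
// requested from any social network when the page loads: the page renders
// plain links to the networks' share endpoints, and a request goes only to
// the one network whose button the visitor clicks.

const SHARE_ENDPOINTS = {
  facebook: ({ url }) =>
    `https://www.facebook.com/sharer/sharer.php?u=${encodeURIComponent(url)}`,
  twitter: ({ url, title }) =>
    `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}` +
    `&text=${encodeURIComponent(title)}`,
  linkedin: ({ url }) =>
    `https://www.linkedin.com/shareArticle?mini=true&url=${encodeURIComponent(url)}`,
};

// Share URL for one network; page = { url, title } (assumed shape).
function buildShareUrl(network, page) {
  const endpoint = SHARE_ENDPOINTS[network];
  if (!endpoint) throw new Error(`unsupported network: ${network}`);
  if (!/^https?:\/\//i.test(page.url)) throw new Error('page.url must be an absolute http(s) URL');
  return endpoint(page);
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Render the buttons as static markup: anchors only, no iframe and no script
// from a third party, so serving the page contacts nobody.
function renderShareButtons(page, networks) {
  return networks.map((n) => {
    const href = escapeHtml(buildShareUrl(n, page));
    // noopener: the share window gets no handle to this page (no tabnabbing);
    // noreferrer: the browser sends no Referer header to the network.
    return `<a class="share share-${escapeHtml(n)}" href="${href}" target="_blank" rel="noopener noreferrer">Share on ${escapeHtml(n)}</a>`;
  }).join('\n');
}

// Browser glue (no-op under Node): inject the buttons into a container.
function mountShareButtons(containerId, page, networks) {
  if (typeof document === 'undefined') return;
  const el = document.getElementById(containerId);
  if (el) el.innerHTML = renderShareButtons(page, networks);
}
```

The share endpoints receive the page URL as a query parameter, so the network learns which page was shared at the moment of the click; before that moment it learns nothing, which is exactly the difference from an embedded plugin.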

Cookie Pop-Up – yes or no?

The GDPR treats cookies as online identifiers, even when the identifiers are pseudonymised. Setting cookies without an appropriate notice or pop-up is permitted only under very restrictive conditions. Cookies that are strictly necessary for the service the visitor asked for, such as session IDs or shopping-basket cookies, can be exempt. Further, cookies for web analytics such as Google Analytics could be justified through a balancing of interests, especially as Google is (at the time of writing) certified under the Privacy Shield. However, the legal situation regarding cookie information has not yet been fully clarified, so for now it is recommended to obtain the user's consent through a cookie notice. To keep the pop-up as lean as possible, put a short general text about cookie usage in the pop-up and link from there to the detailed cookie information in your privacy policy. In the yellow box you will find an example for your cookie notice.

GDPR and Google Analytics

Once the GDPR applies, the use of Google Analytics is permitted only if the following legal requirements are met. This checklist will help you meet them:

  • Conclude a data processing agreement with Google. Google offers the corresponding contract for acceptance in the Analytics account settings.
  • Inform your visitors about the use of Google Analytics in your privacy policy.
  • Users must be able to opt out. Offer the Google Analytics opt-out browser add-on and, in addition, implement an opt-out cookie on your site. The cookie matters particularly for mobile visitors, since browser add-ons usually do not work on mobile devices.
  • Activate IP anonymisation in your tracking code (the anonymizeIp setting): Google then truncates the last octet of IPv4 addresses and the last 80 bits of IPv6 addresses before the address is stored.
  • Delete data collected so far that is not GDPR compliant.

See this useful article on how to prepare your use of Google Analytics for the GDPR.
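The opt-out cookie and IP-anonymisation items of the checklist, as an added example in JavaScript. This is not Google's code and not from the original article. It assumes the classic analytics.js snippet with its global ga() command queue and uses a placeholder tracking ID; with gtag.js the anonymisation call is gtag('config', ID, { anonymize_ip: true }) instead. The opt-out mechanism itself is Google's documented one: analytics.js sends nothing when a global named ga-disable-<TRACKING_ID> is true before the snippet runs. The cookie only remembers that choice across visits.

```javascript
// Google Analytics opt-out cookie plus IP anonymisation (added example; not
// Google's code and not from the original article). Assumes analytics.js
// (the global ga() queue) and a hypothetical tracking ID 'UA-12345678-1'.

const GA_TRACKING_ID = 'UA-12345678-1';                 // hypothetical placeholder
const GA_DISABLE_KEY = 'ga-disable-' + GA_TRACKING_ID;  // global that analytics.js checks

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// True when the visitor opted out earlier (cookie present with value "true").
function hasOptedOut(cookieString, trackingId = GA_TRACKING_ID) {
  return parseCookies(cookieString)['ga-disable-' + trackingId] === 'true';
}

// Cookie string that records the opt-out for ten years. Secure and SameSite=Lax:
// sent only over HTTPS and not attached to cross-site requests.
function optOutCookieString(trackingId = GA_TRACKING_ID, now = new Date()) {
  const expires = new Date(now.getTime() + 10 * 365 * 24 * 60 * 60 * 1000).toUTCString();
  return `ga-disable-${trackingId}=true; expires=${expires}; path=/; SameSite=Lax; Secure`;
}

// The ga() commands to issue on page load, derived from the cookie state.
// Returned as data so the decision is testable; an empty list means "send
// nothing". 'set anonymizeIp' must precede 'send', otherwise the first
// pageview leaves with the full IP address.
function gaInitCommands(cookieString, trackingId = GA_TRACKING_ID) {
  if (hasOptedOut(cookieString, trackingId)) return [];
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Browser glue (no-op under Node). Must run before analytics.js processes
// its queue, i.e. in place of the usual inline snippet.
function initAnalytics() {
  if (typeof window === 'undefined') return;
  const commands = gaInitCommands(document.cookie);
  if (commands.length === 0) { window[GA_DISABLE_KEY] = true; return; }
  // Same command queue the official snippet creates; analytics.js drains it on load.
  window.ga = window.ga || function () { (window.ga.q = window.ga.q || []).push(arguments); };
  for (const cmd of commands) window.ga(...cmd);
}

// Handler for the "disable Google Analytics" link in the privacy policy:
// persists the choice and disables tracking for the current page immediately.
function gaOptout() {
  if (typeof window === 'undefined') return;
  document.cookie = optOutCookieString();
  window[GA_DISABLE_KEY] = true;
}
```

Wire gaOptout() to a link in the privacy policy and call initAnalytics() where the tracking snippet used to be; because the opt-out check runs before any ga() command is queued, an opted-out visitor's browser never sends a hit, which is the behaviour the add-on provides on desktop.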

Google Fonts and GDPR

Do you currently use Google Fonts on your website? If you downloaded the font files from Google and serve them from your own server, there is no problem with using them. However, if the fonts are loaded directly from Google's servers, every page view causes the visitor's browser to request the font from Google, transmitting the visitor's IP address and the address of the page being viewed. This lets Google observe activity on your site, so you must at least mention it in your privacy policy; self-hosting the fonts avoids the transfer altogether.

GDPR and ePrivacy Regulation

Some legal changes to your website must be in place by 25 May 2018, when the GDPR becomes applicable, even though there is still uncertainty about how to implement it on some topics.

With the measures described in this article you have done a lot to make your website GDPR compliant. Keep an eye, however, on the upcoming ePrivacy Regulation: it will complement the GDPR, particularly with regard to electronic communications, and give users even more control over their personal data. So, stay tuned!
