The General Data Protection Regulation (GDPR)
How to Make Your Website GDPR Compliant (Part 2 of 2)
The EU’s new General Data Protection Regulation (GDPR) will enter into force in just a few days. Our practical tips help you make your website or blog GDPR compliant. In the first part of this guide we covered data protection-compliant web hosting and the correct design of the privacy policy, and gave tips on configuring your contact forms correctly.
In this part we look at the GDPR-compliant implementation and use of newsletter subscriptions, social plugins, Google Analytics and Google Fonts. We also discuss the question of cookie pop-ups under the new General Data Protection Regulation.
Note: We are not lawyers, and this article is not legal advice. The measures below therefore do not claim to be complete.
Newsletter Consent According to GDPR
Under the new principle of data minimization, you as a website operator may only request the data you need for the respective purpose. For newsletter registrations this means that only the name and e-mail address may be mandatory fields. If you want to request further data such as date of birth or postal address, you have to make clear that this information is optional. In addition, you must make sure that you always have the recipient’s consent before sending a newsletter. The wording of the consent message must state which personal data are processed, by whom and for what purpose, and the text must point out the right of revocation. In the yellow box you will find a sample text for the consent message.
For the registration process you should use a double opt-in procedure so that you can prove the user’s consent if it is ever disputed. Check your existing data pool against the criteria above: if your address pool meets the requirements of the GDPR, the previous consents remain valid; if the address data do not comply with these rules, you should update or clean up the data.
The same rules apply to the newsletter form as to the contact form: from the effective date, the transmission of personal data must be encrypted, so again make sure you use appropriate TLS (formerly SSL) encryption. In addition, check whether your newsletter provider is GDPR compliant. Most of the common newsletter tools such as MailChimp, Newsletter2Go, Episerver (formerly Optivo) and CleverReach offer detailed information and ready-to-use data processing contracts on their websites.
GDPR-compliant Social Plugins
Whether Facebook, Twitter or LinkedIn, almost every social network offers social plugins that can be integrated into your own website. These extensions allow the user to share content within the respective network. The problem with these plugins: because the plugin code is embedded in the page, usually as an iframe, data is transferred to the respective social network automatically every time the page is loaded. This lets Facebook, Twitter and the others gather user data and track user behavior unnoticed. Even if the user is not logged in to the network, the visitor’s (dynamic) IP address and browser user-agent string are transmitted.
Under the GDPR, the use of such social plugins can no longer be justified. You should therefore either do without social plugins altogether or fall back on the so-called Shariff solution. With Shariff, a social network can only retrieve data about a user once the user becomes active and clicks the corresponding button.
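As an added example (not code from the original article or from the Shariff project), a Shariff-style implementation in JavaScript: the page renders plain links to the networks’ public share-intent URLs instead of embedding an iframe, so nothing is requested from a social network until the visitor clicks. The share endpoints and the `share-buttons` container id are assumptions, not taken from the article.

```javascript
// Added example: Shariff-style share buttons (no third-party iframe or script).
// No IP address or browser string leaves the page on mere page view; the
// network is contacted only when the visitor clicks a link.
const SHARE_ENDPOINTS = {
  // Public share-intent URLs as commonly used by Shariff-type buttons (assumed).
  facebook: (url) => 'https://www.facebook.com/sharer/sharer.php?u=' + encodeURIComponent(url),
  twitter: (url, title) => 'https://twitter.com/intent/tweet?url=' + encodeURIComponent(url) +
    '&text=' + encodeURIComponent(title),
  linkedin: (url) => 'https://www.linkedin.com/shareArticle?mini=true&url=' + encodeURIComponent(url),
};

// Escapes text for safe use inside an HTML attribute or element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Builds the share URL for one network; unknown networks are rejected.
function shareLink(network, pageUrl, title) {
  const build = SHARE_ENDPOINTS[network];
  if (!build) throw new Error('unsupported network: ' + network);
  return build(pageUrl, title);
}

// Renders plain <a> links: no iframe, no third-party script, no beacons.
// rel="noopener noreferrer" stops the opened tab from reaching back into this one.
function renderShareButtons(pageUrl, title) {
  return Object.keys(SHARE_ENDPOINTS).map((network) =>
    '<a class="share share-' + network + '" href="' +
    escapeHtml(shareLink(network, pageUrl, title)) +
    '" target="_blank" rel="noopener noreferrer">Share on ' + escapeHtml(network) + '</a>'
  ).join('\n');
}

// Review check: true if the markup would contact a third party on page load.
function contactsThirdPartyOnLoad(html) {
  return /<(iframe|script)\b/i.test(html);
}

// Browser wiring; 'share-buttons' is a hypothetical container id.
if (typeof document !== 'undefined') {
  const container = document.getElementById('share-buttons');
  if (container) container.innerHTML = renderShareButtons(location.href, document.title);
}
```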
Cookie Pop Up – yes or no?
GDPR and Google Analytics
With the GDPR coming into effect, Google Analytics may only be used if the following legal requirements are met. This checklist will help you meet them:
- You need a data processing agreement with Google. Here you can download the corresponding contract.
- Users must be able to opt out. For this you should point to Google’s opt-out browser add-on and additionally implement an opt-out cookie. The latter is particularly relevant for mobile visitors, since browser add-ons usually do not work on mobile devices.
- The code for anonymizing visitors’ IP addresses has to be implemented in your tracking snippet.
- Data collected so far that is not GDPR compliant should be deleted.
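As an added example (not from the article), the opt-out cookie and IP anonymization items of the checklist combined for Google’s analytics.js tracker. It assumes Google’s loader snippet already defines `window.ga`; the property ID is a placeholder, and `window`/`document` are passed in as parameters so the functions can be exercised outside a browser.

```javascript
// Added example: Google Analytics opt-out cookie plus IP anonymization
// for the analytics.js ("ga") tracker. GA_PROPERTY is a placeholder.
const GA_PROPERTY = 'UA-XXXXXX-Y';
// analytics.js stops sending hits when window['ga-disable-<ID>'] is true.
const DISABLE_FLAG = 'ga-disable-' + GA_PROPERTY;

// True when the visitor's cookie header carries an earlier opt-out.
function hasOptedOut(cookieHeader) {
  return String(cookieHeader || '').split(';')
    .some((part) => part.trim() === DISABLE_FLAG + '=true');
}

// The persistent opt-out cookie (assign it to document.cookie).
function optOutCookie() {
  return DISABLE_FLAG + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/; SameSite=Lax';
}

// Must run before any 'send' command: honours an existing opt-out.
// globalObj is window in the browser (injected here so it can be tested).
function applyStoredOptOut(globalObj, cookieHeader) {
  if (!hasOptedOut(cookieHeader)) return false;
  globalObj[DISABLE_FLAG] = true;
  return true;
}

// Bind this to the "Disable Google Analytics" link in your privacy policy.
function gaOptout(globalObj, doc) {
  doc.cookie = optOutCookie();
  globalObj[DISABLE_FLAG] = true;
}

// Tracker commands; anonymizeIp is set before the first pageview so that
// Google truncates the IP address before it is stored.
function trackingCommands() {
  return [
    ['create', GA_PROPERTY, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Browser wiring; assumes Google's analytics.js loader snippet defines window.ga.
if (typeof window !== 'undefined' && typeof window.ga === 'function') {
  applyStoredOptOut(window, document.cookie);
  trackingCommands().forEach((cmd) => window.ga(...cmd));
}
```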
See this useful article on how to prepare your use of Google Analytics for the GDPR.
Google Fonts and GDPR
GDPR and ePrivacy Regulation
By the end of May you have to implement a number of legal changes on your website, even though there is still uncertainty about how the GDPR applies to some topics.
With the measures described in this article you have already done a lot to make your website GDPR compliant. You should, however, also keep an eye on the upcoming ePrivacy Regulation. It will complement the GDPR, particularly with regard to electronic communications, and give users even more control over their personal data. So, stay tuned!