In this article I would like to debunk some of the most common GDPR myths, as simply as possible. Everyone has heard the claims: enormous fines, the need for consent for every script or cookie that runs on your website, the need to e-mail your entire list to get people to sign up for your newsletter again, and the need to add checkboxes to every form and opt-in.
1. First GDPR Regulation Myth: Fines
It is not true that you will be charged large sums of money immediately if your website isn’t 100% compliant by the deadline (May 25, 2018). So there is no need to panic.
Fines are the last resort, as the EU has confirmed. The upper tier of fines for failing to comply is up to €20 million (about $23,561,000) or 4% of annual global turnover, whichever is higher; that is the ceiling, not the starting point.
The UK Information Commissioner, Elizabeth Denham, said:
“It’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising, and educating organizations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective. The GDPR gives us a suite of sanctions to help organizations comply – warnings, reprimands, corrective orders. While these will not hit organizations in the pocket – their reputations will suffer a significant blow.”
2. Second GDPR Regulation Myth: Consent for every Script or Cookie
You do NOT need to get consent for every cookie, so don’t worry too much about it: the GDPR is squarely about personal data. As long as a cookie or script does not capture or process personal data, it is out of scope. The earlier ePrivacy “cookie law” is still in force, however, so it is good practice to keep a general GDPR/cookie consent notification bar.
For example, Divi Bars has an optional function that sets a cookie in the user’s browser when they close a popup or promo bar, so the bar no longer irritates them on every page visited or when returning to a previous page.
That cookie does not collect personal data in any way and does not communicate with any external source; all it does is tell the browser not to trigger the popup or promo bar again until the cookie expires. Therefore there is no need to get consent for that specific cookie, since it neither collects nor tracks personal data.
However, for cookies or scripts that DO collect or track personally identifiable information, yes, you are required to request consent specifically for that cookie or script.
When using Google Analytics you do not need to request specific consent, as long as Google Analytics is not accumulating any personally identifiable information.
Getting there takes a few configuration steps, because out of the box Google Analytics does receive the visitor’s IP address. Don’t worry, it’s quite easy and we will guide you through it.
If you use the Facebook Pixel on your website, you will need to give users the ability to opt out. The Pixel gathers data and reports it back to Facebook to build the user’s behaviour profile (even though you yourself never get access to that profile). It is therefore advisable to offer users a way to opt out of the Pixel.
1. Check that IP address anonymization is turned on
Under the GDPR an IP address counts as personal data. Google Analytics uses the IP address for geolocation, but to stay on the safe side you can simply anonymize IP addresses: Google then masks the last octet of IPv4 addresses (the last 80 bits of IPv6 addresses) before storing them, which only slightly reduces the accuracy of geographic reporting.
How you turn on IP anonymization depends on how you added the Google Analytics tracking code to your website (analytics.js, gtag.js or Google Tag Manager); each of them has its own anonymize-IP setting.
2. Check whether any personally identifiable information is showing up in your reports
Sometimes e-mail addresses or other personal data leak into page URLs through a query-string parameter (for example an e-mail address passed as a parameter of the page URL). To catch this, look at your GA reporting (Behavior > Site Content > Content Drilldown) and page through to your least popular pages: every such URL is unique to one visitor, so they end up at the bottom of the list. This shouldn’t happen on most websites; if it does, it is usually caused by a plugin, so contact the specialists.
3. Opt-out possibility
You do NOT need consent for Google Analytics to run when the user first lands on the site, provided that, as ensured by the first two steps, no personal information is being collected.
What I recommend is one general GDPR cookie notice that users accept, with a link to further information about exactly what it entails.
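The three steps above, as an added worked check (example code written for this article, not code from the original page or from Google): a small script that confirms a Google Analytics collect hit really carries the anonymize-IP parameter `aip=1`, scans page paths as a content report lists them for leaked e-mail addresses, and sets the `ga-disable-<PROPERTY_ID>` window flag that Google documents as the per-page opt-out switch. The collect URLs, the page paths and the property ID `UA-000000-1` are constructed placeholders.

```javascript
// Added example (not from the original article): offline checks for the
// three Google Analytics steps above, run on constructed sample data.
//
// Step 1: with analytics.js, ga('set', 'anonymizeIp', true) makes every hit to
// www.google-analytics.com/collect carry the Measurement Protocol parameter
// aip=1 (gtag.js does the same for the anonymize_ip: true config option).
// Copy a collect request URL from the browser's network tab and pass it to
// hitHasAnonymizedIp() to confirm the setting is really in effect.
//
// Step 2: findEmailsInPaths() scans page paths as they appear in a GA content
// report for e-mail addresses, either in the path itself or in a query-string
// parameter (GA keeps the query string as part of the page path).
//
// Step 3: Google documents window['ga-disable-<PROPERTY_ID>'] = true as the
// switch that stops analytics.js/gtag.js from sending hits on that page;
// setGaOptOut() sets it so a site can wire it to an opt-out link.
// The property ID UA-000000-1 below is a placeholder.

// Loose e-mail pattern: it flags candidates for a human to review, so a few
// false positives are acceptable.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

function hitHasAnonymizedIp(hitUrl) {
  const url = new URL(hitUrl);
  // Only Measurement Protocol "collect" hits carry the aip parameter.
  if (!url.pathname.endsWith('/collect')) return false;
  return url.searchParams.get('aip') === '1';
}

function findEmailsInPaths(paths) {
  const findings = [];
  for (const page of paths) {
    const q = page.indexOf('?');
    const pathPart = q === -1 ? page : page.slice(0, q);
    // E-mail embedded in the path itself, e.g. /account/<email>/settings
    if (EMAIL_RE.test(pathPart)) findings.push({ path: page, param: null });
    if (q === -1) continue;
    // URLSearchParams percent-decodes values, so %40 becomes @ before the test.
    for (const [key, value] of new URLSearchParams(page.slice(q + 1))) {
      if (EMAIL_RE.test(value)) findings.push({ path: page, param: key });
    }
  }
  return findings;
}

function setGaOptOut(propertyId, win = globalThis) {
  const flag = 'ga-disable-' + propertyId;
  win[flag] = true;
  return flag;
}

// Constructed sample data: two collect hits (one with IP anonymization on,
// one without) and a handful of page paths as a content report would list them.
const SAMPLE_HITS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=555&t=pageview&dp=%2Fhome&aip=1',
  'https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=555&t=pageview&dp=%2Fhome',
];

const SAMPLE_PATHS = [
  '/',
  '/blog/gdpr-myths',
  '/thank-you?email=jane.doe%40example.com&source=newsletter',
  '/account/jane.doe@example.com/settings',
  '/search?q=gdpr',
];

function runChecks() {
  return {
    hits: SAMPLE_HITS.map(hitHasAnonymizedIp), // [true, false]
    leaks: findEmailsInPaths(SAMPLE_PATHS),    // two findings
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Running it prints the second hit as not anonymized and lists both leaked page paths together with the offending parameter name (`null` when the address sits in the path itself). The same two functions work on a real export: paste collect URLs from the network tab into `SAMPLE_HITS` and the Page column of a Content Drilldown export into `SAMPLE_PATHS`.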
3. Third GDPR Regulation Myth: E-mails
Before the big date (May 25, 2018), we all received dozens, if not hundreds, of e-mails from companies asking us to confirm that we wished to keep receiving e-mails from them, along with e-mails announcing updated privacy policies. None of this was necessarily mandatory, despite what a lot of “experts” online were saying.
If you have proof of their consent to receive e-mails from you (a clear, affirmative opt-in rather than, say, a pre-ticked box), you do not need to ask them to re-consent.
If you use Mailchimp, it shows you the history of each subscriber: when they subscribed and by which method.
So if someone ever claims they never subscribed to your list, you have a log that proves precisely which lead magnet they signed up for.
4. Fourth GDPR Regulation Myth: Check-Boxes
It is a misconception that GDPR compliance is nothing more than adding check-boxes.
The GDPR expects clear consent, but check-boxes are not mandatory. If it is perfectly clear what the user is subscribing to, you do not need to collect additional consent via a check-box: when the opt-in form plainly states what will happen when the user subscribes, a check-box adds nothing.
Conversely, a form that does not clearly state that the user is signing up for regular updates would not be compliant, check-box or not.