GDPR: A Practical Guide for Websites (2019)

GDPR has been with us for some time now (since May 2018), but despite this many businesses have told me they still worry whether they have everything they need in place to meet the requirements of GDPR on their website.

This guide has been prepared to make it super easy for your business or company to review your website by acting as a checklist to help you through each step. You can also use the guide to help you to plan ahead for a new website project in preparation.

There is so much technical information surrounding GDPR that it can be difficult to understand, and this creates uncertainty about how to implement it, which can feel overwhelming.

This article is an in-depth overview of the key areas to focus on with some signposting to useful resources to help you. The information is designed to help you make progress towards your website becoming GDPR friendly.

Caveat – Don’t forget that I am a web designer and not a legal expert, so if you are in any doubt about your own circumstances and need more expert help, then please do get in touch with someone legal who can help you. This article is aimed at businesses in the UK.

In this article, I explore each of the following topics:

  1. Website Policies – what policies you must have and how to get them
  2. Cookie Banners – a brief overview of what they are and what you need to do
  3. Opt-In Forms – the best way to set up your opt-ins for your lead magnets
  4. Contact Forms – how to comply with GDPR for your contact forms 
  5. Blog Comments – get compliant with your comments
  6. Google Analytics – anonymise your web visitor’s data
  7. Plugins – are the plugins on your website GDPR compliant?

 

Website Policies

There are three policies which are mandatory to have on your website. Let’s explore each one in turn. The policies you must have in place are:

  • Privacy Policy
  • Cookie Policy
  • Website Terms and Conditions

 

What is a Privacy Policy?

“A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy.” 

Source: What is a Privacy Policy? Wikipedia 

In order to comply with GDPR, every company must have a privacy policy linked on their website. A privacy policy will confirm:

  • Your organisation’s contact details
  • What type of information you collect and hold
  • How the information is collected and where it is collected from
  • What you do with the information
  • The data protection rights: including rights of access, processing and erasure
  • How to complain

The Information Commissioner’s Office (ICO) has a template available for you to follow which explains the different areas required and what you need to include. You can view their template here: View ICO Template

 

What is a Cookie Policy?

First of all, it is important to understand what a cookie is. 

The ICO’s definition of a cookie is simply this:

“A cookie is a small file of letters and numbers that is downloaded onto your computer when you visit a website. Cookies are used by many websites and can do a number of things, eg, remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website.”

Source: ICO – Cookies

When someone visits a website, the cookie files collect data about that visitor. The Cookie Law requires websites to obtain consent from visitors before collecting their data. A typical example of what cookies can do: following a visit to a website, you start seeing adverts for that service or product in other places you visit, such as Facebook; we call this ‘re-targeting’.

Your cookie policy provides details of the cookies that are used on your website. Examples of the types of cookies websites often use include:


Facebook Remarketing Pixel 

This cookie helps to build Facebook audiences for advertising and remarketing.

Google Analytics 

This tracks the number of visitors to your website, what pages are visited and how long for as examples of the types of data collected.

Commercial Affiliations

This is where 3rd party adverts for other products or services are displayed on a website and tracked if clicked.

Social Media Widgets

Data can be collected from widgets to track interaction with social networks and other external platforms.

Opt-In and Contact Forms

These types of services may collect data such as time and date when messages are viewed or interacted with.

Details of the types of cookies used on your website should be clearly referenced in your cookie policy.

 

What are Website Terms and Conditions?

Every website should have its own set of Website Terms and Conditions available. Such conditions are a legal requirement. Website terms simply outline the terms of use of a website and protect the intellectual property rights of a website. They provide a framework of use between the web visitor, ‘the user’, and the owner of the website.

It is important to make sure you have the right kind of website terms to suit the type of business or company and the work you do. For example, there are specific website terms required for online stores, subscription and membership websites or financial or legal websites, to name just a few. 

 

Resources for Website Policies

SEQ Legal offers a service for downloading properly prepared legal policies. Free versions are available to use as long as the templates are published with appropriate accreditation. These are standardised templates, so if you have special requirements then please do take specific legal advice.

Policy resources: Visit SEQ Legal 

 

Where to Display Your GDPR Policies?

The best place to display the links to your policies is in the footer of your website. It is important that you make the links clear enough and big enough to read and not hidden away in tiny writing somewhere in the depths of the footer. Each policy has a page created where the policy content ‘lives’. If you use the Iubenda solution, mentioned below, the link to your policies will be directed to dedicated URLs on Iubenda’s server, rather than being created as a page within WordPress. 

 

GDPR Website Policies

 

What are Cookie Banners and Why Do You Need One?

Earlier this year, the ICO introduced new cookie guidance. In a nutshell, this updated guidance means that users of websites must be able to give their consent for their data to be tracked with the use of cookies. It also means that if someone does not agree to give their consent, they should still be able to access the website and it is the responsibility of the website owner to enable a user to be able to turn off cookies on the site. 

Penni Pickering at Kabo Creative teamed up with legal expert Charlotte Gerrish of Gerrish Legal and together they produced an in-depth article about the new cookie law. It considers how to present the cookie consent options available to users and what tools can be used to do this efficiently and legally. In the article they reviewed five different plugins which could potentially provide the right balance between allowing the right consents, being able to withdraw consent to cookies and being compliant with the law.

Read the full article here: WordPress Cookie Plugins and the ICO’s New Consent Guidance, Kabo Creative

At Umbrella Digital Media I use Iubenda, which is a provider of privacy and cookie policies as well as cookie consents through a cookie banner. The resources are hosted on their server and are continually updated by legal experts. It is an all-in-one solution, tailor-made to each website. It is straightforward to integrate into your website and if you’re not great with popping a bit of code into your website header, a handy plugin to help do this for you is available.

There is a small charge for Iubenda’s service at just $27 per year.
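To make the ICO guidance concrete, here is a small consent gate written for this article as an added example; it is not code from the original post and not Iubenda’s or any plugin’s code. It assumes a storage object with `getItem`/`setItem`/`removeItem` (the browser’s `localStorage` fits; an in-memory stand-in is used here so it runs anywhere), a made-up storage key, and constructed tracker entries with placeholder URLs. The point it demonstrates is the behaviour the guidance asks for: nothing non-essential loads until the visitor makes a positive choice, the site still works without consent, and consent can be withdrawn later.

```javascript
// Added example (not from the article, Iubenda or any WordPress plugin).
// Categories a banner would offer; strictly necessary cookies need no consent.
const NON_ESSENTIAL = ['analytics', 'marketing'];
const STORAGE_KEY = 'cookie_consent_v1'; // assumed key name

class ConsentManager {
  constructor(storage) {
    this.storage = storage; // anything with getItem/setItem/removeItem, e.g. window.localStorage
  }

  // Read the stored decision. No record means NO consent: never default to "accepted".
  read() {
    const none = { analytics: false, marketing: false };
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return none;
    try {
      const parsed = JSON.parse(raw);
      return { analytics: parsed.analytics === true, marketing: parsed.marketing === true };
    } catch (e) {
      return none; // a corrupt record is treated as no consent
    }
  }

  // Record a granular choice made by a positive act (the visitor clicked a button).
  grant(choice) {
    const record = {
      analytics: choice.analytics === true,
      marketing: choice.marketing === true,
      timestamp: new Date().toISOString(), // when consent was given, for your records
    };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(record));
    return this.read();
  }

  // Withdraw everything: clears the record so trackers stop loading and the banner returns.
  withdraw() {
    this.storage.removeItem(STORAGE_KEY);
    return this.read();
  }

  isAllowed(category) {
    if (!NON_ESSENTIAL.includes(category)) return true; // essential cookies always allowed
    return this.read()[category] === true;
  }
}

// Inject a tracker script only when its category has consent; returns what was loaded.
function loadTrackers(consent, trackers, inject) {
  const loaded = [];
  for (const t of trackers) {
    if (consent.isAllowed(t.category)) {
      inject(t.src); // in a browser: create a <script src=...> element
      loaded.push(t.name);
    }
  }
  return loaded;
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
    removeItem: (k) => data.delete(k),
  };
}

// Constructed sample trackers with placeholder URLs (not the real script locations).
const TRACKERS = [
  { name: 'google-analytics', category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { name: 'facebook-pixel', category: 'marketing', src: 'https://example.invalid/pixel.js' },
];

// Walk through a visit: no consent, then analytics-only consent, then withdrawal.
function demo() {
  const consent = new ConsentManager(memoryStorage());
  const injected = [];
  const inject = (src) => injected.push(src);
  const before = loadTrackers(consent, TRACKERS, inject);        // nothing loads
  consent.grant({ analytics: true });                             // visitor ticks analytics only
  const afterGrant = loadTrackers(consent, TRACKERS, inject);     // only google-analytics
  consent.withdraw();
  const afterWithdraw = loadTrackers(consent, TRACKERS, inject);  // nothing loads again
  return { before, afterGrant, afterWithdraw, injected };
}
```

The design choice worth noting is that `read()` returns "no consent" for a missing or unreadable record; a banner that treats the absence of a choice as acceptance, or that pre-ticks the boxes, does not meet the guidance described above.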

 

An example of an Iubenda cookie banner


Read More About Iubenda

Example: View my Privacy Policy 

 

GDPR and Lead Magnet Opt-Ins

The biggest area of confusion about how to apply GDPR is when you want to use opt-ins with your lead magnets. It is a MUST to gain the subscriber’s consent before they can be added to your mailing list.

After speaking with a few businesses, the area of gaining consent at the point of opt-in seems to be the main cause of confusion and concern.

The opt-in comes in two parts.

1. Consent by Action

When someone signs up to your lead magnet, the physical process of clicking the button to sign up is consent in itself. Clicking the ‘submit’ button is a positive act of consent. If your opt-in is for say, a free checklist, then that is what they will receive in the first instance.

If you are sending subsequent emails about your business services, then this is acceptable and you do not need to obtain any further granular consent, providing the subsequent emails are still very much related to the original content subscribers signed up for. This means if someone receives your download and subsequent email nurture plus other emails relating to your business, blog articles or newsletters for example, then this does not require further consent.

2. Consent to Marketing Outside of Your Business

However, if you would like to use the data from such a sign-up (described above), for example from a lead magnet, for something outside of your own business, then you would need a checkbox to obtain consent. The checkbox must not be pre-ticked but left blank for the user to complete. It must also clearly state that by ticking the checkbox subscribers wish to hear from such 3rd parties outside of the business, and it must be granular and therefore specific about what is being signed up for.

Source: What is Granularity of Consent? Suzanne Dibble


3. Include a Link to Your Privacy Policy  

The opt-in sign up on your website should also include a link to your privacy policy. It needs to be a clickable link so the policy can be easily viewed.

Here’s an example of my opt-in for my website success guide

 

optin pop up example including privacy policy link

 

Contact Forms and GDPR

Contact forms should be approached with the sole purpose of someone getting in touch with you. The act of completing the form and clicking submit is clear consent for your company to use the data provided to you and to be able to make contact with a prospect using the method specified, eg, a telephone call or an email. 

The data provided should only be kept as long as is absolutely necessary to carry out what has been requested. If this contact eventually becomes an engaging prospect or a client then you will have different reasons to keep their data. However, at each subsequent phase, you must gain their consent before moving to the next stage.

For example, you cannot add someone to your mailing list who has completed your contact form. They would have to explicitly sign up to that. 

What you must include is a link to your privacy policy, so they have the opportunity to see how their data which they will send through the form is processed and stored. 

Here’s an example of my contact form on this site:

 

contact form gdpr example

 

Blog Comments and GDPR 

When a web visitor adds a comment to your blog, a name, email and website address are normally requested in order for them to leave a comment. The data provided along with the comment is stored in the comments area within the WordPress dashboard, where the comment is approved and replied to, or permanently deleted if it is a spam comment.

In order for this to be GDPR compliant, a checkbox to confirm the user is happy to agree to their data being processed in accordance with the terms of the website needs to be made available for the blog comments. 

There are a few plugins available through the WordPress repository which will add a simple checkbox under your comments area. I use WP GDPR Compliance, a simple plugin from Van Ons which does the job perfectly.

 

Google Analytics and GDPR

I mentioned Google Analytics in the cookies section. Google Analytics captures data relating to the traffic that comes to the website and tracks data such as the number of users, pages visited and length of time spent on the website. 

By default, Google Analytics tracks the data and also collects a small amount of personal data at the same time. The personal data captured is in the form of an IP address, but Google Analytics strips this data out before it reaches your reports, so although you do not see it in the reporting, it is still collected.

To make our analytics GDPR compliant we need to anonymise the IP address so that the source of the data cannot be identified by the personal data which is the IP address.

There are two ways you can do this. One is to add a line to the Google Analytics script, which will already be in the <head> of your website. Otherwise, if you are not sure how to do this, there are some plugins which can help you with this. If you use a reporting plugin, such as Monster Insights, there is a tick box to anonymise the IP address.
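As an added example, not code from the article or from Google, here is the gtag.js form of that one-line change together with a small function showing what the setting does to an address. The gtag.js `anonymize_ip` config parameter and the older analytics.js `ga('set', 'anonymizeIp', true)` call are real; the `UA-XXXXXXX-1` property id is a placeholder, and `anonymiseIp` is an illustration written here of the transformation Google documents for the setting (IPv4: last octet set to 0; IPv6: last 80 bits zeroed), not Google’s own code.

```javascript
// Added example (not the article's or Google's code).

// 1. The snippet form. In the page this is:
//      gtag('config', 'UA-XXXXXXX-1', { 'anonymize_ip': true });
//    The older analytics.js snippet uses: ga('set', 'anonymizeIp', true);
function gaConfigWithAnonymisation(propertyId) {
  return ['config', propertyId, { anonymize_ip: true }];
}

// 2. What the setting does to the address before it is stored: the last octet of
//    an IPv4 address becomes 0; the last 80 bits (five groups) of an IPv6 address
//    become 0. The result no longer points at a single connection.
function anonymiseIp(ip) {
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);                 // always 8 groups after expansion
    return groups.slice(0, 3).concat(['0', '0', '0', '0', '0']).join(':');
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('not an IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// Expand the "::" shorthand so an IPv6 address always has 8 groups, without leading zeros.
function expandIpv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) throw new Error('bad IPv6 address: ' + ip);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (missing > 0 && parts.length !== 2)) {
    throw new Error('bad IPv6 address: ' + ip);
  }
  return head
    .concat(new Array(missing).fill('0'), tail)
    .map((g) => g.replace(/^0+(?=.)/, '').toLowerCase());
}

// Constructed sample addresses (documentation ranges, not real visitors).
function demo() {
  return {
    v4: anonymiseIp('203.0.113.45'),                 // 203.0.113.0
    v6: anonymiseIp('2001:db8:85a3::8a2e:370:7334'), // 2001:db8:85a3:0:0:0:0:0
    config: gaConfigWithAnonymisation('UA-XXXXXXX-1'),
  };
}
```

The useful check after making the change is to confirm the parameter is actually present on the live page: view the page source and look for `anonymize_ip` in the gtag config call, because a plugin tick box that is not saved, or a cached copy of the old header, leaves the full address being sent.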

 

GDPR and Website Plugins

One of the main final tasks to do is to check all the plugins you use on your website are GDPR compliant. The important thing to watch out for is whether or not your plugin collects the IP address as part of its data processing. If it does collect the IP address, is there a way to turn it off in the settings? 

BlogMojo wrote an extensive article after conducting research into over 200 plugins analysing whether they were GDPR compliant and what to check or look out for. The last update was in June 2018 on this blog (see link below), so double-check that the information is still relevant and up to date for any particular plugin you use.  

Source: 200+ WordPress Plugins Checked for GDPR Compliance (+Plugin Recommendations): BlogMojo 

 

Summary: GDPR and Websites

The aim of this article was to give a clear and practical overview of the key areas to consider when implementing GDPR across your website. This overview is applicable to a typical site, but if you run an eCommerce or membership website, for example, there will be further considerations specific to that site.

The main areas of focus were the website policies which are required by law, cookie banners, opt-in and contact forms, blog comments, Google Analytics IP anonymisation and compliant WordPress plugins.

Remember, if you have specific business requirements then do seek specific legal advice. GDPR will affect your whole business and your website is just one aspect.

For further resources you can visit Suzanne Dibble, a qualified lawyer specialising in GDPR; I highly recommend her training and guidance. You can find Suzanne at:

Suzanne Dibble Website – fantastic resources and you can grab her free checklist for GDPR too 

GDPR for Online Entrepreneurs (for UK, US, CA, AU) – Suzanne’s Facebook Group, which grew during the time before GDPR, has heaps of resources, information and videos about different aspects of GDPR for businesses.

Or if you just want someone to take your website in hand, then please get in touch to arrange a GDPR website audit to take away the pain and overwhelm and get your site back on track. 

 

Imogen Allen


I'm a Website Strategist and the creator of The WIF®, on a quest to help stop projects waiting on content for all web agencies once and for all. Passionate about helping others find their website identity and championing websites which speak to humans in a language they understand.
