On May 25th, the General Data Protection Regulation (GDPR) went into effect, providing European Union residents insight into how their personal information is collected, stored, and used by websites. Just being located outside the EU does not relieve your company from having to comply—the regulation protects any user accessing your website from within the EU.
Under GDPR, personal data is defined as information that can be used to identify someone, directly or indirectly. This includes IP and email addresses, cookies, location data, and names. We recommend you take the following four precautionary measures, and, of course, seek legal counsel.
1. Update Google Analytics’ Data Retention settings to 50 months
Google Analytics users are now required to set the length of time user-level and event-level data is stored on its servers before that data is automatically deleted. This update will not affect aggregated data currently used in dashboards, but will affect components such as “Custom Segments” that rely on advertising user IDs, cookies, etc.
2. Update your website’s Privacy Policy to ensure it addresses the collection and use of all website and customer data
Inform users how the information your company collects is used, who it is shared with, and how they can act on their right to be forgotten. Privacy Policy Generators, such as Iubenda’s, provide helpful tools for getting started. See this example from AdRoll for reference.
3. Add a pop-up to your website that requires user consent
We recommend intercepting new visitors with a message such as, “We use third-party cookies to improve your experience and to analyze the use of our website. If you continue, we assume that you consent to receiving all cookies on our site. For more information, click here [link to privacy policy].” HubSpot and WordPress offer out-of-the-box GDPR and pop-up plugins for this purpose.
Example of a user consent pop-up
4. Add a disclaimer to any lead capture forms that explain the exact use of a user’s email address and contact information.
This disclaimer can be a one-liner that links to your company’s privacy policy. For example, “Opt-in now to get discounts and exclusive offers. For more information, click here [link to privacy policy].”
If you have questions about GDPR, how to ensure you’re compliant, or want help executing the steps above don’t hesitate to reach out.
