Practical guide to tackling GDPR for your site

GDPR feels like a messy burden for most website owners. Most owners aren’t likely to do anything untoward with data, but the many suffer because of the few. On the flip side, being told clearly how your data will be used, and being able to make an informed decision about your own behaviour as a result, is probably a good thing.

This post lists the things to do on your site and covers a number of ways each of them can be done. So many guides out there have been written by plugin and service sellers, and they are simply self-serving: over-complicated and biased. That isn’t helpful.

The aspects of GDPR as we see them

This is based on research done on other blogs and websites and does not constitute legal advice. That’s out of the way.

  • Cookie consent – with all cookie types identified
  • Cookie policy – a clear explanation of what the visitor is consenting to
  • Privacy policy – providing guidance on data procedures, how to request data or request its deletion
  • Data usage based on entry and submission – providing a clear explanation of how data being entered will be used

There’s more to GDPR when it comes to the business as a whole, but the business processes that sit outside your website are out of scope here.

Cookie Consent & Cookie Policy

There are two schools of thought out there.

  1. Create a complicated “User Interface” for users to select which types of cookies to accept.
  2. Create a simple “acceptance” option with a link to more information if the site visitor can be bothered

Neither is strictly “implied consent”, but option 1 is definitely “explicit consent”. Option 2 only counts as explicit if the banner cannot be dismissed without an active click.

Here’s an interesting WordPress support thread that discusses the use of the UK Cookie Consent plugin.

Basically the discussion concludes the following:

  • You can place cookies from the moment a visitor lands on your site
  • The Cookie Notification should lead them to a page explaining what cookies are used and why
  • The cookie explanation page should also explain to them how they can use the standard browser functionality to delete cookies
  • The cookie explanation page could also include information on how to prevent cookies in the first place
  • Explicit consent is deemed to require selecting “accept” or similar in order to dismiss the banner
  • Explicit consent is not given by the banner disappearing after an elapsed time or on scrolling
  • Selecting “accept” places one more cookie that records the choice, so the banner doesn’t keep appearing

Ok, that’s all great. But we’re after an example of a ‘big dog’, or at least a decent-sized one, applying this interpretation.

Enter Frank Body…

These guys appear to be applying the above principles.

There’s a brief explanation of cookies. But if you want to be selective about cookies, they firmly direct you towards using your browser settings. They even provide a helpful link for each browser on how to configure your cookies.

It’s not slopey shouldered. It’s just sensible. It’s practical. And it’s completely in line with their brand anyway. But that’s not really the point.

This is validation that the above interpretation is not a standalone view. It’s one being taken in common practice by real businesses.

Anonymising Cookie Data

Personal data, often referred to as PII or Personally Identifiable Information, is the key consideration when it comes to the difference between “implied” and “explicit” consent. A cookie whose contents can’t be tied back to an individual is a much smaller problem than one that can.

Google Analytics allows IP addresses to be anonymised through a small modification of the tracking code; the masking is applied by Google as soon as a hit is received, before it is stored. Find more detail about anonymising Google Analytics here.
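To make the effect concrete, here is an added example written for this guide (it is not Google’s code and not from any plugin on this page). Google documents that its IP anonymisation zeroes the last octet of an IPv4 address and the last 80 bits of an IPv6 address. The code reimplements that masking so you can see what ends up in the report, and adds a check, isAnonymised, that you could run over a sample of your own access log to confirm addresses have been masked to the same degree. The log lines at the bottom are constructed for the example; the function names are my own.

```javascript
// Added example for this guide, not Google's implementation. Reproduces the
// documented Google Analytics IP masking: IPv4 loses its last octet, IPv6 its
// last 80 bits (the last five 16-bit groups).

function parseIpv4(ip) {
  const octets = ip.split('.');
  if (octets.length !== 4 || !octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  return octets.map(Number);
}

// Expand an IPv6 string (with or without "::") to eight four-hex-digit groups.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not an IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const missing = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 2 && missing < 1) throw new Error('not an IPv6 address: ' + ip);
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error('not an IPv6 address: ' + ip);
  }
  return groups.map((g) => g.toLowerCase().padStart(4, '0'));
}

// Print groups without leading zeros, e.g. "0db8" -> "db8", "0000" -> "0".
function formatIpv6(groups) {
  return groups.map((g) => g.replace(/^0+(?=\w)/, '')).join(':');
}

function anonymiseIpv4(ip) {
  const octets = parseIpv4(ip);
  octets[3] = 0;                       // drop the host part; keeps the /24
  return octets.join('.');
}

function anonymiseIpv6(ip) {
  const groups = expandIpv6(ip);
  for (let i = 3; i < 8; i++) groups[i] = '0000';   // zero the last 80 bits; keeps the /48
  return formatIpv6(groups);
}

function anonymiseIp(ip) {
  return ip.includes(':') ? anonymiseIpv6(ip) : anonymiseIpv4(ip);
}

// The address as it would print with no masking applied; used for comparison.
function canonicalIp(ip) {
  return ip.includes(':') ? formatIpv6(expandIpv6(ip)) : parseIpv4(ip).join('.');
}

// True when masking the address changes nothing, i.e. it is already anonymised.
function isAnonymised(ip) {
  return anonymiseIp(ip) === canonicalIp(ip);
}

// Apply the same masking to the client address at the start of common-log-format
// lines, so a retained web-server log matches what Analytics keeps.
function anonymiseLogLines(lines) {
  return lines.map((line) => {
    const [ip, ...rest] = line.split(' ');
    return [anonymiseIp(ip), ...rest].join(' ');
  });
}

// Constructed sample log lines (documentation-range addresses, not real visitors).
const SAMPLE_LOG = [
  '203.0.113.45 - - [25/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:00:02 +0000] "GET /blog HTTP/1.1" 200 2048',
];

console.log(anonymiseLogLines(SAMPLE_LOG).join('\n'));
```

The tracking-code change the page refers to is a single call: with analytics.js add `ga('set', 'anonymizeIp', true);` after the `ga('create', …)` line, and with gtag.js pass `{ 'anonymize_ip': true }` in the `gtag('config', …)` call for the property. GA4 properties do not store visitor IP addresses at all, so they have no equivalent setting. Note that masking the last octet only leaves 256 candidates, so it is a reduction of identifiability, not a guarantee of anonymity.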

Privacy Policy Implications Of GDPR

More on this soon…

Clear Explanation of use of Entered Data – like emails

Basically if you’ve got an email signup form or a comments form or a contact form, you need to be clear how you’re going to use the information.

There are, again, a couple of schools of thought.

  1. You need a thorough explanation or at least a link to a more detailed explanation at entry point
  2. You need a checkbox to force people to acknowledge what they’re agreeing to

Now practically, most form plugin providers, comments box providers etc. got their shit together and just took the option 2 ‘belt and braces’ approach. But there’s still an argument that says, if you’ve provided a clear explanation of what’s going to happen when a user enters their data and clicks “submit”, you’re pretty much covered. Maybe there’s an issue here with “recording” their agreement; however, I don’t see how a checkbox resolves this any more than a button click. Either way, what makes the record useful is storing what the visitor was shown and when, alongside the submission itself.

As long as you explain how the information will and could be used this would appear compliant.

So if, for example, they’re signing up for a blog email but you also use the email address to build lookalike or retargeting audiences on Facebook, those uses need to be explained too. That means an explanation covering:

  • Receiving a weekly article by email
  • Receiving retargeting Ads on social channels
  • Being used to find people with similar interests, so that advertising to others can be better targeted

Most of this explanation will go well over the head of anyone who isn’t a savvy marketer.

As a result, the risk here is fear caused by complication and lack of clarity. A real balance needs to be struck in the privacy policy and any ‘at entry’ messaging.

Advised Plugins and Settings

UK Cookie Consent Plugin

GeoIP Detection Plugin

Using these two plugins together, you can limit the annoying cookie notice to the regions where it’s relevant.

When setting up UK Cookie Consent, ensure the cookie banner is dismissed only as a result of an active click. So don’t set the banner to disappear after a certain length of time, or after scrolling.

More Examples Of Other Serious Sites taking the same approach to GDPR

More coming soon…

GDPR plugins that have a belt and braces approach

What I mean by this is that the plugin provides granular, explicit opt-in options. The key differentiating feature is that cookies are NOT placed until consent has been given for that specific cookie type.
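To show what the plugins in this section are doing under the hood, here is an added example written for this guide; it is not code from EziGDPR, UK Cookie Consent or any other plugin named on the page. It combines the two rules the page settles on: the click-only dismissal from the cookie consent section above (scrolling or a timer never counts as consent), and the ‘belt and braces’ rule from this section that tags which set non-essential cookies are held back until the visitor has accepted that category. The cookie name, lifetime and category names are assumptions chosen for the example, and the in-memory cookie jar stands in for document.cookie so the code runs outside a browser.

```javascript
// Added example for this guide, not any plugin's code. A consent manager that
// holds back analytics/marketing tags until an active click grants that category.

const CONSENT_COOKIE = 'cookie_consent';       // assumed cookie name
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;    // assumed lifetime: 180 days, in seconds
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// In-memory stand-in for document.cookie so the example runs in Node.
// In a page, supply an adapter whose set() writes "name=value; Max-Age=...; Path=/; SameSite=Lax".
function memoryCookieJar() {
  const jar = new Map();
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value, maxAge) => { jar.set(name, value); },
    names: () => [...jar.keys()],
  };
}

// Turn a stored consent value ("necessary,analytics") into a Set, or null if absent/invalid.
function parseConsent(raw) {
  if (!raw) return null;
  const cats = raw.split(',').filter((c) => CATEGORIES.includes(c));
  return cats.includes('necessary') ? new Set(cats) : null;
}

function createConsentManager(cookies) {
  let granted = parseConsent(cookies.get(CONSENT_COOKIE)); // null => no decision recorded yet
  const pending = { analytics: [], marketing: [] };         // loaders held back until consent

  function hasConsent(category) {
    return category === 'necessary' || (granted !== null && granted.has(category));
  }

  return {
    hasConsent,
    // The banner shows until a decision has been recorded by a click.
    bannerVisible: () => granted === null,
    granted: () => (granted ? [...granted] : []),

    // Register the tag (analytics script, ad pixel, ...) that sets cookies of this category.
    // Strictly necessary tags run at once; anything else waits for the visitor's choice.
    register(category, loader) {
      if (!CATEGORIES.includes(category)) throw new Error('unknown cookie category: ' + category);
      if (hasConsent(category)) loader();
      else pending[category].push(loader);
    },

    // Called when the banner goes away. Only trigger === 'click' records consent and
    // releases the held-back tags; 'scroll' and 'timeout' change nothing and return false.
    dismiss(trigger, chosen = ['analytics', 'marketing']) {
      if (trigger !== 'click') return false;
      const accepted = chosen.filter((c) => CATEGORIES.includes(c) && c !== 'necessary');
      granted = new Set(['necessary', ...accepted]);
      cookies.set(CONSENT_COOKIE, [...granted].join(','), CONSENT_MAX_AGE);
      accepted.forEach((c) => pending[c].splice(0).forEach((loader) => loader()));
      return true;
    },
  };
}

// Walk through a first visit (scroll, then a click accepting analytics only) and a
// return visit that reads the stored choice. Returns a trace rather than printing it.
function demoFirstVisit() {
  const cookies = memoryCookieJar();
  const cm = createConsentManager(cookies);
  const loaded = [];
  cm.register('necessary', () => loaded.push('session'));
  cm.register('analytics', () => { loaded.push('ga'); cookies.set('_ga', 'GA1.2.example', 2 * 365 * 86400); });
  cm.register('marketing', () => { loaded.push('fbp'); cookies.set('_fbp', 'fb.1.example', 90 * 86400); });

  const afterScroll = { dismissed: cm.dismiss('scroll'), loaded: [...loaded], banner: cm.bannerVisible() };
  const afterClick = { dismissed: cm.dismiss('click', ['analytics']), loaded: [...loaded], banner: cm.bannerVisible() };

  const revisit = createConsentManager(cookies);
  return {
    afterScroll,
    afterClick,
    cookies: cookies.names().sort(),
    revisitBanner: revisit.bannerVisible(),
    revisitMarketing: revisit.hasConsent('marketing'),
  };
}

console.log(JSON.stringify(demoFirstVisit(), null, 2));
```

The point to check in any plugin you adopt is the same as in demoFirstVisit: after a scroll or timeout the analytics cookie must still be absent, and after a click that accepts only analytics, the marketing pixel must still be held back, including on the next visit when the choice is read back from the consent cookie.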

First up EziGDPR…