Updates on the General Data Protection Regulation (GDPR)
Attention: Clients with active website and web application projects with audiences in Europe, the General Data Protection Regulation (GDPR) is now being enforced. It is, therefore, important to take note of the following items, as they may require you to take further action to adjust how user data is collected and stored.
Data, Fonts, Forms. If you haven’t already, the following merit further investigation to ensure compliance with the GDPR:
—Data Storage: Google Analytics Data Retention is a new feature provided by Google that can aid your GDPR compliance. It allows webmasters to set the amount of time before data stored by Google Analytics is automatically deleted from Analytics’ servers. The European Commission states that you “must store data for the shortest time possible”; what that period is remains for you to determine, but Data Retention gives you a means of eliminating user data rather than being caught holding it beyond a reasonable lapse of time. Note that this doesn’t affect standard Analytics reporting, but it may affect any advanced features or special reporting being used.
—Third-Party Custom Fonts: Custom fonts and other third-party hosted assets, such as TypeKit, may need to be included in your website’s privacy policy. Why? Purveyors of custom fonts may collect and track information, e.g., IP addresses, when serving them to users. If they do, you may want to update your privacy policy to inform your users as much.
—Form Usage: Forms are a great way to collect data and engage users who want more of your content. We highly recommend that you request consent so that users explicitly agree to anything you wish to send them. This may require adding language to the bottom of your form or including an “opt-in” checkbox that is unchecked by default. [Right: Finnegan uses forms to request consent.]
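As an added illustration (not RubensteinTech’s code or part of this notice), a small JavaScript form handler that renders the opt-in box unchecked, treats only an explicit tick as consent, and keeps a record of what was agreed to; the field name, purpose label and policy version are assumptions:

```javascript
// Added example: opt-in consent handling for a web form.
// Field name, purpose label and policy version are assumed, not from the notice.

// Render the checkbox without a "checked" attribute so the default is opt-out.
function renderConsentCheckbox(label, fieldName = "newsletter_optin") {
  return `<label><input type="checkbox" name="${fieldName}" value="yes"> ${label}</label>`;
}

// Only an explicit affirmative value counts as consent. A missing field,
// an empty string or "false" means the box was left unchecked.
function consentGiven(formFields, fieldName = "newsletter_optin") {
  const raw = formFields[fieldName];
  if (raw === undefined || raw === null) return false;
  const v = String(raw).trim().toLowerCase();
  return v === "on" || v === "true" || v === "1" || v === "yes";
}

// Build a consent record to keep with the submission: what the user agreed
// to, when, and which wording (policy version) they saw at the time.
function buildConsentRecord(formFields, purpose, policyVersion, now = new Date()) {
  return {
    email: String(formFields.email || "").trim(),
    purpose,
    policyVersion,
    consented: consentGiven(formFields),
    consentedAt: now.toISOString(),
  };
}

// Decide what the form handler may do with the submission: the address is
// only added to the mailing list when consent was explicitly given.
function handleSubmission(formFields, policyVersion) {
  const record = buildConsentRecord(formFields, "marketing-email", policyVersion);
  return { storeForMailing: record.consented, record };
}

// Constructed sample submissions (not real user data).
const unchecked = { email: "user@example.com" };                        // box left empty
const checked = { email: "user@example.com", newsletter_optin: "yes" }; // box ticked

console.log(renderConsentCheckbox("I agree to receive the newsletter."));
console.log(handleSubmission(unchecked, "privacy-2018-05").storeForMailing); // false
console.log(handleSubmission(checked, "privacy-2018-05").storeForMailing);   // true
```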
Why this is important: Your website may already be covered in most respects for GDPR, but it’s critical to properly obtain consent from users (and then to handle their data properly).
“Consent” has different definitions and determining what is specifically meant, as it pertains to the GDPR, can be difficult. This GDPR Consent Guidance document may be helpful in your quest.
What action will RubensteinTech take and when? Current RubensteinTech clients can request a review of their site to determine whether any form-related changes are recommended or whether third-party fonts are being used that require privacy policy updates. Because the GDPR deadline has already passed, these requests will be scheduled into our workflow as soon as possible. To make these and any other GDPR-related changes, please contact Support.
What happens if we do nothing? If your business is not compliant with the GDPR, your business may be subject to penalties.
It’s also worth noting that, while your website may not get flagged in violation immediately, it can happen at any time without notice. The GDPR is well-documented, but it’s not yet clear to what extent the EU will be enforcing this new law and who, if anyone, will be targeted. All businesses (and therefore websites) are subject to this new regulation. As the first companies have already been flagged by the EU as not being GDPR compliant, we recommend being compliant and vigilant.
As with all RubensteinTech GDPR notifications, the above does not constitute legal advice. We recommend that you consult with legal counsel to determine appropriate GDPR compliance for your business.
In the event that you don’t know what the GDPR is… please read our previous alert for an overview of the GDPR.
For more information on this matter, please visit the following:
— RubyApps Insights: GDPR you ready?
— Google Analytics Data Retention
— Adobe TypeKit Privacy Policy
— Key Changes with the GDPR
— Medium: How to Design GDPR Compliant Consent
— Consultation: GDPR Consent Guidance
— TechCrunch: Facebook, Google face first GDPR complaints over ‘forced consent’