Overview
Since GDPR came into effect in 2018 in Europe, more and more countries have followed suit. The shift toward consumer data protection across the globe has resulted in CCPA, LGPD, and POPI, among others. According to DLA Piper, the following are already in effect or will be in effect shortly:
As such regulations spread worldwide, sooner or later, each and every business will be forced to adhere to data privacy regulations. This will impact anyone who runs a website, too.
Data collection prior to GDPR
Prior to the introduction of the GDPR, data collection was completely hassle-free and did not require user consent. The user opened a web page in a browser on their device, and as soon as the website was downloaded, various scripts (so-called tags) sent data to the corresponding systems – regardless of whether these were web analytics systems or marketing automation platforms. Even the mere inclusion of certain technologies triggered data collection by third parties (e.g., Google Maps or YouTube).
(Some) Requirements to fulfill GDPR
Let’s briefly examine some of the requirements to fulfill GDPR regarding data collection on websites.
|Requirement|Description|
|---|---|
|Consent on a free-will basis|User must be able to provide consent freely, and it must be possible to access the website without consent (i.e., without accepting those services that are not technically necessary to provide the service).|
|Making informed decisions|All relevant information (i.e., purpose of processing, processor, etc.) must be available at the point of giving consent.|
|Granularity|The purpose of the data collection must be explained granularly; general consent is not valid.|
|Explicitness|Consent must be given explicitly, e.g., by clicking or tapping; implicit consent is not considered valid.|
|Consent prior to data collection|Technologies not covered by legitimate interest should only be loaded if consent was given.|
|(Easy) Opt-out|Refusing to consent or revoking a given consent must be as easy as giving consent.|
|Documented consent|The website owner must be able to prove that the user’s consent was given and that the consent meets the requirements for valid consent.|
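
The "consent prior to data collection", granularity, opt-out and documented-consent rows above can be enforced in one place on the page. The sketch below is an added example, not code from the original article or from any consent-management product; the class, tag names, purposes and the notice version string are all hypothetical.

```javascript
// Added example: every name here is hypothetical, not a real CMP API.
class ConsentGate {
  constructor(loadTag, now = () => new Date().toISOString()) {
    this.loadTag = loadTag;    // in a browser this would append a <script> element
    this.now = now;
    this.tags = [];            // { name, purpose, exempt }
    this.granted = new Set();  // purposes the user explicitly accepted
    this.loaded = new Set();   // tag names already started
    this.log = [];             // append-only record for "documented consent"
  }
  // exempt = technically necessary or covered by legitimate interest (site owner's call)
  register(name, purpose, exempt = false) {
    this.tags.push({ name, purpose, exempt });
    this.flush();
  }
  // Call only from an explicit click/tap, one purpose at a time (granularity).
  grant(purpose, noticeVersion) {
    this.granted.add(purpose);
    this.log.push({ action: "grant", purpose, noticeVersion, at: this.now() });
    this.flush();
  }
  // Opt-out is one call, like opt-in. Returns tags already running that need teardown.
  revoke(purpose) {
    this.granted.delete(purpose);
    this.log.push({ action: "revoke", purpose, at: this.now() });
    return this.tags.filter(t => t.purpose === purpose && this.loaded.has(t.name)).map(t => t.name);
  }
  // Start every registered tag that is exempt or whose purpose has consent, once.
  flush() {
    for (const t of this.tags) {
      if (this.loaded.has(t.name) || !(t.exempt || this.granted.has(t.purpose))) continue;
      this.loaded.add(t.name);
      this.loadTag(t);
    }
  }
}

// Constructed scenario: three tags, consent given for analytics only, then revoked.
function demo() {
  const fired = [];
  const gate = new ConsentGate(t => fired.push(t.name), () => "2024-01-01T00:00:00Z");
  gate.register("session-cookie", "essential", true);
  gate.register("web-analytics", "analytics");
  gate.register("video-embed", "media");
  const beforeConsent = [...fired];
  gate.grant("analytics", "notice-v1");
  const afterGrant = [...fired];
  const teardown = gate.revoke("analytics");
  return { beforeConsent, afterGrant, teardown, log: gate.log };
}
console.log(JSON.stringify(demo()));
```

A tag that is already running cannot be stopped by this class; the list returned by `revoke` is what the page still has to stop or clear itself.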