How to make your website compliant with GDPR
General Data Protection Regulation (aka GDPR) is a European privacy law that restricts how personal data is collected and handled. It came into force on May 25, 2018, and applies to businesses and organizations that operate in the European Union or process data of EU residents.
The GDPR protects users and ensures that they know, understand, and consent to data collection and usage. So your company must be clear and concise about collected personal data, and you need to ask the website’s visitors for consent.
Here’s what your website should have:
- Procedure for responding to data subject rights: For that, you can use a form for data subject requests in Consent Manager that is linked to a panel for managing data subject requests.
- Tracking method: By default, we use an anonymous tracking mechanism, but you can adjust it to opt-in-only tracking or zero-identity tracking depending on your company’s policy, local interpretation of the GDPR, and risk assessment. For more about tracking methods, read this article.
- Pop-up, bar or other form for collecting consents: Ask visitors for consent prior to data collection. Describe in plain language what data you collect and what for. The form can’t have any pre-ticked checkboxes on categories of cookies apart from those strictly necessary for your website’s basic function. For that, you can use our consent forms in Consent Manager.
- Consent for using data by third-party services: Make sure that the tools and services you use on your website comply with the GDPR. Look at the data flow between your site and these services. If you plug in Google Ads, Facebook Ads, or similar tools to your website, add a remarketing consent. (The consent for remarketing is added automatically to a consent form when you use Google Ads or Facebook Pixel tag in Tag Manager.)
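As an added illustration (not Piwik PRO’s Consent Manager code), the following JavaScript models the rules above: only strictly necessary cookies are pre-ticked, a tag runs only after its category has been consented to, and ad tags such as Google Ads and Facebook Pixel require the remarketing category. The category and tag names are assumptions made for the example.

```javascript
// Consent categories shown on the form. "required" marks strictly necessary
// cookies, the only category that may be pre-ticked (assumed names).
const CATEGORIES = {
  necessary: { required: true },
  analytics: { required: false },
  remarketing: { required: false },
};

// Default form state before the visitor answers: nothing is pre-ticked
// except the strictly necessary category.
function defaultConsentState() {
  const state = {};
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    state[name] = cat.required;
  }
  return state;
}

// Audit a proposed default state: any non-necessary category that defaults
// to true is a pre-ticked checkbox and therefore a GDPR defect.
function preTickedViolations(state) {
  return Object.keys(state).filter(
    (name) => state[name] && !(CATEGORIES[name] && CATEGORIES[name].required)
  );
}

// Tags on the page and the consent category each needs (constructed list).
// Ad tags need "remarketing"; the analytics tracker needs "analytics".
const TAGS = [
  { id: 'piwik-pro-tracker', needs: 'analytics' },
  { id: 'google-ads', needs: 'remarketing' },
  { id: 'facebook-pixel', needs: 'remarketing' },
  { id: 'session-cookie-check', needs: 'necessary' },
];

// Tags allowed to run for a given consent record. With no stored consent
// (visitor has not answered yet) only "necessary" tags may run.
function allowedTags(consent) {
  const granted = consent || defaultConsentState();
  return TAGS.filter((t) => granted[t.needs] === true).map((t) => t.id);
}

// Categories the consent form must present, derived from the tags in use
// (e.g. adding Google Ads or Facebook Pixel pulls in "remarketing").
function requiredCategories(tags) {
  return [...new Set(tags.map((t) => t.needs))];
}
```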
Personal data according to GDPR
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So according to the GDPR, this information is treated as personal data:
- Online identifiers: IP addresses, cookie identifiers, account login, and other identifiers.
- Location data: geolocation of the website visitor.
- Other: email address, first name, last name, middle name, postal address, and more.
Data that is anonymous is exempt from the GDPR unless it can be re-identified.
When you use Piwik PRO on your website, you need to be aware that you’ll:
- Use first-party cookies to collect data and run scripts on your website. All cookies are described in this article.
- Collect data that are described in this article.
- Share collected data with third-party tools if you use Google Ads or Facebook Pixel tag or other advertising tools connected to Piwik PRO.
- Combine collected data with other data and create audiences based on collected data if you use Audience Manager.
When you adapt your website to GDPR rules, you need to talk to your legal team and come up with a clear and concise solution. Applying Consent Manager with consent forms and a backend system for managing data subject requests is one option. But you may also consider other ways of tracking that limit the amount of collected data, like cookieless tracking or zero-identity tracking. For more information on this topic, read this article.