How to make your website compliant with GDPR

General Data Protection Regulation (aka GDPR) is a European privacy law that restricts how personal data is collected and handled. It came into force on May 25, 2018, and applies to businesses and organizations that operate in the European Union or process data of EU residents.

The GDPR protects users and ensures that they know, understand, and consent to data collection and usage. So your company must be clear and concise about collected personal data, and you need to ask the website’s visitors for consent.

Here’s what your website should have:

  • Information on the privacy policy page: Inform visitors about the types of personal data that you gather, how you collect it, where you use it, and with whom (third parties) you share it. List the following: purpose, scope of tracking, cookies, data location, data retention period, subprocessors. Piwik PRO collects data from this scope using log files, cookies, and other tracking technologies. Piwik PRO also uses collected data to run scripts on the website if you use Tag Manager, to combine it with other data, and to create audiences if you use Audience Manager. You can contact us at support@piwik.pro, and we’ll share guidelines that may apply to your particular case.
  • Form for accessing, changing, or deleting data on the privacy policy page: Add a form that will allow people to look into, change, or remove their data. According to the GDPR, data subjects must be able to exercise their rights. For that, you can use our form for data subject requests in Consent Manager.
  • Procedure for responding to data subject rights: For that, you can use a form for data subject requests in Consent Manager that is linked to a panel for managing data subject requests.
  • Tracking method: By default, we use an anonymous tracking mechanism, but you can adjust it to opt-in-only tracking or zero-identity tracking depending on your company’s policy, local interpretation of the GDPR, and risk assessment. For more about tracking methods, read this article.
  • Pop-up, bar, or other form for collecting consents: Ask visitors for consent prior to data collection. Describe in plain language what data you collect and what for. The form can’t have any pre-ticked checkboxes on categories of cookies apart from those strictly necessary for your website’s basic function. For that, you can use our consent forms in Consent Manager.
  • Consent for using data by third-party services: Make sure that the tools and services you use on your website comply with the GDPR. Look at the data flow between your site and these services. If you plug in Google Ads, Facebook Ads, or similar tools to your website, add a remarketing consent. (The consent for remarketing is added automatically to a consent form when you use the Google Ads or Facebook Pixel tag in Tag Manager.)
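The consent rules in the list above (only strictly necessary categories may be on by default, no data collection before the visitor answers, and advertising tags gated on their own remarketing consent) can be enforced in a small browser-side consent gate. The following is an added example written for this article; it is not Piwik PRO’s Consent Manager or Tag Manager code, and the category names, tag names, form version and record shape are assumptions chosen for illustration.

```javascript
// Consent categories. Only "necessary" is on by default; every other category
// stays off until the visitor explicitly ticks it (no pre-ticked boxes).
const CATEGORIES = ["necessary", "analytics", "remarketing"]; // assumed names

function defaultConsent() {
  return { necessary: true, analytics: false, remarketing: false };
}

// Turn the submitted consent form into a consent record.
// - unknown fields are ignored,
// - "necessary" cannot be switched off (it is not consent-based),
// - an absent or unticked checkbox means "not consented" (silence is not consent),
// - the record keeps a timestamp and form version so the consent can be demonstrated later.
function consentFromForm(formValues, now = Date.now()) {
  const decision = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    decision[cat] = formValues[cat] === true;
  }
  return { decision, givenAt: now, formVersion: "v1" }; // version string is constructed
}

// Withdrawal must be as easy as giving consent: flip one category off and
// return a new record, leaving "necessary" untouched.
function withdrawConsent(consent, category, now = Date.now()) {
  if (category === "necessary" || !CATEGORIES.includes(category)) return consent;
  return { ...consent, decision: { ...consent.decision, [category]: false }, givenAt: now };
}

// Tags installed on the site, each declaring the category it depends on.
// The load callbacks stand in for injecting the real third-party script tag;
// here they only append to a log so the behaviour can be inspected.
function makeTagRegistry(log) {
  return [
    { name: "analytics-tracker", category: "analytics", load: () => log.push("analytics:load") },
    { name: "ads-remarketing-pixel", category: "remarketing", load: () => log.push("remarketing:load") },
    { name: "session-keepalive", category: "necessary", load: () => log.push("necessary:load") },
  ];
}

// Fire only the tags whose category the visitor consented to, and return the
// names of the tags that ran so the decision is auditable.
function runConsentedTags(registry, consent) {
  const ran = [];
  for (const tag of registry) {
    if (consent.decision[tag.category] === true) {
      tag.load();
      ran.push(tag.name);
    }
  }
  return ran;
}

// Before the form is answered, only strictly necessary tags may run.
function tagsBeforeConsent(registry) {
  return runConsentedTags(registry, { decision: defaultConsent() });
}

// Usage: gate tags on page load, then again once the visitor submits the form.
const pageLog = [];
const registry = makeTagRegistry(pageLog);
tagsBeforeConsent(registry);                                   // only "session-keepalive"
const record = consentFromForm({ analytics: true });           // visitor ticked analytics only
runConsentedTags(registry, record);                            // analytics + necessary, no remarketing
```

The point to check in your own implementation is the negative path: a form submission that omits a category, sets it to a non-boolean value, or tries to turn off the necessary category must still produce a record in which only explicitly ticked categories are true.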

Personal data according to GDPR

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

So according to the GDPR, this information is treated as personal data:

  • Online identifiers: IP addresses, cookie identifiers, account login, and other identifiers.
  • Location data: geolocation of the website visitor.
  • Other: email address, first name, last name, middle name, postal address, and more.

Data that is anonymous is exempt from the GDPR unless it can be re-identified.

When you use Piwik PRO on your website, you need to be aware that you’ll:

  • Use first-party cookies to collect data and run scripts on your website. All cookies are described in this article.
  • Collect data that are described in this article.
  • Share collected data with third-party tools if you use Google Ads or Facebook Pixel tag or other advertising tools connected to Piwik PRO.
  • Combine collected data with other data and create audiences based on collected data if you use Audience Manager.

When you adapt your website to GDPR rules, you need to talk to your legal team and come up with a clear and concise solution. Applying Consent Manager with consent forms and a backend system for managing data subject requests is one option. But you may also consider other ways of tracking that limit the amount of collected data, like cookieless tracking or zero-identity tracking. For more information on this topic, read this article.

Technical Support

If you have any questions, drop us a line at support@piwik.pro.

We’re happy to help!