General Data Protection Regulation (aka GDPR) is a European privacy law that restricts how personal data is collected and handled. It came into force on May 25, 2018, and applies to businesses and organizations that operate in the European Union or process data of EU residents. To be compliant with this law, you need to ask your site’s visitors for consent to data collection and usage.
Here’s what your website should have:
List the following:
- Purpose of collected data
- Scope of collected data (scope in Piwik PRO)
- Cookies (cookies used by Piwik PRO)
- Data location
- Data storage period
- Sub-processors (Business or contractor through which the collected visitor data may pass.)
Tip: You can use this sample disclousure on your site.
- Form to collect data requests: Add a form that will allow people to look into, change, or remove their data. According to the GDPR, data subjects must be able to exercise their rights. Read more
- Procedure for responding to data subject rights: You can use a form in Consent Manager that is linked to the panel for managing visitor’s data requests. Read more
- Method for collecting data: We recommend using Consent Manager that lets you collect all data from visitors who consent and non-sensitive data from visitors who don’t consent (or none data from those visitors if you decide to do so). If you don’t want to use Consent Manager, you can turn off a session ID and visitor cookies. Data will be less accurate then, but that could be a way to stay compliant with privacy laws. Read more
- Form to collect consents: Ask visitors for consent before you collect their data. Describe in plain language what data you collect and what for. The form can’t have any pre-ticked checkboxes on categories of cookies apart from those strictly necessary for your website’s basic function. You can use our consent forms in Consent Manager. Read more
- Consent for using data by third-party services: Make sure that the tools and services you use on your website comply with the GDPR. Look at the data flow between your site and these services. If you plug in Google Ads, Facebook Ads, or similar tools to your website, add a remarketing consent. (The consent for remarketing is added automatically to a consent form when you use Google Ads or Facebook Pixel tag in Tag Manager.)
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So according to the GDPR, this information is treated as personal data:
- Online identifiers: IP addresses, cookie identifiers, account login, and other identifiers.
- Location data: geolocation of the website visitor.
- Other: email address, first name, last name, middle name, postal address, and more.
Data that is anonymous is exempt from the GDPR unless it can be re-identifiable.