We know that publishers everywhere are confused by GDPR and what it means for them, so we asked Jamie Lieberman of Hashtag Legal to break down GDPR in clear, straightforward fashion.
NOTE: We’re currently working on a custom solution for Mediavine publishers that will allow for explicit consent (as Jamie discusses at length below) from European Union-based web visitors.
Stay tuned for more details in the coming weeks. In the meantime, take a moment to read Jamie’s post to learn more about what GDPR is and what these new regulations require of publishers.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union law taking effect May 25, 2018. The intent of GDPR is to give residents of the European Union greater control over how their personal information is collected, stored and used.
Well, that sounds awesome. But I’m not located in the European Union. Do I have to comply?
It’s possible. GDPR applies to anyone, including those located outside of the European Union, who is collecting or processing personal data of an EU resident.
Note: residency does not require that a visitor to your website be an EU citizen. For example, if an American citizen lives in the European Union, the law applies to them too.
Help! What does “personal data” mean? How do I know if I’m collecting it?
Personal data is any information that can be used to identify someone. This doesn’t just include asking for a website visitor’s name and email address. Personal data also includes indirect data collection, such as collecting IP addresses or location data.
In other words, if you are collecting information that could identify a visitor to your website, the GDPR most likely applies to you. Some common examples are:
- Embedding content from other sites or use of social widgets.
- Collecting information for your email list.
- Running a subscription service through your website.
- Selling products or offering free downloads through your website.
How Do I Comply?
To start, always remember the phrase: “explicit consent.” If you collect the personal data we described above from an EU resident, GDPR requires that you obtain explicit consent before doing so.
In other words, your visitor’s consent must be voluntary, specific, informed and unambiguous. Your EU visitors should also automatically have strict privacy settings in place, should you offer a service that allows them to control the settings.
Therefore, before you collect any personal information, any EU resident visiting your website should be presented with the opportunity to affirmatively opt-in to any data collection.
Importantly, the opt-in should not precondition use of your website on their acceptance. That means you should not rely on a box that has already been checked or silence to indicate a visitor accepts that you will be collecting their personal information.
We recommend presenting any EU resident visiting your website with a checkbox to affirmatively click that gives you permission to obtain their personal information. In that box, you should use a clear statement, with no legalese, that is easy to understand, is separate from other terms and conditions, and explains what you are doing with the data you seek to collect. You should also let your visitors know if any third parties will be relying on this consent and how your visitor may withdraw consent.
This is an important detail. If you would like to use your visitor’s data for multiple purposes, e.g. subscribing to your mailing list and sending a free download, you must inform the visitor of each purpose and allow them to consent or decline for each one separately.
Finally, a parent must give consent for any website to collect personal data of any child under the age of 16, so be sure you know from whom you are collecting information.
Checklist to Create a Compliance Plan
1. Audit your website
- Determine what data you collect when a visitor accesses your website.
- Examine the data you collect to determine if you have information from any EU residents.
- Review your third-party service providers to see how they are handling GDPR compliance.
- Be more specific about the information you collect, including how you use it and how it is transferred to or shared with third-party providers.
- Include a process for EU residents to request access to their personal data or to be forgotten.
3. Obtain Explicit Consent for each reason you collect personal data
Remember, you may need to obtain explicit consent more than once. Consider the following common areas for publishers to engage in data collection, as any of these services could potentially trigger GDPR requirements:
- Google Analytics
- Retargeting Ads and Tracking Pixels
- E-mail list opt-in
- Affiliate Links
- Display Ads
- Contact Forms
- Product Sales
This is just a brief overview of some of the potential implications for publishers when GDPR is official on May 25, 2018. The law is quite complicated, so if you have questions or concerns, contact an attorney to discuss your business needs and to assist you in becoming GDPR compliant. Don’t be afraid!
We’ll be continuing the GDPR discussion with Jamie in a Facebook Live next Monday, April 30th at 12:30 p.m. EST.
If you’d like additional resources on GDPR for U.S. businesses, give a listen to episode 32 of The Businessese Influencer Marketing podcast. It’s co-hosted by Jamie and her business partner and fellow attorney Danielle Liss.
Jamie Lieberman is a partner and founder of Hashtag Legal, a law firm specializing in influencer marketing and online businesses. Jamie has been practicing law for more than ten years and loves partnering with her clients to help them build their businesses, using her experience as a lawyer and business owner.
She has experience with trademark and copyright registration, drafting website, online products and mobile application terms and conditions, privacy policies and contracts, advising about proper FTC disclosures and entity formation.
Jamie is also the co-host of the Businessese Influencer Marketing Podcast, producing interviews and content about the business of influencer marketing.