This post outlines current best practice for compliance with the General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR). It also offers suggested solutions for managing and future-proofing the privacy and consent preferences of your target visitors around the world.
Requirements, in a nutshell
Your website should have:
- A system for asking website visitors for explicit consent to the use of cookies; for allowing them to change their preferences; and for recording their consent.
For best practice, your privacy and cookies statements should be separate, allowing each to be clearly signposted through a link from your website footer.
Your use of email when contacting past, current and potential clients should also conform with the GDPR & PECR requirements.
We’ve found that many of our clients took GDPR seriously when it was implemented in May 2018, and put a great deal of work into compliant privacy policies; however, the requirements of PECR for cookie consent were open to different interpretations at the time, and many organisations elected to do without a cookie consent system entirely, or to use an ‘informational only’ cookie banner that told visitors cookies were in use without asking for consent. In addition, many cookie policies fail to explicitly list the cookies in use on the site. Policies are also often not reviewed and kept up to date when regulations change, such as the transition from GDPR to UK GDPR after Brexit.
Future-proofing your policies
Privacy and consent regulations are not a new thing; the EU ePrivacy directive or ‘Cookie Law’, on which the PECR is based, came into being in 2002 and was responsible for the advent of the cookie banner. However, we have recently seen a lot of activity in the privacy and consent regulatory sphere, as people have become far more attached to their personal data and have got wise to how they can be tracked and targeted.
And of course in January 2021 the UK officially left the EU and created its own UK GDPR; now all UK businesses providing services through a website to the EU will have to maintain both UK and EU compliant privacy and cookie policies.
Compliance will only become more challenging to manage; data privacy and the right to consent are global issues that are gaining momentum, yet they are handled in a myriad of ways. Data and consent legislation at a national (or US state) level is becoming commonplace and will affect anyone doing business (providing services or making sales) locally.
This is a brief overview of issues to consider when creating compliant privacy policies. More detail on the UK GDPR is available in the Guide to UK GDPR on the Information Commissioner’s Office website.
- To be GDPR compliant, it must explicitly state what data is collected, whether by your business or by any third-party services your website uses; how it will be used; where it will be held; how long it will be held for; how the user can opt out of the data being collected; and what the user’s rights are with regard to their data.
- International data transfer must also be considered and identified, for example, will the data collected by your website – or other means – be transferred to other locations outside of the UK? You may use, for example, a mailing list service like Mailchimp based in the USA.
- If you target customers or clients worldwide, then regional data protection legislation may need to be considered, e.g. California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA) and the federal Children’s Online Privacy Protection Act (COPPA).
- It must explicitly state what cookies are used and why, with particular attention to third-party cookies and how to remove them or switch them off.
Cookie consent bars
- An ‘Accept all’ option is allowed as long as the option to select and save preferences is also available.
Other legal documentation
Doing ‘business’ incurs risk and where possible businesses generally try to limit that risk. It is important to remember that your website is an extension of your business and it can expose the business to risk. In addition to website specific legal documentation, there are other legal documents that it can be helpful, and prudent, to include on your website.
- Terms of service: a document that limits liability by setting out the rules for using the website, as well as outlining how the business will conduct itself during the provision of any service given through the website.
- Disclaimer: a statement that limits liabilities, which can be particularly useful for businesses recommending third-party products or featuring information and advice that might not be appropriate for all website visitors to follow.
Penalties for non-compliance
The penalties for non-compliance with GDPR / UK GDPR / PECR can be steep, even if the risk of suffering them is low; it’s important to understand the potential consequences.
- GDPR: whichever is higher of £2 million or 4% of annual worldwide turnover;
- PECR: up to £500,000 fine;
- And, of course, a loss of client trust if you are obviously non-compliant.
What steps can you take to be GDPR and PECR compliant?
You may already meet all the requirements above, with standalone compliant privacy and cookie policies, an explicit list of cookies used, and a cookie consent management system. If you don’t, then you have various options open to you.
One is doing nothing – we don’t recommend this, but you may decide the risk of prosecution is small and the burden of compliance outweighs that risk.
Privacy & cookie policies
If you don’t already have compliant policies, then you may:
- Write your own.
- Use a full privacy suite service which offers auto-updating policies and may include a cookie consent system too; popular ones include Complianz, Termly and Iubenda. They require a little work in customisation but make the process as easy as possible.
- Or, if your needs are complex or irregular, you may wish to hire consultants to write your policies with/for you. Herbert and Ball LLP have worked with some of our clients to create fully customised website documentation.
Cookie consent system
Again, there are many cookie consent management systems compatible with WordPress websites.
- Of the more advanced and polished systems which offer fully compliant management of explicit consent and granular controls, we have worked with Complianz, Truendo, Termageddon and others. Our recommendation is Complianz, which offers:
- Complianz (premium): includes additional features such as auto-updating privacy and cookie policies (to conform with changes in legislation), terms of service, disclaimer, full consent statistics and a geodetection system so you only show appropriate cookie banners and policies to the right visitors, depending on their region. Price is $45/yr.
Note: any cookie management system may need a little work integrating with other plugins and services on your website, to make sure their cookies and scripts can be disabled according to the user’s choices.
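To make the consent requirements above concrete, here is an added illustration (not code from the original post, and not how Complianz or any other named product works internally) of the state a consent management system has to keep: a record of which cookie categories the visitor explicitly granted, stamped with the version of the cookie policy they agreed to, used to gate non-essential scripts. The category names, the policy version label, the script manifest and the storage format are all assumptions made for this example. A stale policy version causes the visitor to be asked again, which is how a system copes with the policy updates the post says are often neglected.

```javascript
// Added example: a minimal consent-state model for a cookie consent system.
// Assumptions (not from the post): three categories, a hypothetical policy
// version string, and a constructed manifest of scripts tagged by category.

const POLICY_VERSION = "2021-03"; // hypothetical label of the current cookie policy
const CATEGORIES = ["necessary", "statistics", "marketing"];

// Constructed manifest: which scripts the site would load and which category
// of consent each one needs. Only "necessary" may run without consent.
const SCRIPT_MANIFEST = [
  { src: "/js/site.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Build a consent record from the visitor's choices. "necessary" is always on;
// every other category is off unless the visitor explicitly set it to true.
// Calling this again with new choices is how "change my preferences" works.
function createConsentRecord(choices, policyVersion = POLICY_VERSION, now = Date.now()) {
  const saved = {};
  for (const c of CATEGORIES) {
    saved[c] = c === "necessary" ? true : choices[c] === true;
  }
  return { choices: saved, policyVersion, recordedAt: new Date(now).toISOString() };
}

// "Accept all" is permitted alongside granular choice; it is just a record
// with every category granted.
function acceptAll(policyVersion = POLICY_VERSION, now = Date.now()) {
  const all = {};
  for (const c of CATEGORIES) all[c] = true;
  return createConsentRecord(all, policyVersion, now);
}

// The banner must be shown when there is no record, or when the record was
// given for an older version of the policy than the one now in force.
function needsPrompt(record, currentVersion = POLICY_VERSION) {
  return !record || record.policyVersion !== currentVersion;
}

// A category is allowed only if it is "necessary" or the visitor granted it
// under the current policy version. Absence of a decision means "no".
function isAllowed(record, category, currentVersion = POLICY_VERSION) {
  if (category === "necessary") return true;
  if (needsPrompt(record, currentVersion)) return false;
  return record.choices[category] === true;
}

// Filter the manifest down to the scripts that may be injected into the page.
function scriptsToLoad(manifest, record, currentVersion = POLICY_VERSION) {
  return manifest
    .filter((s) => isAllowed(record, s.category, currentVersion))
    .map((s) => s.src);
}

// Persist the record as a single cookie value (URL-encoded JSON) and read it
// back defensively: anything malformed is treated as "no consent recorded".
function serialise(record) {
  return encodeURIComponent(JSON.stringify(record));
}

function deserialise(value) {
  if (!value) return null;
  try {
    const r = JSON.parse(decodeURIComponent(value));
    return r && typeof r === "object" && r.choices ? r : null;
  } catch (e) {
    return null;
  }
}
```

In a real site the record would be written to a first-party cookie or localStorage, `needsPrompt` would decide whether to render the banner, and `scriptsToLoad` would drive which `<script>` tags are injected; the point of the model is that nothing outside the necessary category runs until an explicit, current-version decision exists.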