
Importance of the coming EU GDPR (General Data Protection Regulation)

New regulations to limit data collection for Google, Facebook, and others

8:16 pm on Jan 27, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:May 29, 2003
posts:779
votes: 19


GDPR = General Data Protection Regulation

It appears that Google <and Facebook> will be required to change their TOS.

The current "Accept" will no longer apply to everything that it does now.
A separate "data collection approval" will be required.

Facebook And Google’s Surveillance Capitalism Model Is In Trouble
Huff Post - Politics - 1/27/2018
[huffingtonpost.com...]


[edited by: Robert_Charlton at 1:44 am (utc) on Jan 28, 2018]
[edit reason] HuffPost article is about both Google and Facebook [/edit]

11:55 am on Jan 30, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11993
votes: 311


Sally, thanks for calling attention to GDPR, an important topic that isn't getting sufficient attention, particularly not in the US. I've taken the liberty, as a mod in Google SEO News, of broadening your title, originally focused on anticipated trouble for Google Ads, making several edits and additions, and also of moving this thread to a more general forum. For reference...

Your original title and description...
More Ad Trouble Ahead For Google
- GDPR to limit data collection

The Huffington Post article you've cited is an excellent introduction to the data collection and privacy concerns that have motivated the current situation and EU's new regulations.

Here are several additional references to get into some of the details of the Regulations, which will affect webmasters and web marketing in significant ways.

For one, we currently have an excellent discussion here in our Analytics forum. The thread title should be self-explanatory....

EU GDPR (General Data Protection Regulation) and Analytics cookies
How will this affect webmasters?
https://www.webmasterworld.com/analytics/4877103.htm [webmasterworld.com]

The discussion goes into a lot of the concerns about operational questions raised by the law and how they might affect webmasters.

Also, here's a Business Insider article interviewing a privacy expert, which I've felt was particularly good in explaining what marketers need to know about the law and discussing some strategies. I'd call the article a "must read"...

Marketers need to comply with coming European data law or risk fines
Business Insider - Oct. 4, 2017
[businessinsider.com...]

A web privacy expert lays out everything you need to know about the new rule that could upend the marketing business....

- European regulators will start cracking down on the use of data for web ad targeting starting next May.
- Any digital media company or ad tech firm doing business globally will need to make adjustments or risk major fines, says web privacy expert and Evidon CEO Scott Meyer.
- "Somebody is going to get strung up really fast."

To give an idea of the language of the law, here's a quoted section from the GDPR language on consumer data consent:
Consent
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

The article points out how unprepared many marketers are for these new regulations. Not all US businesses need to be concerned, but some doing business internationally should be. As I've said, I think the article is worth a careful read.

I can't resist mentioning that one of the other articles I chanced to read today was a fairly long overview in a major online marketing publication about the importance of personalization in 2018... but with absolutely no mention of GDPR on the horizon, which could have a significant effect on those predictions.

2:29 pm on Jan 30, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1546
votes: 200


Here's a link to the UK's ICO. It appears there is no US equivalent to compare it to, but they are responsible for policy in regards to data handling (a wider remit than GDPR):
Guide to the General Data Protection Regulation (GDPR) [ico.org.uk]

Key Terms
Data Subject - The visitor
Data Controller - The entity the visitor intends to interact with
Data Processor - Any entity doing anything useful with the data
Personal Data - Anything that can be conceivably used to identify a person. Includes email addresses, IP addresses and the obvious stuff like names, street address, unique official references (Social Security number, National Insurance number, passport number, etc)

While Facebook and Google might be facing problems (and analytics and re-marketing for all EU-serving sites will be affected), consent is by far the weakest reason for justifying data-processing. Try these:

Grounds For Collecting Data
Consent [ico.org.uk]
You ask, they give. Be explicit. Also, Avoid.

Contract [ico.org.uk]
Data processing essential to a contract. This is a good one for ecom - but excludes remarketing or analytics.

Legal Obligation [ico.org.uk]
Possibly applicable to ecom, especially for Export and tax reasons. I would also argue that some Consumer Law requires evidencing of comms to consumers. You would need to keep the contact info to prove you sent it to an appropriate place.

Vital Interests [ico.org.uk]
Not my remit, but only for life and health. And only then when "Consent" is not possible.

Public Task [ico.org.uk]
Generally, you are part of the State, or a contractor for same.

Legitimate Interests [ico.org.uk]
IANAL. But this one is for you. Certainly it is for Big Data. Look what it covers:
    The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Obligations under GDPR
So you have collected data for a legitimate reason, probably without needing consent (either explicit or unambiguous, depending on how sensitive). Easy right? Wrong!

Now you have obligations. Some of these are onerous. Be afraid, very afraid...

Right to be informed [ico.org.uk]
Easy. This is a privacy notice. No problem.

Right of access [ico.org.uk]
Without delay, and no more than a month after request, you must present all data, free of charge, and without breaching anyone else's privacy. Across your organisation, and within any partner organisations. I suggest mining your own data automatically, and having a utility that displays it to a customer behind a login, on request.

Right to rectification [ico.org.uk]
If you have done the above, then rectifying should be easy.

Right to erase [ico.org.uk]
Be aware this is not a universal right. But it is for anything gained under "consent" - think of the nightmare of IPs and analytics.

Right to restrict processing [ico.org.uk]
Basically like Erasure, but when you are not obliged to erase. You can't touch it. Pseudonymisation is the way forward, IMHO.

Right to data portability [ico.org.uk]
"It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability."

Right to object [ico.org.uk]
As far as I can tell, this is effectively the same as Right to restrict Processing, but includes making use of data.

Rights in relation to automated decision making and profiling [ico.org.uk]
This apparently requires consent. Good luck to airports. Or indeed concert organisers.

Grounds Vs Obligations
Some grounds for data processing mean you do not have to undertake all obligations. For example, on the "Legal Obligation" grounds, you are not obliged to Erase or Port data.

For a Pro Vs Con breakdown, see this table. [ico.org.uk]

9:11 pm on Jan 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Oct 5, 2012
posts:775
votes: 98


It appears that Google <and Facebook> will be required to change their TOS.


OR...

It appears that residents of the EU may be required to use something other than google <and Facebook> in the near future.


Also, likely coming soon from the EU: Residents of the EU will no longer be required to buy one in order to get one free...

10:54 pm on Jan 30, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ken_b is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 5, 2001
posts:5824
votes: 95


This whole thing confuses me a lot. I've tried to read whatever I could, but I'm still confused. I have 2, ok maybe 3, basic questions; I fear the answer to both is "maybe".

Does this apply to websites outside the EU?

Does this apply only to ecom sites?

Does it apply to an ad supported info site?

8:16 am on Jan 31, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1546
votes: 200


Does this apply to websites outside the EU?
Yes - it affects any website that captures personal data, if that site is served in the EU.

Does this apply only to ecom sites?
No. Any site that captures an IP or drops a cookie will be covered. IANAL, but I would be relatively relaxed* until you start collecting explicit data, such as email addresses.

Does it apply to an ad supported info site?
Yes, if you drop a cookie. You might not need consent for this any more - see my above post (3rd in thread) about "legitimate interests", which covers commercial interests.

As I've said elsewhere, it's not the collecting that is the problem - it's the obligations you then have. Especially the Right to Access, and the Right to Erase.
________
ETA
*Relaxed, because you are likely to receive very few demands on your obligations. And if you did receive a request, you could almost certainly interrogate your own system to present the data. 3rd Party analytics, or remarketing widgets, may present a problem with Right to Erase.

1:05 pm on Jan 31, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1582
votes: 16


We will be making some changes to our website as a result of this, mainly around cookies, the retention of IP addresses, specific privacy policies and others.

2:41 pm on Jan 31, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ken_b is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 5, 2001
posts:5824
votes: 95


Thanks Shaddows

2:17 pm on Feb 3, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Oct 14, 2013
posts:2823
votes: 346


When it comes to EU "stuff" I always go and see what "they" have done to conform since if it's good enough for them then a slight modification, if necessary, is good enough for me:

Cookies, note that they do not use a pop-up check box:

[europa.eu...]

Legal notice, note they do not have Privacy but Personal Data Protection:

[europa.eu...]

On this page there is also a submittal form for enquiries which states "The collection of only email as a means to communicate with the European Commission does not fall under Regulation 45/2001 on processing of personal data." and contains a link to this Regulation, which is a 22-page PDF.

11:39 am on Feb 5, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1546
votes: 200


Regulation 45/2001 is an internal regulation for the EU, and how it handles its own data processing. Unless you are an EU Institution, it has zero bearing on you.

As I say, the cookie popup is deprecated as it is covered by "Legitimate Interests". You just need to talk about it somewhere.

Besides the "legal notice" link, they have a separate link about Analytics [europa.eu]. That is probably more the info you are required to disclose.