Many companies are unaware that their online marketing, web analytics and many of their website widgets will fall under the new European General Data Protection Regulation (GDPR) because they collect web browsing data. Online tracking and profiling of website visitors is very common on corporate websites, but it is technically complicated and therefore often overlooked by many GDPR consultants. Has your company’s Data Protection Officer (DPO) grasped the full extent of the customer profiling that is initiated by your marketing department and external consultants? Are you sure that the third party ad technology vendors you are using don’t sell data from your website in conflict with GDPR? Have you prepared so that your website visitors can give unambiguous consent to your online profiling, and is it really possible to turn the data collection off if the visitors say no? If not, then a lot of work remains. Without managing your online presence correctly, your company could be at risk of huge fines (up to Euro 20 Million) for not complying with GDPR.
A majority of digital advertisers use third party technologies to track their website users and collect personal data such as browsing history, IP addresses, device IDs and so on. Even experienced advertisers are often not aware of what type of personal data they collect, how the data is processed or if the third parties sell or redistribute the data in an unlawful way. Targeted advertising based on personal data is a time bomb and the advertisers must defuse it quickly. To be compliant with GDPR, advertisers need to work out a proper consent process. This requirement is also expected to apply to the extensive use of the Facebook Pixel when advertising on Facebook.
Many site owners use web analytics tools such as Google Analytics for measuring traffic and optimizing web usage. Web analytics involves collecting and analyzing user data for the purpose of understanding your own website. Normally web analytics is perceived to be less intrusive than, for example, targeted advertising, but the analytical tools still track users across pages and sites to provide information about which visitors are recurring, which ones are new, etc. This tracking means that browser data is stored and could potentially end up in the wrong hands, for example through a hacker attack. If you want to be on the safe side, get explicit and informed consent from the end user.
Third Party Widgets
Very often site owners use third party widgets to add popular functionality and serve their web audience better. Think, for example, of Disqus or Facebook for online comments, a Twitter feed for news, Taboola or Outbrain for content recommendations, Mailchimp for newsletters, Google Calendar for bookings and social media buttons for sharing. Many of the third party services store a unique identifier, most often a random number, in the web browser in order to recognize the end user. This identifier is used to create a profile of the user, and profiling is covered by GDPR. In many cases the use of third party widgets will require explicit and informed end user consent.
Conzentio supports your internal and external GDPR teams with specialist services within online data protection. Our customers want to be absolutely confident that their digital presence (websites, campaign sites, mobile apps etc.) is compliant with the GDPR and the future ePrivacy regulation.
We follow a three-step process covering Audit, Strategy and Implementation.
1. Audit of your websites and promotional pages
Our experts map and analyze all third party technologies and answer the questions that are vital for GDPR compliance. We identify the technologies that fall under the GDPR, analyze how well they follow what they claim in their end user agreements and investigate where the data is distributed and if additional consent is needed.
2. Strategy to make your website GDPR compliant
Based on the results from the tech audit and general business conditions, Conzentio provides a strategy to achieve GDPR compliance and to avoid unnecessary impact on the user experience as far as possible. Our experts outline a customer-specific consent collection process where we balance legal, technical and commercial aspects to optimize the performance of the online marketing activities without interfering with data protection law.
3. Get a complete consent process
If the customer needs help to implement the consent collection strategy we are of course ready to assist. We can design, produce and deliver the complete consent process. That includes optimising user experience, producing legal copy in all official EU languages and links to all third party vendors, managing both logged-in and non-logged-in users and producing content for impact assessment (DPIA), technical documentation and manuals for future website maintenance.
Conzentio is a dynamic technology company within data protection and GDPR compliance in the online space. Our mission is to promote a data-driven and personalized web where every internet user controls their personal data. We work together with leading e-commerce companies, media companies and digital advertisers to address the challenges of data protection and privacy. We also support GDPR consultants with expertise and technical auditing. Conzentio is represented in IAB Europe’s GDPR Implementation Working Group.
Christer Ljungberg, Co-Founder & Chairman
Christer is leading strategic development at Conzentio. He is a professional board executive and an entrepreneur with extensive experience from launching and building tech companies on international markets.
Daniel Westman, Head of Legal
Daniel is head of legal at Conzentio. He is an academic researcher and a specialist in ICT law, including data protection, online liability, access to government data and e-commerce.
Our tech team of 15+ developers and other tech professionals is distributed across 11 European countries. The headquarters is located in Stockholm, Sweden.