GDPR

I am sure many of you know about GDPR. I have only a very basic understanding, but am primarily interested in knowing what you plan to do about changing your policies to be in compliance.

For example, many here have affiliate sites and while you don't necessarily collect emails or other info, I understand even collecting cookie or IP info will be caught under GDPR.

I'm kind of at a loss to figure out what to do with my privacy policy for such basic sites (no user registration or email capture).
 
Are small companies even going to be targeted for this stuff? I think they'll go after a big fish and fine a few of them to try to scare the crap out of everyone else.
 
My understanding is if you operate outside of the EU then no worries.

I don't know much about it. I've only read what others interpreted, which is sketchy at best. But the consensus was you need to let everyone know about the information you collect and store (including cookies) and be ready for "the right to be forgotten" meaning you need to disconnect any private information from identifying information in your database.

For instance, if a user of a forum requested to be forgotten, you'd need to delete their email address from their account, delete any personal information they posted from the posts and private conversations, and change their username if it's identifiable. Otherwise you can keep their posts (or just change the username to something like Member8219).

For an affiliate site, I think you need a typical privacy policy page that tells exactly which info you collect and store and the means of collecting them. So really nothing other than "some ad agencies will drop cookies on you, take it up with them."

Again, that's just what I gathered from what other people gathered. Don't take it as gospel.
 
I understand if you give EU users a cookie, or even record their IP address, you are captured.
 
They can kiss my crumpet and teabag. I won't be changing anything. What are they going to do, ask Google to stop sending EU traffic to my site bulletproof hosted in CN with my AU registrar and my global CDN with CAR whois privacy that I logged into with a JP VPN from my shared workplace IP in the US? All because I didn't put a site wide banner telling people that Google drops an Adsense cookie on them?

None of that's true but it illustrates the point. They aren't going to be doing much more than waving their virtue banner around unless you're an EU citizen, in which case you'll probably go to jail for a few decades because you didn't have a license for your keyboard.

All it boils down to is being able to delete people's information from your database and making sure they know you collect data. Any software that we use will be rolling out updates or already has to accommodate this mess.
 
My own update on this: I looked around and there are several plugins that can do all this for you - manage consents, requests for info, etc.

Updating my privacy policy is no biggie, but the problem for me is identifying all the cookies.

I have entertainment sites that can place hundreds of cookies via passbacks etc, I am not identifying all those (or even keeping them current would be a mission) nor seeking explicit permission from every user to place them via a pop-up.

Question: can any EU user sue or prosecute you for failing to comply with GDPR, or is it only the EU itself that can take action? If the former, I would be worried about law firms scraping millions of websites that aren't in compliance and suing. If the latter, then no worries, they ain't gonna bother with me.

This almost feels Y2K buggish.
 
The EU and member states can sue you; an individual can also sue you, and not just from within the EU. If an EU law has been broken it is perfectly possible to bring someone outside to justice, but deep pockets are required!
Thanks, I meant in the context of the GDPR only... it talks about fines, which I am assuming can only be levied by a government.
 
Hi All,

Here is my research. Assuming you are

• NOT in EU and
• you are NOT serving EU clients
• or you are not fussed about the EU government (because you're a small time website owner, your market is not in the EU, or you're a naughty blackhat that doesn't care about laws)

then GDPR does NOT affect you.
....
UNLESS YOU CARE ABOUT YOUR DATA.

If you are using Goals, Events, tracking, care about GEO data reports, etc. etc.,
YOU MUST BE ALARMED.


What will happen on the 25th of May is that Google Analytics will AUTOMATICALLY start deleting data that the EU government has deemed to be "private". Most accounts by default will have data older than 26 months set to expire. This does not mean you'll lose everything; rather, if you do not do anything, data before 2016 will be nerfed.

E.g. data before 2016 will be transformed from... to...
192.23.124.23 becomes 192.23.124.--
Event Data (clickdata) becomes deleted

If you are a data analyst, care about conversion or preserving your user data (just in case), then you should be concerned. Why?

Event, IP, Goal and all data metrics that the EU has deemed to be "private information" will be deleted (or altered so that specifics are lost).

What this means is that period by period reports will no longer be accurate, as the data is no longer apples to apples.

This means your data set will be DIRTY (as it is incomplete), making side by side analysis very hard. Geo reporting, event reporting and other reports may be impacted.

So no more comparing "pristine" pre-2016 to 2018 data sets!

My recommendation

Update your Google Analytics settings and set to "Do not automatically expire".

This will exempt you from the auto-deletion and leave your data untouched. How to do this?
  1. Login to analytics.google.com
  2. Click the admin icon in the bottom left
  3. In the middle column ‘Property’ click Tracking Info then Data Retention
  4. Change the User and event data retention from 26 months to "Do not automatically expire"
  5. Leave "Reset on new activity" to ON (it's a good thing)
  6. Click save


In some installations of mine, I see an auto pop-up that looks like this.

Apply the same steps.

After doing this, your data set will not be deleted.

FURTHER RESEARCH (SCIENTIFIC WILD ASS GUESS?)

I do not believe that there are any SEO or Traffic implications. I do not believe that Google will penalize you in any way (aside from deleting your data if you don't update).

LEGALITIES

The only negative that I can see (outside of the data loss) is that should you be operating in an EU territory and do not comply with the GDPR policy (expire data or else!) you'll be breaking EU law.

In short... ACT URGENTLY.

Change the User and event data retention from 26 months to "Do not automatically expire"

Resources used:
https://www.sixfive.com.au/2018/05/...data-on-may-25th-2018-here-is-how-to-stop-it/
https://www.gdprforwordpress.com
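The truncation this post illustrates with 192.23.124.23 becoming 192.23.124.-- is the same data-minimisation step a site owner can apply to its own access logs, and it shows concretely why truncated and untruncated periods stop being "apples to apples". The following is an added example of mine, not the poster's code and not anything Google Analytics ships: it masks the client address on constructed combined-format log lines, zeroing the last IPv4 octet and, as my own generalisation, keeping only the /48 of an IPv6 address, then counts how many distinct clients survive the masking.

```python
import ipaddress
import re
from typing import List

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
192.23.124.23 - - [24/May/2018:10:01:12 +0000] "GET /deals/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.23.124.77 - - [24/May/2018:10:01:40 +0000] "GET /deals/tv HTTP/1.1" 200 8311 "-" "Mozilla/5.0"
2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [24/May/2018:10:02:03 +0000] "GET / HTTP/1.1" 200 912 "-" "curl/7.58"
not-an-ip - - [24/May/2018:10:02:09 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "-"
"""

# The first whitespace-delimited token of a combined-format line is the client address.
_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")


def anonymize_ip(raw: str) -> str:
    """Keep only the network part of an address: /24 for IPv4 (last octet zeroed),
    /48 for IPv6 (an assumed choice; GA's own IPv6 rule is not shown on the page).
    Anything that does not parse as an address is replaced with the log placeholder '-'
    rather than passed through, so junk never leaks into the masked file."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return "-"
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymize_line(line: str) -> str:
    """Replace the client address in one log line, leaving the rest untouched."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    return anonymize_ip(m.group("ip")) + m.group("rest")


def anonymize_log(text: str) -> List[str]:
    """Mask every non-empty line of a log file's text."""
    return [anonymize_line(line) for line in text.splitlines() if line.strip()]


def distinct_clients(lines: List[str]) -> int:
    """Number of distinct client tokens; this is what shrinks after masking,
    which is why a masked period cannot be compared 1:1 with an unmasked one."""
    return len({line.split(" ", 1)[0] for line in lines})


if __name__ == "__main__":
    before = SAMPLE_LOG.splitlines()
    after = anonymize_log(SAMPLE_LOG)
    print("\n".join(after))
    print(f"distinct clients: {distinct_clients(before)} -> {distinct_clients(after)}")
```

Run as a script it prints the masked lines and the drop in distinct clients; in the constructed sample the two 192.23.124.x visitors collapse into one, which is exactly the granularity loss the post is warning about for GA reports. Masking at write time (or in a nightly job over rotated logs) is the usual way to keep IP data out of long-term retention without giving up aggregate traffic reporting.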
 
-- Warning Incoming Rant --

(Europeans cover your eyes and ears - this content is not for you, you are violating my policy if you read further. Again Europeans do not read further otherwise face heavy and hefty fines... This content is geared for non-European users ONLY.)

To be honest I think the EU has lost its mind. It seems to think it controls the world.

Some holes in their theory:

#1 they can levy a 2% fine on global sales of a company - how in the world are they going to find out how much a private mom and pop operation makes in revenue? Whether it's located in Brazil, the USA, Canada, Somalia, or anywhere outside the EU? I can't even find what a company's global revenue is unless they are a publicly traded company. The IRS just doesn't "hand" over tax information on US companies to other government agencies. So what's GDPR left to do outside the EU - come ask "nicely": "Hey mom and pop, how much are you making globally so we can fine you?"

I can only imagine someone from the EU trying to sue "ABC company LLC" from Nevada; The State of Nevada doesn't even know nor require the names of the persons of the corporation to be listed. Or better yet try getting a response from a bank in Antigua and Barbuda on how much money this corporation has in its bank account...

GDPR would only work if the rest of the world was in sync with how Europeans govern their businesses in the same manner - the rest of the world is NOT in sync with Europe, that seems to be a glaring oversight.

We as internet marketers can barely find who the owners of some of these websites are - WHOIS loopholes and other protections put in place make it extremely difficult, so how is an average European citizen or institute going to? That's why it'll only make sense to target large public organizations, and scare everyone else into "complying".

#2 It literally says you have to be seen to be targeting European citizens, meaning you have a language filter for that European country, or a domain TLD targeting that country, or specifically show customers from within Europe using your website, or have marketing channels that are specifically targeting European countries. Okay, wouldn't it be as easy as going into your Privacy Policy or Terms of Service and stating "We do not service European citizens. If you are a European citizen we do not recommend you use our services or buy our product."? So even if a European citizen comes to the website, it specifically states in the TOS that you are not allowed to use the service. If they want to be up in arms about it, well, it's in the TOS. If they go ahead and use it, then they are aware that they are violating the website's TOS.

So you can simply avoid GDPR by not targeting or seeming to target European countries/citizens specifically. If you got a global market campaign, don't display any European flags, etc. Make sure to not translate your site into those European languages, or have content that even talks about Europe - BAM problem solved.

Europe's lost its mind, you need a license for a damn TV over there - their mentality is to fine and tax people to death - somehow that will bring back their old prosperity. Once you start getting into 40-50%+ taxes, the smart people leave and move to countries better suited so they can keep more of their money.



Sauce: INFOGRAPHIC: Denmark pays the most tax in the EU - and Sweden has the world's highest personal income tax rate

You know where most of my new foreign neighbors have 100% come from - Europe (more than 80% from France). You know their reasoning: "Taxes are too high"... If that's not foreshadowing I don't know what is.

The reality is Europe is in decline technologically and power wise. The fastest growing economies in the world are in Africa and Asia. Remember: "Always bet on the future". This is Europe's grasp at being relevant. You can say that their economies aren't growing cause they've matured, but that's a cop-out and ignoring the endless new taxes, fines and whatever they can think of to levy on the world now to pump money into their socialist programs. You can't keep tightening the grip on your citizens with more and more taxes and somehow think they'll start growing. Tech companies starting in the EU are at a severe disadvantage simply due to all the employment laws, business laws, and rules imposed on them (Why Europe failed to match America's tech boom and Why US-based Tech Companies Are Winning over Europe). Even though Europe has the technological infrastructure and wealth to become technology behemoths they are crippled by endless rules and regulations that just end up frustrating entrepreneurs (Example: Spotify, a Swedish company, gave up on Europe and started targeting USA and the UK and started winning).

And now they want to take this experiment to the world... GTFOOH!

The over-zealousness of this GDPR is because internet marketers need new "blog content", and it gives them a new weapon to charge people more money. I am not hating the game, but at the end of the day you have to realize it's a game being played.

What's glaringly obvious is this is just scare mongering; all these articles out here are just a rehash of the GDPR guidelines, which are vague. These internet marketers aren't really telling you HOW to become compliant. But do you want to learn how? "Sign up for our ebook course for $49.99" or "Buy our consulting package so we can guide you."

This is the equivalent of Somalia telling the world that if a Somalian citizen comes to your website you have to have the content translatable to Somali AND Arabic or face global fines of 50%. Pardon? How would Somalia even enforce that?

-- End Rant --

But yeah, you guys should really get GDPR certified along with Somalia authenticated.
 
Is this really the future we want? This is considered "GDPR compliant":



This is how the mobile internet will look from now on:



Sauce: https://www.cookiebot.com/en/

It's like Europe is intentionally trying to destroy the internet here. Imagine that GDPR popup banner on mobile on EVERY SINGLE WEBSITE IN THE WORLD.

This is beyond silly.

This is not the Independence we fought for! This isn't freedom, this is tyranny's last grasp at life before Europe falls into the void of irrelevancy.
 
CCarter,

As one of those pesky Europeans, let me say I do agree with you regarding taxes and general socialist douchebaggery.

I do think Google, Facebook et al. are increasingly hostile political actors and need to be strongly curtailed unless we want to end up in a sci-fi dystopia with megacorps fighting for power with the Eurasian trade union. Which could be cool and all, don't get me wrong. I'd be a shadowrunner (the original is possibly my favorite game ever).

I'm gonna sit tight on this one and wait to see what happens.

What it seems to me now is that it is so far a great money scheme for useless lawyers. I fucking hate accountants and lawyers in Europe, who are goody two shoes and can never give a straight, let alone useful (profitable!) answer. What they can do is bill and sell useless products about this. We have nowhere near the same legal protection and agency as you have in the US. Basically if the gov or taxman wants to fuck you, then they will do so.
 
Right now, the biggest threat is to small to medium companies in Europe.
Sitting outside of Europe, you can probably wait this out.

Also the wording of the whole law is fucking flawed (tbh, I only read the German translation)

"Targeting" EU consumers can be as little as "using a language not used in your country, but in the EU" - live in Turkey, but offer an English translation? bamm, you are it!

The law goes even deeper.

You have to list ALL the "data processing" done in your company and provide a complete list upon request. Even a small shop can have dozens of these.
• Cookies for tracking
• email for the CRM
• Name and address to send invoices to
• payment processing credit cards
• payment processing bank accounts
• etc.
You have to provide all data gathered on a user by request.
You have to delete all data gathered on a specific user by request.

Now these idiots determined that an IP address is already protected data.

At the same time, the deletion of data runs across other laws requiring businesses to keep data - sometimes for years.

All in all, this thing is a big clusterf***.
Talked to a few lawyers and they were all "we'll need a few dozen cases and court decisions to clear this up."
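The two obligations this post lists (hand over everything held on a user on request, delete everything on request) collide with the retention laws it mentions in the line before, and an earlier post in the thread sketched the usual way out for a forum: strip the e-mail, swap the username for something like Member8219, and keep the posts. Below is an added example of mine, not code from any poster or product, that implements both requests over a constructed in-memory forum store. Assumptions of mine: the pseudonym is "Member" plus the numeric account id, and invoices fall under a 10-year statutory retention period (the real period depends on the jurisdiction), so they are kept on legal hold rather than deleted until that window closes.

```python
import copy
import datetime as dt
from typing import Any, Dict

# Constructed sample records for a small forum (not real people, not a real database).
SAMPLE_STORE: Dict[str, Any] = {
    "users": {
        42: {"username": "jane_doe_berlin", "email": "jane@example.com",
             "last_ip": "203.0.113.9", "signup": "2017-03-02"},
        7: {"username": "bob", "email": "bob@example.com",
            "last_ip": "198.51.100.4", "signup": "2016-11-20"},
    },
    "posts": [
        {"id": 1, "user_id": 42, "body": "Found a great deal on that TV."},
        {"id": 2, "user_id": 7, "body": "Thanks, bought one."},
        {"id": 3, "user_id": 42, "body": "Shipping took a week."},
    ],
    "invoices": [
        {"id": 900, "user_id": 42, "name": "Jane Doe",
         "address": "Hauptstr. 1, Berlin", "amount": 19.99, "issued": "2017-04-01"},
        {"id": 901, "user_id": 42, "name": "Jane Doe",
         "address": "Hauptstr. 1, Berlin", "amount": 4.50, "issued": "2008-01-15"},
    ],
}

# Assumed statutory retention for invoices; check the period that applies to you.
INVOICE_RETENTION_YEARS = 10


def fresh_store() -> Dict[str, Any]:
    """Independent copy of the sample data so each run starts from the same state."""
    return copy.deepcopy(SAMPLE_STORE)


def export_subject_data(store: Dict[str, Any], user_id: int) -> Dict[str, Any]:
    """Access request: every record held on one user, grouped by processing purpose
    (account data, forum posts, billing). Each group here is one entry of the
    'list of data processing' the post says you must be able to produce."""
    user = store["users"].get(user_id)
    if user is None:
        raise KeyError(f"no such user {user_id}")
    return {
        "account": dict(user),
        "posts": [dict(p) for p in store["posts"] if p["user_id"] == user_id],
        "invoices": [dict(i) for i in store["invoices"] if i["user_id"] == user_id],
    }


def erase_user(store: Dict[str, Any], user_id: int, today: str) -> Dict[str, Any]:
    """Erasure request. Contact and network data go; the account is pseudonymised so
    the posts stay attributable to *an* author but not to a person; invoices still
    inside the retention window are kept with an explicit legal-hold date, the rest
    are deleted. `today` is an ISO date string, passed in so runs are reproducible.
    Post bodies are not scanned here: personal details a user typed into posts
    need a manual review, which this function cannot do for you."""
    user = store["users"].get(user_id)
    if user is None:
        raise KeyError(f"no such user {user_id}")
    now = dt.date.fromisoformat(today)
    pseudonym = f"Member{user_id}"
    store["users"][user_id] = {"username": pseudonym, "email": None, "last_ip": None,
                               "signup": user["signup"], "erased_on": today}

    cutoff = now.replace(year=now.year - INVOICE_RETENTION_YEARS)
    kept, deleted = [], 0
    for inv in store["invoices"]:
        if inv["user_id"] != user_id:
            kept.append(inv)
            continue
        issued = dt.date.fromisoformat(inv["issued"])
        if issued >= cutoff:
            hold_until = issued.replace(year=issued.year + INVOICE_RETENTION_YEARS)
            kept.append(dict(inv, legal_hold_until=hold_until.isoformat()))
        else:
            deleted += 1
    store["invoices"] = kept

    return {
        "pseudonym": pseudonym,
        "posts_kept": sum(1 for p in store["posts"] if p["user_id"] == user_id),
        "invoices_on_legal_hold": sum(1 for i in kept if i["user_id"] == user_id),
        "invoices_deleted": deleted,
    }


if __name__ == "__main__":
    store = fresh_store()
    print(export_subject_data(store, 42))
    print(erase_user(store, 42, "2018-05-25"))
    print(export_subject_data(store, 42))
```

Running it prints the user's full export, the erasure summary, and a second export that now shows only the pseudonym, the posts and the one invoice on legal hold. Recording `legal_hold_until` on the retained record matters for the second half of the conflict the post describes: it gives a later cleanup job a date after which the invoice can finally be deleted, and it documents why the record still exists if the user asks again.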
 
In my search for a solution, I also came up with solutions such as https://www.cookiebot.com, which in my opinion ensures that almost no one will tick all the boxes.

Which means that I must ensure that affiliate links and embedded content that provide an ip address and / or a cookie are no longer available to these visitors. However, I must provide these visitors with a good working website and I can not send them off my website or ask for money.

Or am I wrong here in terms of affiliate links?
 
Looking at it from a business point of view as a web designer, I've approached most of my clients with a GDPR package for a set fee which makes their sites GDPR compliant. Have made a nice bit of dosh from it as they all wanted it :smile:
 
I agree with @CCarter all of this is just beyond a joke. The ignorance of the EU to how things work abroad and passing off these "laws" under the guise of the panic about Cambridge Analytica is proof that the laws are bullshit.

Then from a personal perspective as someone who loves the world wide web, runs businesses on the internet and wants to see the internet stay the way it is (creative, competitive, free) this disgusts me as well, because this is such a HUGE step back in a lot of ways. It's going to hurt more small businesses than the big ones that actually do dodgy shit, and it's going to harm the iterative improvements that business owners, be it bloggers or SaaS owners are making to their sites, services and products. Then lastly the actual user, I feel like all of this hurts the user ultimately. The UX side that CCarter pointed out alone is enough of a joke.

Time for governments that can't even run their own nations successfully to stop butting into how the internet is run when they probably couldn't even tell you what HTTP stands for.

On a personal note, I'm just updating my privacy policy on my affiliate sites and leaving it at that. Fuck the rest of it.
 
My strategy so far:

• Small popup "we use cookies..."
• Updated privacy policy
Done.
 
It's crazy cause it's pretty obvious not a single human being is going to check the "Marketing" cookie. It's clear as day to anyone with a brain.
 
Looks like some of the big brands are using a popup with a consent button and a "more information" link to take them to a page that controls cookie settings. From there you can opt out of the marketing cookies. To me that seems like work, if these people are willing to work to not be tracked or advertised to I can't imagine retargeting would be that effective on them anyway.

The "not be retained longer than necessary" approach to keeping data over time bothers me. I'm sure as soon as it's gone I'm going to need it.

Anybody have any good solutions for geotargeting in WordPress?
 
This whole GDPR nonsense is a royal pain in the ass, no doubt about it. They may have gone overboard with the application, but I do see the need to control mega-data-houses like Facebook et al.

It's like Europe is intentionally trying to destroy the internet here.

Well, at least Europe hasn't throttled the internet.

EDIT - Also:
I see a ton of technical issues with smaller companies. How are most non-tech savvy people, who just operate their website or small business, even going to know what metadata their hosting collects, what data is transferred, or even worse: how to "fix" it?

If someone asks to be forgotten or asks for full report on their data, how are most people even going to be able to provide that? How many mom and pop shops would even know how to operate Google Analytics to this degree?
 
From someone currently living in Spain: I think it's necessary to force big companies with large amounts of data such as Google & Facebook to offer users clear info on how to manage their data and delete it if they want to. But this GDPR thing is just bullshit.

What I've done is simply set up a cookie & privacy policy banner with an "accept" button and a link to the privacy policy with an e-mail address in case any random user wants to check/delete their info. I've removed every form in my site, leaving only comments. Also removed personalized AdSense ads for European users.

In the end, the same politicians that passed these laws will one day check their favorite newspaper site on their mobile phone, with a fucking huge banner asking them what cookies they want to store, and realize they fucked up.
 
So it begins...

Day 0: Google and Facebook just got sued for GDPR

(Copying & Pasting Whole Article cause of Paywall)

Facebook and Google became the first large tech groups to be accused of breaking the EU's far-reaching new privacy rules that came into force on Friday when an Austrian activist who has already beaten Facebook in a major privacy case filed complaints against them across Europe.
Max Schrems and his non-profit organisation None Of Your Business filed four complaints under the General Data Protection Regulation — one against Facebook, one each against its subsidiaries Instagram and WhatsApp, and another against Google's Android.
Tech groups have been preparing for an onslaught of similar claims under GDPR, new rules that govern how organisations process data on European citizens. Privacy International, a campaign group, is also planning action. Ailidh Callander, its legal officer, said it will write to four data brokers and advertising technology companies asking why they gather certain information and share it with third parties.
Other companies were left scrambling to comply with the data rules even though they had two years to prepare, with uncertainty over the regulations having already triggered a landslide of emails seeking consent for the use of data held on customers.
US news websites owned by the Chicago-based media company Tronc — including the Los Angeles Times, Chicago Tribune and Baltimore Sun — were not available to European readers after the rules came into effect. Some US apps have also withdrawn from the EU.
Under the new regime, companies can face fines of up to 4 per cent of global revenue for ignoring GDPR rules on data gathering. Last year, that would have amounted to $1.6bn for Facebook and $4.4bn for Alphabet, Google's parent company.
Mr Schrems said the fines were "mind-blowing" but he was "astonished" at what he said was companies not even trying to comply with the law. "They totally know that it's going to be a violation, they don't even try to hide it," he told the FT.
Erin Egan, Facebook's chief privacy officer, said the social media giant spent the last 18 months making its privacy policies "clearer, our privacy settings easier to find and introduced better tools for people to access, download and delete their information".
Google said: "We build privacy and security into our products from the very earliest stages and are committed to complying with [GDPR]. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU."
All four of Mr Schrems' complaints challenge the Silicon Valley companies on how they are obtaining consent from users. GDPR requires "informed and specific consent". But Mr Schrems says Google and Facebook require a form of "forced consent" because users have to tick boxes agreeing to privacy policies or completely lose access to services they use.
Companies can rely on different legal methods to collect personal data. They can argue the data are necessary to provide a contract, such as when an ecommerce provider needs to know an address to deliver a package, or they have a "legitimate interest", which balances the companies' need to process the data with the individual's interests, rights and freedoms.
Mr Schrems is known best for bringing down "Safe Harbour", the mechanism used by thousands of companies to transfer data to the US. In a case that began as a complaint against Facebook, the European Court of Justice ruled that mass government surveillance in the US meant the companies using Safe Harbour could not guarantee Europeans' fundamental right to privacy in America.
He is also pursuing a second round of that case against Facebook, which is headed to the ECJ, and another privacy case against Facebook in Austria.
None Of Your Business is helping four users file complaints to different data protection agencies — in Austria, Hamburg, Belgium and France — because, under GDPR, complaints no longer have to be filed in the European country where a company has its headquarters. Previously, complaints often went to the Irish data protection agency because many tech companies are based in Ireland, often because of its low tax rate.
The case against Google was filed in France, where the company was fined €100,000 in 2016 for not complying with the European right to be forgotten. The case against WhatsApp was filed in Hamburg, where the data protection commissioner has already issued an order banning Facebook from sharing data with the messaging app.

Sauce: Activist Max Schrems accuses Facebook and Google of GDPR breach

--

So we've already got a wave of companies/websites simply blocking Europeans from seeing their website... Geez - who would have thought that was going to happen? Some people will be like, "Well, that gives opportunity for European sites?" Well - if that was the case or possible, why were the Europeans going to the US sites in the first place?
 