Lots of interesting discussion sparked by my last post on the new EU privacy law, so I thought it worthwhile to follow up and clarify a few points that were raised:
- The new EU law came into effect on 25th May and is applicable to all EU member countries – right now
- It's up to the individual member states to enforce the law in their countries
- As a website owner, you need to obey the law in the country/countries you operate from. So if you have an office in the UK and France, you need to comply with both UK and FR law – hopefully these will be very similar. Hosting your website in Barbados does not change this…
- The law is applicable to all websites – commercial and non-commercial.
- The reality is that no one (the regulatory bodies for each EU country) is ready yet and so more thought and discussion is going on – so people are not going to be prosecuted just yet.
- The UK have announced a 12 month grace period to allow site owners to sort themselves out. That means time for you to understand the new privacy law, audit your website for tracking capabilities (such as cookie collection), and adjust your site accordingly. That means changing what information is collected, how it is collected, and how the practice is communicated to the visitor.
- The law is there to protect visitor privacy – that means no 3rd party techniques (sharing information with other organisations) and no personal information such as name, email address etc. being collected, UNLESS the explicit consent of the individual is given.
- The wording of the law is *not* technology specific. That is, although we discuss this in terms of cookies, as all the major web analytics vendors use these for visitor tracking, this law still applies should an alternative technology be developed.
As you read the above list, you realise the difficulty for the authorities, such as the UK’s ICO, who are trying to word this in a legal or even guideline document. Behavioural targeting and the abuse of private information is what this law is about – and I am happy that it's here. The people who work at the ICO and other authorities are smart people who work in the digital world as much as we do. Benign, anonymous, aggregate reports – such as those provided by GA – are not the target of this law.
What you should do as a website owner
Don’t panic. Follow point 6 now and get a full understanding of what information you are collecting. Ensure your privacy statement is up to date and accurate – keep it simple, not full of legal jargon. There is an example privacy statement in my book, Chapter 3. Funnily enough this was the ICO’s original privacy statement (they have been using GA since 2006).
If you wish to perform behavioural targeting or collect personal information, then get explicit consent from your visitors. If your audit reveals you are benignly tracking visitors anonymously and in aggregate (as per Google Analytics), then you are going to be fine*.
*You must complete an audit in order to show this – that's the ICO guidance and I agree. Simply saying “we use GA so we are fine” is not good enough. I just worked with a Google Analytics client today and discovered they were inadvertently collecting visitor email addresses (it came from the confirmation link sent out for an opt-in subscription).
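The confirmation-link case above is a good one to build an audit check around: an email address ends up in a query string or path, and the analytics tag reports it as part of the page URL. The script below is an added example, not code from the post or from any analytics vendor; the sample page paths are constructed, and the `find_emails`/`redact`/`audit` helpers are my own names. It flags the offending paths and shows the path as it should look before it is handed to the tag.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Matches the common shape of an email address; deliberately simple for an audit pass.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of page paths as an analytics tag would report them (not real data).
SAMPLE_HITS = [
    "/confirm?token=abc123&email=jane.doe%40example.org",  # opt-in confirmation link
    "/newsletter/thanks?user=bob%40example.com&src=email",
    "/products?id=42&ref=spring",                           # clean page
    "/account/jane.doe@example.org/settings",               # address in the path itself
]

def find_emails(page_path):
    """Return a list of (location, value) for every email address in the path or query."""
    parts = urlsplit(page_path)
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value):  # parse_qsl has already decoded %40 back to @
            hits.append(("query:" + key, value))
    for segment in parts.path.split("/"):
        if EMAIL_RE.search(segment):
            hits.append(("path", segment))
    return hits

def redact(page_path, marker="REDACTED"):
    """Return the page path with any email-bearing query value or path segment replaced.

    Apply this before the path reaches the analytics tag, so the address is never sent.
    """
    parts = urlsplit(page_path)
    query = urlencode([(k, marker if EMAIL_RE.search(v) else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    path = "/".join(marker if EMAIL_RE.search(seg) else seg
                    for seg in parts.path.split("/"))
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def audit(page_paths):
    """Map each offending page path to the addresses it leaks; clean paths are omitted."""
    return {p: find_emails(p) for p in page_paths if find_emails(p)}

if __name__ == "__main__":
    for path, leaks in audit(SAMPLE_HITS).items():
        print(path, "->", leaks, "| cleaned:", redact(path))
```

The same pass can be run over an export of your top page reports; any row the audit flags is personal data you are already collecting and need either consent for or a fix like `redact` in front of the tag.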
As always, please add your thoughts with a comment.