You may notice that a new Cookie Consent notice appears at the top of your site today. This is a new requirement for compliance with GDPR, and we've added it to try to help your site be compliant.
As of May 25, 2018, websites that process Personally Identifying Information of European residents need to be compliant with the new GDPR rules (General Data Protection Regulation). There is still a lot of confusion (and hysteria) around the exact scope of this law. But over the coming weeks and months we will likely see the European Union audit larger sites, issue fines, or perhaps graciously notify them how to fix mistakes if there was good faith. There will likely be court cases that challenge parts of the law (in Europe and in the U.S., where the EU has complicated authority to enforce its law against U.S. companies that don't do business in the EU). The scope and best practices will be clarified, and we will need to make adjustments as necessary.
But the general consensus at this time is that every website around the world needs to be compliant if it has European visitors (because even logging IP addresses in your server logs has to be protected).
You may take this self-evaluation checklist to see if you are compliant, but we recommend you speak with a lawyer to understand exactly how the rules apply to you and make plans to be compliant.
WHAT IS GDPR?
GDPR is a complex set of European laws that govern how you gather, get consent for, use, share, and protect personal information. These are honestly good "best practices" for respectfully treating your visitors and customers (e.g. do not share personal data without consent). Compliance with these rules also provides businesses with additional legal protection (e.g. you should have a Privacy Policy and be doing most of this already anyway). The U.S. has a patchwork of many similar state laws already, and may add its own federal rules soon as well, so it is good to get compliant now. The GDPR requirements are complex, but some of the main requirements are listed below (NOT EXHAUSTIVE).
REQUIREMENTS FOR YOUR ORGANIZATION
• Notify Authorities of Data Breach within 72 hours.
• Privacy Policy. Provide a link to GDPR compliant Privacy Policy
• Cookie Consent Notification: Enable a cookie consent banner at the top of the site, which describes how cookies are used and gives users the option to opt out.
• Data Usage Consent and Audit Trail: On all forms that collect data, there must be a clear statement about what the information will be used for and with whom (if anyone) it will be shared.
RIGHTS OF THE VISITOR
• Right to be Forgotten: When requested, you will delete all of the user's data.
• Data Portability: When requested, you will provide a file with all of the user's data.
• Access: When requested, you will describe how data is stored and what third parties it is shared with.
• Rectification: When requested, you will correct the user's data.
STEPS TAKEN
Updated Gutensite Privacy Policy. Gutensite has always protected your data in compliance with industry best practices and so we don't need to change our practices for GDPR, but we have updated our privacy policy to define key terms, and add language describing how we comply with GDPR.
Updated Default Privacy Policy. Your website comes with a default privacy policy (which you may not have activated), which should be customized by you and your lawyer to properly describe how you collect, store, use and protect your users' data. We've updated the default policy, but you should also review this privacy policy, customize it for your needs and activate it.
See our article about how to customize a Privacy Policy and Terms of Service.
Cookie Notification. GDPR compliant websites must notify visitors of the use of browser "cookies" (small files that store preferences and track activity of the user), and must give visitors the option to accept or decline. The default cookies on your website are key to the functionality of your website because they store "session" information. But if you use third party widgets (e.g. Google Analytics, Google Maps, MLS properties with tracking, etc) you will need to provide clear language notifying users of the cookies you use and how the data is protected or shared.
For safety, we have enabled this for all sites. But you can disable it in your Site Info if you need to.
ACTION ITEMS FOR YOU
• Self-Assessment. Take the GDPR self-assessment and then talk to a lawyer if you are concerned about compliance.
• Review Processes. Review your internal data handling processes and make sure they are compliant with GDPR and general best practices for protecting users' data.
Note: Even if you think GDPR doesn't apply to you, every website is legally required to have an accurate Privacy Policy that informs your visitors what information you collect and how you use that data. You should also have a Terms of Service agreement if you sell products or services. We provide default pages with generic policies that you can use when you first create your website, but you should consult a lawyer to help you customize these for your business. See our article about how to Write a Privacy Policy and Terms of Service.
—Allan A. Cease
Attorney, Sugar Land, TX