Does the GDPR Affect My Website?


General data protection regulation and websites affected in the European Union.

The EU General Data Protection Regulations (GDPR) come into effect on 25 May 2018.

Technically, these regulations only apply to EU companies and EU citizens, but many Australian businesses interact with EU-based users, and so these regulations will apply to them.

Aside from the legality of whether Australian businesses are directly impacted by the GDPR, these regulations are being touted as "best practice" and hence many of the recommendations are worth actioning.

Online Forms

It is very common for online forms to ask for personal details. Where online forms ask for personal data they should:

  • Use an explicit opt-in or consent where data is to be collected. This can be in the form of a check-box stating "I consent to the collection of data in accordance with the Privacy Policy". This acceptance must not be a default; users must click to consent.

  • The Privacy Policy must be available and easy to access from the online form

  • Where the information collected may be used for multiple purposes, use explicit opt-in for all separate uses of data

  • Make it easy for users to opt-out at a later time.

Privacy Policy

All websites should have a Privacy Policy that is easily available. It should include:

  • Clear and simple language that avoids jargon

  • References to GDPR terminology - you may need legal advice to assist with the best wording

  • Explicit details about how long personal data is retained

  • Explicit reference to any third-parties that will have access to the personal data, why, and what they will do with it

  • For eCommerce websites, a clear description of how long personal data relating to purchases will be retained. The GDPR states that personal data can only be retained for a “Reasonable Period” which should be defined in the Privacy Policy.

Tracking Software and Cookies

Marketing tools and website analytics software can be valuable for assessing the effectiveness of a website. The GDPR issues are:

  • Use of anonymous data is OK; this includes Google Analytics or similar (anonymous) assessment software

  • If tracking software is used - such as links to CRM or advertising tools - then users should be given the ability to opt-out or consent. As with other forms of consent, the user should also have the ability to revoke consent (or grant consent) at a later stage.

There are website extensions available that allow users to view and consent to (or revoke consent for) the use of tracking cookies on a website. If you believe that this is relevant to your website then please contact us for further guidance.
Category: Experiences