The Australian Government OAIC (Office of the Australian Information Commissioner) has guidance for Australian businesses in relation to the GDPR (General Data Protection Regulation).
The guidelines state that any business offering goods or services in the EU, or collecting information on the behaviour of people in the EU, should adhere to the new regulations.
At Matter Solutions, we are going one step further, and recommend that you take action now as it is highly likely that this kind of legislation will be enacted in other countries in the future.
Google Analytics requires Data Retention settings to be reviewed and implemented by the 25th of May 2018
However, considering there is very little information on the internet other than a whole heap of questions around what a recommended timeframe is (14, 26, 38, 50 months, or no expiration), we are setting our clients’ data retention to the longest expiration option of 50 months, which is just over 4 years.
This is not ideal, since marketers monitor and act on trending data, but the information provided so far indicates that indefinite retention of data is against the GDPR. Like much in the digital arena, there isn’t an official “you can only keep Analytics data for X period of time” yet. If this changes, we recommend changing with it. Consider this article when working out what might be “reasonable”.
The basic concept of the GDPR is that companies that collect data, sensitive or non-sensitive, MUST collect explicit opt-in consent. That covers name, address and phone number, but also includes IP address and cookie info (which covers Google Analytics, etc.), a new addition compared to the old privacy laws that previously covered the digital arena.
Here is some basic advice regarding how to implement opt-in consent:
- Unbundled: Consent requests must be separate from other terms and conditions and consent should not be a precondition of signing up for a service unless it is necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid, instead use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: Give granular options to consent separately for different types of processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
You can find more information here, and additional information about how to implement these changes with user experience in mind:
Further to this, it may get tedious if you have any advertising that requires cookies, such as Retargeting in Facebook and Remarketing in AdWords:
- Anonymize the data before storage and processing begins, or
Let’s hope that UX doesn’t suffer…
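As an added example (not code from the original post or from Matter Solutions), here is a small consent gate that encodes the rules above for Google Analytics: nothing pre-ticked, one box per purpose, the relying third party named, withdrawal as cheap as granting, and the tag only configured with IP anonymization once consent exists. The purpose names, recipients and measurement id are assumptions for illustration.

```javascript
// Added example, not code from the original post. Purpose names, recipients
// and the measurement id are assumptions for illustration.
// Granular + Named: each purpose is consented to separately and names the
// third party that will rely on that consent.
const PURPOSES = {
  analytics:   { recipient: 'Google Analytics' },
  remarketing: { recipient: 'Google Ads Remarketing' },
};

// Active opt-in: nothing is pre-ticked, so every purpose starts as false.
function defaultConsent() {
  const state = {};
  for (const purpose of Object.keys(PURPOSES)) state[purpose] = false;
  return state;
}

// Apply the boxes the user actively ticked. Only explicit booleans count;
// anything missing or malformed stays false (consent is never inferred).
function grantConsent(current, choices) {
  const next = { ...current };
  for (const purpose of Object.keys(PURPOSES)) {
    if (typeof choices[purpose] === 'boolean') next[purpose] = choices[purpose];
  }
  return next;
}

// Easy to withdraw: one call, no extra steps, same effort as granting.
function withdrawConsent(current, purpose) {
  if (!(purpose in PURPOSES)) return current;
  return { ...current, [purpose]: false };
}

// Config for gtag('config', ...) under this consent state. null means no tag,
// no cookie and no hit. anonymize_ip (a gtag.js / Universal Analytics setting)
// truncates the visitor IP before Google stores it.
function analyticsConfig(consent) {
  if (consent.analytics !== true) return null;
  return { anonymize_ip: true };
}

// Only touch gtag when consent exists; returns whether the tag was configured.
function loadAnalytics(consent, measurementId) {
  const cfg = analyticsConfig(consent);
  if (cfg === null) return false;
  if (typeof window !== 'undefined' && typeof window.gtag === 'function') {
    window.gtag('config', measurementId, cfg);
  }
  return true;
}
```

Wire `grantConsent` to the unticked checkboxes in your banner and `withdrawConsent` to a one-click link in the footer or privacy page, and call `loadAnalytics` only after the stored consent state says so.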
If a customer does opt-in, you must protect their data
The business is responsible for the security of the data, no one else can be blamed, no matter how much you want Google to fight the legal battle on your behalf. Sharing collected data with third parties that are not specifically named in your consent opt-in is a huge no-no. I mean, if you didn’t know this already, I’m a little concerned.
The punishments are severe and business ending.
The equivalent of a casual few million dollars for the small guy, and more for the big guys. I have a casual hundred bucks, so I’m like, nearly able to pay the fine, but yeah, I’d rather not.
Matter Solutions recommends having these privacy features added to your website as soon as possible to stay ahead of the curve. If you want to get ahead of the coming legislation, contact us and we will be in touch with a quote to implement for you.