The European Union's General Data Protection Regulation, or GDPR, is the latest regulation from the EU, and it is forcing business owners around the globe to re-think their beloved website analytics and other website functionality.
Up to this point, collecting all manner of information from web users has been easy, free and incredibly useful for businesses of all sizes. Simply add a small 3rd party script to your website and all kinds of website traffic information is available to you whenever you want to go and look at it. In the process, companies like Google, Facebook, Yahoo, StatCounter and many others were able to collect great gobs of information about where online users spent their time.
Oftentimes website owners would add additional 3rd party scripts to access functionality such as advertising, site search, translations, traffic counters, or use CDNs to off-load hosting costs. Many of these services either surreptitiously or openly collected even more information from web users.
All of that is being forced into the light as the GDPR comes into force on May 25, 2018.
Sell into the EU? Then the GDPR directly affects you!
The new rules basically say that you have to:
- ask EU members' permission before you record anything that might be considered personally identifiable. This includes IP and email addresses, and anything else that might be personally identifiable,
- allow EU members to change their mind and opt in or out,
- provide EU members services even if they opt out,
- provide proof that EU members granted permission upon request,
- honor EU member requests to be forgotten (within reason),
- pay huge fines if you don't,
- pay larger fines if you lose EU member information and can't show due diligence.
Am I affected in Canada selling to my local clients?
That simple and very astute question is answered by an analogy.
Let's say that you own one of two hotels in a neighborhood that is really run down. But you are doing pretty well because you have your regular clients and they know that your service is pretty good. This goes on for a while until one day the owner of the hotel beside you starts cleaning up his place, fixing the plumbing and improving how he treats his customers.
We all instinctively know that the second hotel manager has just raised the bar and that you are going to have to step up or risk losing your customers.
The EU has just significantly raised the bar on how companies are expected to treat their customers and their data. All companies within the EU are directly affected and will have to raise the bar. All companies selling into the EU are directly affected and will have to raise the bar. This likely includes your competition or other companies that your clients may be dealing with.
Your clients are going to notice that your website is still following them around and reporting their every step, and they are going to start asking questions or go away. Most likely they will just quietly go away.
The requirements are nasty and so are the penalties.
So you consider updating your privacy policy and getting users' permission before you turn on the analytics and the other cool features that might creep them out. What would you have to do?
- Well, you will need to create an ugly popup or some other obvious page element that clearly tells your users what you are doing and asks their permission.
- Next you will need to record that permission and save it somewhere safe to ensure you can recover it but also ensure that no hacker can turn it against you. So what information could you possibly record that would be sufficiently unique to that user, hmmmm? That's not going to be a problem.
- Then you will need to provide a way for your users to cancel or possibly later restore their permission.
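The three steps above (ask, record, allow a change of mind), gated so that the third-party script is never loaded before the answer is recorded. This is an added example, not code from the original post or from the project linked below; the storage interface, the policy version string and the helper names are assumptions:

```javascript
// Added example: consent gate for third-party scripts (not from the original post).
// Assumes a storage object with the localStorage interface; falls back to an
// in-memory store so the module also runs outside a browser.
const CONSENT_KEY = "site-consent-v1";
const POLICY_VERSION = "2018-05-25"; // constructed: bump whenever the notice text changes

function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function makeConsent(storage = globalThis.localStorage || memoryStorage()) {
  function read() {
    try {
      const raw = storage.getItem(CONSENT_KEY);
      const rec = raw ? JSON.parse(raw) : null;
      // A record for an older notice does not count as consent to the current one.
      return rec && rec.policyVersion === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null; // tampered or unparsable record is treated as "no answer yet"
    }
  }
  return {
    // Step 2: record the explicit yes/no with notice version and time. The
    // browser copy is the user's; the copy you produce on request lives server-side.
    decide(granted) {
      const rec = { granted: Boolean(granted), policyVersion: POLICY_VERSION,
                    decidedAt: new Date().toISOString() };
      storage.setItem(CONSENT_KEY, JSON.stringify(rec));
      return rec;
    },
    hasConsent() { const r = read(); return Boolean(r && r.granted); },
    record() { return read(); },
    // Step 3: the user changes their mind; removing the record re-shows the notice.
    revoke() { storage.removeItem(CONSENT_KEY); },
    // Step 1's payoff: the loader (e.g. appending a <script> tag) runs only after
    // a recorded "yes"; the site keeps working when it does not run. Returns whether it ran.
    loadIfConsented(loader) {
      if (!this.hasConsent()) return false;
      loader();
      return true;
    },
  };
}
```

In a page you would call `makeConsent().loadIfConsented(() => { /* append the analytics script tag here */ })` and show the notice whenever `record()` returns null.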
Never mind the whole question of allowing users to specify that they want to be forgotten from third party data that you likely have zero control over.
Then you would have to expect that enough users will opt in to your analytics and other functionality to ensure that it will remain useful. Imagine some guy standing at the entrance to a local store asking customers if he can follow them around to track their shopping habits. That's going to go over like a lead balloon.
Most users will simply ignore the cookie notice since they don't want to agree to something they don't completely understand or they will explicitly cancel it.
In case anyone is interested in trying, I found a pretty good project on Git that attempts to implement the requirements. It looks pretty good, but I still have to ask how many people would agree to loading the extra scripts and being followed around:
- Git project
- Demo site where it is implemented.
It's just not worth it!
Whether true or not, the costs and hassle associated with the new rules the GDPR imposes are going to leave many businesses with that same conclusion. It's just not worth it!
- It's not worth the extra development costs,
- It's not worth the ugly addition to my website,
- It's not worth the extra administrative headache,
- It's not worth the legal liability.
Small businesses more than any other succeed when they can keep things simple so that they can focus on their core business.
Simplify
The result is that many companies will respond by simply removing the offending scripts, linking a privacy statement to the page footer, and then moving on.
Below are a few more articles on the GDPR: