Privacy, User Data, and Data Collection Statement

Introduction

Managing a website usually involves more than publishing content and assets (such as images) to the web; you will most likely also be collecting, analyzing, or managing data from your users. Most typically, this data collection comes in the form of contact form submissions, email newsletter sign-ups, site analytics tools, and website cookies.

While these latter forms of data collection are often considered non-invasive and a routine part of day-to-day web browsing, each of them involves some form of tracking a user, and often that data is shared across the various pieces of software and third-party tools that help make the web the integrated place we all love.

On 25 May 2018 the European Union's General Data Protection Regulation (GDPR) became enforceable. Although it protects individuals in the EU, it applies to any organization, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour; since a website is reachable worldwide, we think it wise for everyone to consider new privacy functionality for users moving forward. It is ultimately up to you to decide how far to comply, but we advise at least keeping the points below in mind for daily operations.

What are such privacy protection measures, and how do they relate to services, functionality, and the design of your website?

Privacy Policies

A privacy policy is a statement on your website telling users about your data collection and management practices: what information you gather, why you gather it, and how you use and share it.

Your site’s privacy policy will depend on the services you use to gather and manage data and on your organization’s policy or strategy for using that data. Though we can point you to existing privacy policies of similar organizations or businesses, these legal statements must be drafted, or at least reviewed and approved, by your legal team.

Once the privacy policy has been approved, publish it on your website and make it easy to find, for example via a footer link that appears on every page.

Contact Forms

For full compliance with the GDPR, if you will be storing personal information submitted through a contact form, you must clearly state what you collect, why, and for how long you keep it, and link to your privacy policy from within the form.

Furthermore, you must obtain the user’s consent to that storage through an explicit opt-in (an unchecked checkbox or a functionally similar method; a pre-ticked box does not count), and you should keep a record of when consent was given and which version of the policy it refers to, so that you can demonstrate it later.

Consumer Right to Data and Right to be Forgotten, and Ease of Access

The GDPR requires that you allow all users to access the data you’ve collected about them, and to have all of that data deleted on request. If your site runs WordPress, version 4.9.6 and later provide a simple way to export this data (for sharing with the user) or erase it, under the Tools menu in the dashboard sidebar (Export Personal Data and Erase Personal Data).

Other content management systems or proprietary systems may have different capabilities; please speak to us if this applies to you.

GDPR compliance also requires that users can easily reach you with requests to view or delete the data you hold about them, and that you respond without undue delay (in general within one month of the request). A dedicated contact form or a prominently displayed contact address may be useful here. Before fulfilling such a request, verify that the requester really is the person concerned; otherwise the export itself becomes a way for anyone to obtain someone else’s data.
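As an added illustration of the two sections above (contact-form consent, and access/erasure requests), here is a small Python contact-form backend. It is example code written for this page, not part of WordPress or any plugin; the in-memory store, the policy version string, the field names and the token-delivery step are assumptions, and a real site would persist records in its database and email the verification token to the address on file rather than returning it to the web client.

```python
from __future__ import annotations

import json
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Assumed identifier for the privacy-policy text the visitor is agreeing to.
# Change it whenever the policy changes so old consents can be told apart.
PRIVACY_POLICY_VERSION = "2018-05-25"


class ConsentRequired(Exception):
    """Raised when a submission arrives without valid, current consent."""


class NotVerified(Exception):
    """Raised when a data-subject request lacks a valid verification token."""


def consent_field_html(policy_url: str) -> str:
    """Opt-in checkbox linked to the privacy policy.

    Unchecked by default (a pre-ticked box is not valid consent) and paired
    with the policy version so the server can record exactly what was agreed.
    """
    return (
        f'<input type="hidden" name="policy_version" value="{PRIVACY_POLICY_VERSION}">'
        '<label><input type="checkbox" name="privacy_consent" value="yes" required> '
        "I agree that my details are stored as described in the "
        f'<a href="{policy_url}">privacy policy</a>.</label>'
    )


@dataclass
class Submission:
    email: str
    message: str
    consent_policy_version: str
    consent_at: str  # UTC timestamp: evidence of when consent was given
    source_ip: str


class ContactStore:
    """In-memory stand-in for the database a real form handler would write to."""

    def __init__(self) -> None:
        self._records: list[Submission] = []
        self._tokens: dict[str, str] = {}  # email -> outstanding verification token

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def submit(self, form: dict, source_ip: str) -> Submission:
        # The browser's `required` attribute is advisory only: anyone can POST
        # the form without the checkbox, so consent is re-checked server-side.
        if form.get("privacy_consent") != "yes":
            raise ConsentRequired("storage consent was not given")
        if form.get("policy_version") != PRIVACY_POLICY_VERSION:
            raise ConsentRequired("consent refers to an outdated policy version")
        record = Submission(
            email=self._key(form["email"]),
            message=form["message"],
            consent_policy_version=PRIVACY_POLICY_VERSION,
            consent_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            source_ip=source_ip,
        )
        self._records.append(record)
        return record

    def begin_request(self, email: str) -> str:
        """Start an access/erasure request by issuing a one-time token.

        The application must deliver this token to the address on file (e.g.
        by email); handing it straight back to the web client would let anyone
        who knows an email address pull or wipe that person's data.
        """
        token = secrets.token_urlsafe(16)
        self._tokens[self._key(email)] = token
        return token

    def _verify(self, email: str, token: str) -> str:
        key = self._key(email)
        expected = self._tokens.get(key)
        if expected is None or not secrets.compare_digest(expected.encode(), token.encode()):
            raise NotVerified("invalid or missing verification token")
        del self._tokens[key]  # single use
        return key

    def export(self, email: str, token: str) -> str:
        """Right of access: everything held about the subject, as JSON."""
        key = self._verify(email, token)
        return json.dumps([asdict(r) for r in self._records if r.email == key], indent=2)

    def erase(self, email: str, token: str) -> int:
        """Right to erasure: remove every record for the subject; returns the count removed."""
        key = self._verify(email, token)
        before = len(self._records)
        self._records = [r for r in self._records if r.email != key]
        return before - len(self._records)
```

The server-side check in submit is the important part: the checkbox’s required attribute only constrains well-behaved browsers, and the stored consent timestamp plus policy version are what let you show later that consent was actually given. The one-time token keeps the export and erase operations from being turned against other people’s data.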

Third-party Data Services

Third-party services that collect or manage user data from your site may require additional design or content-management work to comply with US or international data privacy laws. That work is your responsibility.

Many third-party services have already taken steps to build compliance into their products, and they will cover their own legal obligations under the GDPR provided you use their GDPR-compliant features from the start.

MailChimp: Easy Compliance with GDPR Tools

Google Analytics: Data Retention

Data Protection: Security & SSL

Under the GDPR, your organization is obligated to protect personal data with appropriate security measures, both while it is stored and while it is being transferred, whether to a third party or to another part of your own company.

For this reason we strongly recommend serving your entire site over a TLS-encrypted connection (https://), so that form submissions and any other data are encrypted in transit between the visitor’s browser and your server. Redirect plain http:// requests to https:// and send an HTTP Strict-Transport-Security (HSTS) header so that browsers do not fall back to an unencrypted connection. Note that TLS protects data only in transit; the copies stored on your server or with your third-party services still need their own protection.

Further Reading

Here are a few helpful links on recent changes in international data protection law:

The General Data Protection Regulation (GDPR) and Data Protection in the EU

https://eugdprcompliant.com/knowledge-base/

https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/

Disclaimer

As long-time advocates for a privacy-protected web, we are proud to assist with legally advised regulatory compliance through design and technical coding changes. All information above is provided for informational purposes only; we do not provide legal advice, and we disclaim any legal responsibility for inaccurate privacy policy language or for other edits or design directives that may fail to comply with the GDPR or other regulations.