So if you've been keeping up with that bad habit called news reading, you'll see that people are FREAKING OUT about online privacy. The latest version of this is the EU General Data Protection Regulation (GDPR) coming into force on May 25th, 2018. It's got some real weight behind it too with the ability to impose a fine of €20million or 4 percent of annual worldwide turnover, whichever is higher. You might be wondering whether legislation like this would affect your business. Well, it covers:
- Organisations residing within the EU
- Organisation providing goods and services to EU citizens regardless of location
- Organisations processing and holding the personal data of citizens residing in EU regardless of location - See the GDPR FAQ on what constitutes personal data
It's a wide net with a big stick at the end of it. It's likely if you're not affected directly, you'll know a company or organisation that is. You might work with EU citizens, or sell goods/services to the EU, perhaps a client in New Zealand has links with EU companies. After a lot of discussion and research at Insight, we figured that we'd want to comply with the regulations for the following reasons:
- It's probably a good thing that we're more transparent about how we use people's data
- We want to be able to advise clients as much as we can - although we are definitely not lawyers
- It's likely that following the EU, New Zealand will follow suit with similar legislation
- It's not that difficult to comply
This post will cover:
- What we need to comply with New Zealand privacy law
- What we need to comply with the privacy-related terms and conditions of common online tools - like Google Analytics and Google Ads Remarketing
- What we need to take to comply with the GDPR
- Insight Online privacy policy as a result of the first three - which we'll get checked by our lawyers
Remember again, we're not lawyers, but maybe by reading our experience you can help your organisation comply with the law and become more transparent, at a time where privacy is a BIG issue.
Complying with New Zealand privacy law
First question: Do we have a privacy policy? Yes. (Phew)It's a bit archaic but it's there and it seems to comply with the laws in New Zealand. Here's our old policy wording - Insight Online Privacy Policy I thought it was a bit stale so I went to the NZ privacy website and used their privacy statement generator. This tool is awesome. And it allowed me get a real grasp of what was required from us as an organisation. From the tool, here are the requirements for New Zealand privacy law:
- Personal information | What types of information do we collect? e.g. name, phone number, emails
- Collection | How do we collect the information? E.g. Asking people, filling in a contact form
- Applicable Laws | Any legal requirements for collecting this information. This didn't apply to us but maybe if you're selling firearms, it'd be a good idea to get that gun license
- Purpose | Why you collect the information. You need to have a defined purpose here. If you can't tell people why, best not to collect it.
- Sharing | Who you share the information with and why
- Contact information | Insight's contact information so people can view or correct their information
- Optional Info | Letting people know they have a choice in providing information but advising what we might not be able to do as a result
- Security | How you store the personal information and who you allow to access it
- Retention | How long do you keep people's personal information for and when do you delete it?
It seems like a lot but the privacy policy that came out of this was pretty short. About 200 words. Once I went through the tool and wrapped my head around it. It all seemed pretty reasonable. If someone is collection information about me, I'd like to know all those things.
Complying with the terms & conditions for online tools
Next step. Insight, along with all our clients, uses Google Analytics and we also build remarketing lists (lists of IP addresses of people who have been to our website before). We use Google Analytics to try and make better decisions on how to get our website to better serve our market and we use remarketing lists for, well, advertising. We are a search marketing agency? So what are the additional requirements that these tools require?
Google Analytics - Standard Tracking
- You have to have a privacy policy on your website - Boom. Covered.
- You have to tell people you're using Google Analytics and how it collects and processes data - This sounds pretty familiar
- Your reasons for collecting this data - Familiar
- Give users the ability to opt out of having cookies placed for Google Analytics - Sweet
Google Analytics - Advertising Features
- Remarketing with Google Analytics
- Google Display Network Impression Reporting
- Google Analytics Demographics & Interest Reporting
- Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers
All the stuff above, plus:
- Which of those features we've implemented
- How we're using the information and, if relevant, how we're combining the information to use (Some of these features use a combination of cookies and other third party identifiers to come up with brand new information that wasn't originally provided - but it can be worked out)
- How people can opt out and giving them the links
Google Ads - Remarketing
All the stuff above, plus:
- Your privacy policy should state that you use cookies to track users who visit your website and then may display ads to them when they are on other websites through the use of Google Analytics & Google Ads
Thinking harder & being more transparent
So I was mulling over this last night as all these privacy statements and legal documents were in my head. And a few points have become clear. Half of privacy seems to be about the information that you willingly and knowingly give. Things like your email when you sign up to a blog or your name and phone number when you're filling out a payment form. The other half, the half which the GDPR is really coming down on, is about what information you may unwittingly give and how that might combine with other pieces of information about you, say from that contact form you submitted or another database like Google, to give far more information about yourself that you ever intended. As an online marketer, we use this information every day often without thinking about how it's collected or assembled. And I don't think we've been as transparent as we could be to our stakeholders. This brings us in conflict with our values. Particularly:
- We are honest with each other and with our stakeholders
- We represent ourselves in a genuine way
So now, I think, I'm going to include an entirely separate section in our privacy policy for that type of information: online usage of website, use of Google's tools, which I hope will make it more transparent for our website visitors. We're also going to start advising our clients on what they should be looking at.
Complying with the GDPR
Ok, extra for experts time. The GDPR puts into place more stringent requirements on how we treat personal information putting emphasis on transparency (what we collect), clarity (making it easy for people to understand) and accessibility (making it as easy to delete data as give it, easy to update, change).It seems to build on what we have in New Zealand's privacy law. So I've copied down the above and made additional notes if needed. I have to say that I think New Zealand law does a pretty good job of covering most of the main points that make up the GDPR.
Main points of NZ Privacy Law
- Personal information | What information do we collect? E.g. name, phone number, emails
• We need to provide more detail on what we collect - Collection | How do we collect the information? E.g. Asking people, filling in a contact form
• Providing more detail on how data was collected – Specifically, was there user consent. More detail under purpose. - Applicable Laws | Any legal requirements for collecting this information. I don’t think this affected us but maybe if you’re selling firearms, it’d be a good idea to get that gun license
- Purpose | Why you collect the information. You need to have a defined purpose here. If you can’t tell people why, best not to collect it.
• GDPR goes much further in saying that you must have a legal basis for collecting this information and that legal basis should be outlined in the privacy policy.
• The most common legal basis is user consent. The express consent of your users to collect and record their data and have the means to document and prove that consent.
• User consent must be actively given, usually by means of a checkbox or clicked agreement. - Sharing | Who you share the information with and why
- Contact information | Insight’s contact information so people can view or correct their information
• This is a major thing that the GDPR focuses on which comes under accessibility and individual rights that people have to their data. The point over and above informing people about their data, accessing and correcting their information that NZ law covers are:
• Right to data erasure – People can request any data we hold about them to be deleted unless required to be kept by another legal requirement - Optional Info | Letting people know they have a choice in providing information but advising what we might not be able to do as a result
• We also have to let people know how they can opt out and make it as clear and as easy as opting in - Security | How you store the personal information and who you allow to access it
• GDPR states that additionally, any changes you make to your privacy policy needs to be communicated in a timely manner and advise people in your policy
• Any data breaches need to be reported to the authorities within 72 hours from when you find out and have this in your policy
• Any individual that has access to all this data should also be trained in the currently applicable laws, know what our (Insight’s) privacy practices are and how to process, record and maintain security for the data that we have - Retention | How long do you keep people’s personal information for and when do you delete it?
• The new thing here will be that Google Analytics has put in place new functionality on Google Analytics that allows us to comply with this. Essentially, it’s a data recording setting that allows us to tell Analytics how long we want to keep anonymised user and event data for.
• For consistency across all data in Insight, I want to keep records for four years (50 months) after which data will be deleted.
References