Privacy & GDPR | How it affected us at Insight
*Important note: We’re not lawyers, and none of the following is intended to be legal advice. Discuss these issues with your legal advisers before taking any action.
If you’ve been keeping up with that bad habit called ‘news reading’ lately, you’ll have noticed people everywhere freaking out about online privacy. The latest wave of privacy legislation is being rolled out in the form of the European General Data Protection Regulation (GDPR). It comes into force on May 25th, 2018. Are you ready?
The GDPR carries some serious weight. It has the ability to impose a fine of €20 million or 4 percent of annual worldwide turnover, whichever is higher (gulp!).
If you’re wondering whether this new legislation will affect your business, it covers:
- Organisations established within the EU, wherever the actual processing takes place.
- Organisations outside the EU that offer goods or services to people in the EU, whether or not payment is involved.
- Organisations outside the EU that monitor the behaviour of people in the EU, for example through analytics and advertising cookies. Note that the test is whether the person is in the EU, not their citizenship. See the GDPR FAQ on what constitutes personal data.
So, it’s a pretty wide net (with a big stick at the end of it). If you’re not affected directly, chances are you’ll know a company or organisation that is. You might work with EU citizens, or sell goods/services to the EU. Or, perhaps a client in New Zealand has links with EU companies.
After a lot of discussion and research at Insight, we figured that we wanted to try and comply with these new regulations for the following reasons:
- It’s a good thing that we’re becoming more transparent about how we use people’s data.
- We want to be able to give our clients the best advice we can – although we are definitely not lawyers.
- It’s likely that New Zealand will follow suit with similar legislation to the GDPR.
In this post we’ll look at:
- What we’ve done to comply with New Zealand privacy law.
- What we’ve done to comply with the privacy-related terms and conditions of tools like Google Analytics and Google Adwords Remarketing.
- Data transparency at Insight.
- Compliance with the GDPR
Online privacy is a huge issue. In the wake of the Facebook debacle, it’s now even more important that people know exactly what companies are doing with their personal data.
*Our lawyer didn’t feel comfortable commenting on a new EU law, particularly since it would likely be based on other EU laws. It would have involved learning another legal system. We were going to attempt to draw up an EU compliant policy but this isn’t currently possible for us. However, after some debate, we still think that there’s value in posting this article and starting the discussion.
What we’ve done to comply with New Zealand privacy law
I thought our policy felt a bit stale so I went to the NZ privacy website and used their privacy statement generator. It’s an awesome tool, and it allowed me to get a good grasp on what was required from us as an organisation.
Here are the requirements that must be covered on a website to comply with the New Zealand privacy law:
- Personal information. What types of information are collected, e.g. name, phone number, emails.
- Collection. How the information is collected, e.g. asking people or filling in a contact form.
- Applicable laws. Any legal requirements for collecting this information. This didn’t apply to us, but maybe if you’re selling firearms it’d be a good idea to get that gun license…
- Purpose. Why information is collected. You need to have a defined purpose here. If you can’t tell people why you need their information, it’s best not to collect it.
- Sharing. Who the information is shared with and why.
- Contact information. Company contact information so people can view or correct their own personal information.
- Optional information. Letting people know they have a choice in providing their information, but also advising them that they might not get the best service available to them if they decline.
- Security. How personal information is stored and who is allowed to access it.
- Retention. How long people’s personal information is stored for and when is it deleted.
Insight (along with all our clients) uses Google Analytics. We use Google Analytics to make informed decisions on how to get our website to better serve our market. We also build remarketing lists (audiences of people who have been to our website before, identified by the cookies and advertising identifiers in their browsers rather than by name). We use these remarketing lists for…well…advertising. We are a search marketing agency 😛
We need to address user privacy related to these online tools, including disclosure about:
Google Analytics – Standard Tracking
- We have to tell people we’re using Google Analytics and how it collects and processes their data.
- Our reasons for collecting this data.
- We must give users the ability to opt out of having cookies placed in their browsers for Google Analytics.
Google Analytics – Advertising Features
- Remarketing with Google Analytics.
- Google Display Network Impression Reporting.
- Google Analytics Demographics and Interest Reporting.
- Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers.
We need to address all the stuff above, plus tell users:
- Which of these features we’ve implemented.
- How we’re using the information and, if relevant, how we’re combining the information and using it. Some of these features use a combination of cookies and other third party identifiers to come up with brand new information that wasn’t originally provided but can be worked out.
- How they can opt out and giving them the links to do so.
Google Adwords – Remarketing
We need to cover all the above points, plus:
Data transparency at Insight
I was mulling this over last night as privacy statements and legal documents were drifting around in my head. A few points became clear. Half of the privacy issue seems to be about information that you willingly and knowingly give. Things like your email when you sign up for a blog, or your name and phone number when you’re filling out a payment form.
The other half, which the GDPR are really coming down on, is about the information you may unwittingly give. This might combine with other pieces of information about you (say from that contact form you submitted or another database) to give far more information about yourself than you intended.
As online marketers, we use this information every day. We often don’t think about how it’s collected or assembled. I don’t feel we’ve been as transparent as we could be to our stakeholders. This puts us in conflict with our values, in particular:
- That we are honest with each other and with our stakeholders.
- That we represent ourselves in a genuine way.
Compliance with the GDPR
Okay, extra for experts time! The GDPR puts into place more stringent requirements on how we treat personal information. It places emphasis on transparency (what we collect), clarity (making it easy for people to understand) and accessibility (making it as easy to delete data as to give it and making it easy to update or change).
The GDPR looks to build on what we have in New Zealand’s privacy law. I have to say that I think our legislation does a pretty good job of covering most of the main points, but the GDPR takes a more in-depth stance around consent.
How the GDPR will expand on the main points of New Zealand’s privacy law:
- Personal information. We need to provide users with more details about what we collect.
- Collection. We need to provide more details on how data was collected. Specifically, was there user consent? See more details under the Purpose section.
- Applicable laws. Any specific legal requirements for collecting user information.
- Sharing. Who we share the information with and why.
- Contact information. We must provide contact information so people can view or correct their own information. This is a major point that the GDPR focuses on. It covers the accessibility and individual rights that people have to their data. It also covers the right to data erasure. People can request that any data held about them be deleted unless it’s required to be kept under another legal requirement.
- Optional information. We must let people know they have a choice in providing information, but advise them they might not get optimal service if they opt out. We also have to let people know how they can opt out and make it as clear and as easy as it was to opt in.
- Retention. The new thing here is that Google Analytics has put in place a functionality to enable compliance. Essentially, it’s a data retention setting that tells Analytics how long to keep user-level and event-level data (the data tied to individual cookies and identifiers) before it is automatically deleted; aggregated reports are not affected by it. For consistency across all data in Insight, we want to keep records for four years, so we use the 50-month option, which is the closest setting Analytics offers, after which the data will be deleted.
Last updated: 21/05/2018
Who is Insight Online?
Insight Online Limited is a search marketing agency based in Auckland, New Zealand. We are a registered New Zealand Limited Company. Our company number is: 1875912. Our NZBN number is: 9429033807966.
What information do we collect about you?
We may collect personal information from you, including information about your:
- Contact information (name, phone number, email).
- Work information (job title, company, location).
- Online/digital information through Google Analytics (pages viewed, blogs read, mobile/computer, contact form submissions). More about online information is below.
- Offline interactions with us (meeting notes, call recordings).
- Billing information (address for service, legal company name).
Providing personal information is optional, but if you choose not to enter personal information, we may be unable to:
- Respond to your queries regarding our services.
- Customise our website to suit your browser or device.
- Tailor our marketing to suit your preferences.
How do we collect this information?
Personal information is collected on our website through four methods.
- Filling in an online form such as a contact form or lead generation form to download our content.
- Emailing us from email addresses found on our website.
- Calling us from numbers found on our website. This will result in your call being recorded.
- From cookies put in place by our marketing tools. More information about using cookies is included below.
Why do we collect this information?
We collect your personal information:
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
- To provide you with information, products or services that you request from us.
- To carry out our obligations arising from any contracts entered into between you and us (like payments).
- To notify you about changes to our service.
- To carry out advertising and marketing campaigns, offline or online.
Who do we share your information with and why?
We will not share your information with third parties except:
- as required by law,
- as necessary to protect the Company’s interests,
- with service providers acting on our behalf who have agreed in writing to protect the confidentiality of the data, or
- in instances that you permit OR in accordance with your consent
We have contracted with third parties that meet industry security standards to take in necessary data, such as credit card information, and to store, transmit and process that transaction securely.
- We’ll NEVER sell your personal information to another organisation for marketing or advertising purposes
What online/digital information do we collect through our marketing tools?
On our website, we have a number of online marketing tools that use a combination of cookies to track what you do on our website and other online interactions. These include:
- Content Management Systems (WordPress and Hubspot). When you fill in forms on our website to download case studies, white papers, e-books or contact us, you may be recorded in WordPress or Hubspot. As a result, we may be able to track your browser activity and link it back to your user profile.
- Google Analytics and Google Adwords Remarketing. These let us build an anonymous list of visitors who have been to our website before. As a result, we can serve you our ads on other websites you’re looking at.
- Google Display Network Impression Reporting. This tells us if you’ve seen one of our Google Display ads and then came back to our website another way. This helps us with attributing conversion actions on the website.
- Google Analytics Demographics and Interest Reporting. Tells us your age, gender, potential interests, what you’ve been looking for online.
- Call Tracking Metrics. A tool that we use to determine which online marketing channels are generating calls. This tool also records calls.
- Integrated services. This is a fancy way of saying how these tools can combine and analyse all the data above to help us (as advertisers) target more specifically.
For example, with the functionality listed above, we could potentially target an audience that was male, in their 40’s and had visited our website before. We could also see how this group reacts after seeing a display ad on a website and whether it leads to a download or a phone call.
This information is pseudonymous rather than truly anonymous. We won’t know your name or address, but it is tied to cookie and advertising identifiers, which the GDPR treats as personal data. We can see a virtual “you”, and this combination of data might be more than you intended to give.
Why do we collect this online/digital information through these tools?
The data collected above is primarily used for research and advertising purposes.
Google Analytics is a tool that we use to analyse visitor behaviour on a website. We analyse what people are doing and we guess why they are doing it. So, over time, changes to the website might be made as a result of that analysis. For example, we see people aren’t filling in our contact form, so we highlight more benefits of working with us or we make the contact form shorter.
The other major reason for collecting this data is for marketing and advertising purposes. We might show you ads, primarily through the use of the Google Adwords platform (but also through email marketing from Hubspot). We may also use the data to help optimise our websites for search engines (SEO).
How do we control this online/digital information that we’ve been given?
We want to make it clear that you don’t have to give us this information. There are a number of ways to control the cookies in your web browser:
- You can choose not to accept cookies, but please be aware that services you request may not be available because of this. If you delete your cookies or clear your cache, you may be asked to give your consent again. This is because a cookie is usually used to remember the choice you made the first time.
- If you wish to prevent cookies being set before you visit this website (or most other websites) you can set your browser to block cookies. Most browsers allow you to do this in their settings.
- Otherwise, the cookies our tools set in your browser are refreshed each time you visit our website, according to the expiry and update rules of each tool.
- If you would like to know more about cookies, please visit the ICO website
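The opt-out requirement above (no analytics cookies unless the visitor agrees) is easiest to meet by not loading the Google Analytics tag at all until consent has been recorded. Below is an added example of that consent gate; it is not Insight’s code or Google’s. The consent cookie name `insight_consent` and the property ID `UA-XXXXXX-Y` are placeholders I chose; the `window['ga-disable-<PROPERTY_ID>']` flag is Google’s documented opt-out for analytics.js and must be set before the tracker runs.

```javascript
// Added example (not from the original post): load Google Analytics only
// after the visitor has consented, and honour the documented opt-out flag.
// Assumptions: a first-party cookie named "insight_consent" (hypothetical
// name) holds "analytics=1" or "analytics=0"; "UA-XXXXXX-Y" is a placeholder.

const CONSENT_COOKIE = 'insight_consent';
const GA_PROPERTY_ID = 'UA-XXXXXX-Y';
const GA_SCRIPT_URL = 'https://www.google-analytics.com/analytics.js';

// Parse a document.cookie style string ("a=1; b=2") into an object.
// Malformed pairs and bad percent-encoding are skipped rather than thrown.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(value);
    } catch (e) {
      // leave a cookie with broken encoding out entirely
    }
  }
  return out;
}

// Returns 'granted', 'denied' or 'unknown'. A missing cookie is 'unknown',
// which is treated exactly like 'denied' when deciding whether to track.
function analyticsConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (raw === undefined) return 'unknown';
  const fields = parseCookies(raw.replace(/&/g, ';')); // "analytics=1&ads=0"
  if (fields.analytics === '1') return 'granted';
  if (fields.analytics === '0') return 'denied';
  return 'unknown';
}

// Record the script injection; in a real browser this appends <script async>.
// The DOM calls are skipped when no document is present so the example runs
// under Node as well.
function loadScript(win, src) {
  win.__injected = (win.__injected || []).concat(src);
  if (win.document && typeof win.document.createElement === 'function') {
    const s = win.document.createElement('script');
    s.async = true;
    s.src = src;
    win.document.head.appendChild(s);
  }
}

// Apply the policy to a window object: set the ga-disable flag first (so no
// tracker that might already be queued can send hits) and only inject the
// tag when consent is explicitly 'granted'. No tag means no _ga cookies.
function applyAnalyticsPolicy(win, cookieHeader) {
  const decision = analyticsConsent(cookieHeader);
  const disableKey = 'ga-disable-' + GA_PROPERTY_ID;
  if (decision === 'granted') {
    win[disableKey] = false;
    if (!win.__gaLoaded) {
      win.__gaLoaded = true;
      loadScript(win, GA_SCRIPT_URL);
    }
  } else {
    win[disableKey] = true;
  }
  return {
    decision: decision,
    disabled: win[disableKey] === true,
    scriptLoaded: win.__gaLoaded === true,
  };
}

// Cookie string to write when the visitor clicks accept or decline:
// one year, whole site, HTTPS only, not sent on cross-site requests.
function consentCookieString(analyticsAllowed) {
  const value = encodeURIComponent('analytics=' + (analyticsAllowed ? '1' : '0'));
  return CONSENT_COOKIE + '=' + value +
    '; Max-Age=31536000; Path=/; Secure; SameSite=Lax';
}

// Browser usage (guarded so the file also runs outside a browser):
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyAnalyticsPolicy(window, document.cookie);
}
```

The same pattern applies to the AdWords remarketing tag and any other third-party script: decide from the consent cookie first, then inject. Clearing cookies resets the decision to 'unknown', which is why the visitor is asked again, as the list above notes.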
How do we keep your data secure?
- We take appropriate steps to maintain our contact information in a secure environment to prevent unauthorised use. Our data processors are bound by contract to do the same.
- Only Insight Online staff can access this data, through individual password-protected logins for each service.
- All Insight Online staff are trained in the currently applicable laws. They know what Insight’s privacy practices are and how to process, record and maintain security for the data that we have.
- We keep your information for four years at which point we destroy it by securely erasing all digital copies.
- Any data breaches will be reported to the authorities within 72 hours of us finding out.
How can you access/update/delete/transfer your information?
In terms of the personal information that we have about you (like names, addresses, meeting notes, emails, phone numbers, call recordings), you have the right to ask for a copy of any personal information we hold about you. You can ask for it to be updated, transferred or deleted. If you’d like to ask for a copy of your information or to have it updated, transferred or deleted, please contact us at:
Phone: 09 887 9838
Address: Level 1, 38 Ireland St, Freemans Bay, Auckland, New Zealand.
We’ll always do our best to keep any personal information (names, addresses, phone numbers, emails) we hold about you up to date before we use it.
Changes may be necessary to this policy to reflect legal or data processing developments. If we change the policy we will provide information on our website so that users can review the changes. Any significantly different use of your data will be communicated to you and you will be able to choose whether you agree to the new usage.
If you’ve found any other good resources, privacy policies, any comments or suggestions for corrections, please let us know!
Update 22/05/18: New resource – https://www.cookiebot.com/ – A great GDPR tool for explaining what you need to be compliant and also comes with a few plugins to help get compliant. Thanks to Bruce from Born Digital for the tip!