How the EU GDPR Will Affect Your Website and Marketing Efforts

April 19, 2018

The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018.

Back in November, Forrester Research predicted that 80% of firms that are impacted by GDPR will not be ready to comply by May 2018. And as of February, only 26% of firms based in Europe said they were compliant.

What is the GDPR?

The EU is rolling out an aggressive policy that aims to protect the data of all of its citizens. While the harshest regulations will apply to companies with legal entities located inside of the EU, any company that processes the personal data of people who reside in the EU is impacted. And with GDPR, the customer is in charge.

This won’t be the only privacy regulation we’ll start to see governments enforcing — but since consumer perception toward compliance with these regulations is heightened, we’ll want to make our own constituents comfortable, and make sure that they know our marketing is EU-friendly.

The good news is that GDPR gives marketers the opportunity to work with IT and privacy teams to transform their organizations to be truly customer-centric. We’ve been fighting the user-centric battle for years, and this is our chance to propagate that message throughout our organizations.

How to Prepare

You have one month to evaluate, check the boxes, and confirm that you are compliant, so let’s look at the main elements of the GDPR:

  1. Consent: Companies must make consent language easy to understand, transparent, and distinguishable, and provide users with the ability to withdraw consent (as well as give it).
  2. Breach Notification: Customers must be notified of data breaches within 72 hours.
  3. Right to Access: Customers have the right to know how their data is being processed and for what purpose, and customers must be able to access all data electronically.
  4. Right to be Forgotten: Customers have the right to have all of their personal data erased and no longer processed (including by third-parties associated with the company).
  5. Data Portability: Customers can not only receive their data but also transport it easily and transmit it to another company, if they choose to do so.
  6. Privacy by Design: Data privacy and integrity must be considered at the outset of designing any systems or processes.
  7. Data Protection Officers: Companies are required to appoint a DPO who understands all of the company’s data processing operations and regularly monitors these processes.

Common definitions used in the GDPR:

  • Data Controller — your organization
  • Data Processor — any third-party system that captures or uses user data

What Personal Data Points are Included?

Data points include both direct and indirect information about visitors. In addition to typical user data that is provided through forms such as name or email, personal data also includes IP addresses, cookie identifiers, and GPS locations.

How Does My Organization’s Privacy Policy Need to Change?

Work with your legal team to ensure your Privacy Policy:

  • Is “clear, understandable, and concise” for any website visitor to understand.
  • Is updated with details on personally identifiable information (PII), aggregate tracking (e.g. Google Analytics) information, the use of cookies (what cookies are being used, e.g. website analytics tools, any advertising platforms, personalization, etc.), and instructions to opt out of tracking on browsers and from your internal processes.
  • Provides detailed information on how cookies work and how to disable them. For example, “You can prevent your browser from accepting new cookies, have the browser notify you when you receive a new cookie, or disable cookies altogether by accessing your browser’s preferences menu.”
  • Can be accessed on every page of your website and via organic search.

We really like this example from Pinterest; the updated policy is clear, direct, and doesn’t force you to use a dictionary.

Also, take a look at London School of Economics’ Cookie Policy, one of the best we’ve seen. The policy defines cookies, outlines exactly what cookies are used on the website, and leverages third-party resources for instructions on how to disable cookies and more information.

Do We Need an Automated Notification/Pop-Up About Our Cookie Policy?

A pop-up is not necessarily required, but it is not a bad idea.

The regulation states “the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application” which means that including instructions on how to disable your cookies in your Privacy Policy may be enough. While you can use this language, it is still encouraged to bring this language to the forefront using a pop-up or text in your header/footer that can be dismissed. provides us with a few models for cookie law consent, including:

  • Explicit Consent: Provides the user with the option to opt in to cookies or opt out.
  • Soft Opt-In: Informs the user that cookies are being used, and a user affirms by accepting or dismissing the message.

How to Position Your Cookie Policy

OHO recommends one of three options to be applied to your website:

  • Option 1 (Informational): If you do not have a legal entity located inside the EU, and you have updated your Privacy Policy with information about cookies on your site, then no additional module is needed.

  • Option 2 (Soft Opt-In): Develop a module within your CMS that can enable this notification on every page of your website, until a user “accepts” or dismisses the notification. There are lots of simple text options you can use, such as: “By using this website, you accept the use of cookies. Cookies are used to optimize your experience and improve the performance of the website.” This statement can be followed by a call-to-action button saying “I accept,” “OK,” or “I agree.”

  • Option 3 (Explicit Consent): As easy as it is to opt website visitors into cookies, you can also give them a means to opt out. Either provide instructions immediately in the notification (such as a link to instructions on disabling cookies from the browser), or provide a call-to-action to “disable” or “decline” cookies. The latter is a bit more complex, but ensures that you are providing your visitors with a clear way to turn off cookies.

  • Bonus: Consider only displaying the notification if a visitor is accessing the website from a country within the EU.

What Other Tasks Can Marketers Complete Now?

  • Update Google Analytics
    • Sign Google Analytics’ Data Processing Amendment
    • Make sure your URLs do not include Personally Identifiable Information (PII).
    • Turn on IP Anonymization within Settings.
    • Stay up to date on Google’s compliance practices.
  • Review privacy notices at every data collection point about how to opt out. The regulation states that “it must be as easy to withdraw consent as it is to give it.”
  • Publicly communicate policies around retention and removal of customer data.
  • Ensure that your site is secure.

Other Projects To Consider

As you adjust your site to ensure it complies with GDPR, consider using this as an opportunity to take a step back and kick off the following projects:

  1. Audit all digital data processes.
  2. Map all sources of digital data and ensure they unite into a single profile, especially since customers can ask to access this profile.
    • What data is held? Where did it come from? How is it collected? With whom is it shared? What third party tools and tags are you using?
  3. Always think of ways to optimize the user experience.

