The General Data Protection Regulation (GDPR) is a data privacy and security law passed by the European Union (EU) which was put into full effect on May 25, 2018. Its goal is to provide legal guidelines to protect the personal data of all EU people online. Many other countries are following suit, as they look at the GDPR as the next standard of personal privacy and data protection. For example, the United Kingdom (UK) has already adopted its own version of the GDPR called the UK-GDPR. This followed the UK's separation from the EU on December 31, 2021.
The GDPR, UK-GDPR and Cookie Compliance Explained for Businesses
Laws like the GDPR, UK-GDPR, and CCPA/CPRA are steps governments are taking to protect the personal data of their citizens. Personal data is collected information that may include things like IP address, location, contact info, ethnicity, or any data which contains details that make a person individually identifiable. Under the GDPR, this applies to all websites, not just websites owned in the EU. Those who ignore this law may face penalties reaching €20 million or 4% of global revenue. This could be why over half of US-based companies are making compliance a top priority, of which 77% are budgeting at least $1 million on GDPR optimization.
Was the “Cookie Law” Replaced?
The GDPR is NOT the ePrivacy Directive (EPD) or “Cookie Law” that was passed in 2002, but expands to data collection practices as a whole within the EU, rather than a focus on just tracking methods. Although in some areas the EPD may supersede the GDPR, one doesn’t replace the other.
Who Does the GDPR Apply To?
If You Process Data of EU Citizens: Any person or entity that processes data of, or sells products to, EU citizens or residents falls under the GDPR rules. These regulations apply to any website around the world that handles or stores any personal or private data of those who live in the EU.
If You Are an EU Based Company: These regulations provide protection to ALL visitors to a website if the data controller (website owner collecting the data) is based in the EU. For example, a citizen of the United States is protected by the same law as a person who lives in the EU if the website owner is based in the EU.
In short, unless you plan to deny website access to ALL EU visitors online and hold no operations within EU countries, then the GDPR will apply to your website and business.
7 Principles of GDPR
- Lawfulness, fairness and transparency – People need to have the ability to know how their data will be handled and processing must follow established laws and fairness practices.
- Purpose limitation – A person’s data cannot be used for anything outside of what is specified.
- Data minimization – Only collect information necessary to accomplish the objective.
- Accuracy – Personal records must be kept current.
- Storage limitation – Personally Identifying Information may be held no longer than how long it’s needed for processing.
- Integrity and confidentiality – Businesses must keep personal data secure and must not share it unnecessarily or without consent.
- Accountability – Any person who collects and processes personal data must be able to show proof that they follow these principles.
GDPR Website & Cookie Compliance
Despite its length, the GDPR only mentions the term “cookies” once within its 88 pages. According to the GDPR, any cookie that is not strictly required for the functioning of your website AND collects personal data of EU users must be deactivated until users manually opt in to the scripts that set it.
There are four major types of cookies:
- Necessary Cookies. These cookies belong to the website’s owner and must be active for your website to function properly. They usually only last as long as the session and don’t follow the user off the website.
- Preference Cookies. These remember the user’s settings like language and saving form information.
- Statistics Cookies. These are for third-party programs like Google Analytics that collect and measure data.
- Marketing Cookies. These allow ads to be customized based on user characteristics like location, and they collect behavior and data to send back to the ad service for remarketing. Facebook and Google Ads make use of such cookies.
Under the GDPR and EPD, your website must allow visitors to choose which cookies to enable on your website. Only cookies considered “necessary” can bypass the user’s opt-out. Your website must receive user consent before allowing any unnecessary cookies to run, provide a clear and easy-to-read privacy policy, give users the ability to withdraw their consent, and ultimately allow users to use your website regardless of whether they opt in to cookies. The steps below cover this in more detail.
How To Optimize Website for GDPR
- Create a Cookie Notification: Have a cookie notification through a banner or pop-up where visitors can opt in to the cookies they want turned on. Boxes may not be pre-checked, and ignoring the banner may not be treated as opting in. Any set of cookies that is NOT necessary must be actively opted in to by the user.
- Have a Cookie Policy: Within your notification, link to your policy on your own cookies and on any third-party cookies like Google Analytics. The policy should explain the “what” and “why” of the cookies in use.
- Update Privacy Policy: Make sure your website’s privacy policy is current, with a more detailed explanation of the cookie policy. It should describe how you collect and store data, as well as what you do with the data. List contact information so users can get in touch with you about how to access, modify or delete their data. State whether things like IP addresses are captured or tracked, and for what specific purposes.
- Purchase an SSL Certificate: If you don’t have one, then it is worth getting one. It’s important because it secures data transfer between users’ devices and your web servers, and it is a Google best practice. Plus, do you want to be the website that displays “not-secured” in the URL bar of a user’s browser?
- Capturing Leads: Don’t store any digital user information that is unnecessary. If you do store it, make sure that stored information is encrypted. Make sure your email service provider (Gmail, Yahoo, Hotmail, Outlook, etc.) also has a GDPR policy in place. Lead information can be passed through email, so you want to be covered there. On lead forms, don’t pre-check any boxes like “terms & conditions” or “subscribe me to newsletter”. If you print any copy with user information on it, shred it or dispose of it securely when you are finished with it. Don’t overlook that step.
- Third-Party Services: Make sure any third-party services that you use within your business and website have GDPR policies in place, to protect you from being liable for their violations. These services include payment gateways, cloud storage, website chat bots, analytics, email providers, or any other service which collects, stores, and processes personal data.
- E-commerce: Delete or “cleanse” any personal information after a reasonable amount of time.
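The consent rules in the steps above (only necessary cookies on by default, no pre-checked boxes, ignoring the banner is not consent, consent must be recorded and easy to withdraw) are straightforward to implement in the page's own JavaScript. The following is an added example written for this article; it is not code from the article or from ProductCart. It assumes the four cookie categories listed above, a storage key name of our choosing, and an injected storage object so the same logic runs against window.localStorage in the browser or against an in-memory stand-in when tested in Node. Wiring the banner's checkboxes to grant() and withdraw(), and injecting the script tags that allowedScripts() returns, is left to the page.

```javascript
// Added example (not from the original article): a minimal consent gate for
// the four cookie categories described above. Every category other than
// "necessary" starts OFF, each decision is recorded with a timestamp and the
// policy version it was given under, and withdrawal is a first-class call.

const CATEGORIES = ["necessary", "preference", "statistics", "marketing"];
const STORAGE_KEY = "cookie_consent_v1"; // assumed key name, chosen for this example

// Default state: only strictly necessary cookies are enabled. A visitor who
// ignores the banner has decidedAt === null and nothing optional enabled.
function defaultConsent(policyVersion) {
  return {
    policyVersion,
    decidedAt: null,
    categories: Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"])),
  };
}

// storage: any object with getItem/setItem (window.localStorage in a browser).
// now: injectable clock so the recorded timestamp is deterministic in tests.
function createConsentManager({ storage, policyVersion, now = () => new Date() }) {
  function load() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return defaultConsent(policyVersion);
    try {
      const saved = JSON.parse(raw);
      // Consent given under an older cookie policy is not valid for the
      // current one: ask again instead of silently reusing it.
      if (saved.policyVersion !== policyVersion) return defaultConsent(policyVersion);
      return saved;
    } catch {
      return defaultConsent(policyVersion); // corrupted record: treat as no decision
    }
  }

  function save(state) {
    storage.setItem(STORAGE_KEY, JSON.stringify(state));
    return state;
  }

  return {
    // True while the banner still has to be shown.
    needsDecision: () => load().decidedAt === null,

    // Record an explicit opt-in for the listed optional categories.
    // "necessary" is always on; unknown category names are rejected.
    grant(optedIn) {
      const state = defaultConsent(policyVersion);
      for (const c of optedIn) {
        if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
        state.categories[c] = true;
      }
      state.decidedAt = now().toISOString();
      return save(state);
    },

    // Withdrawing is as easy as consenting: one call turns every optional
    // category back off while keeping the fact that a decision was made.
    withdraw() {
      const state = defaultConsent(policyVersion);
      state.decidedAt = now().toISOString();
      return save(state);
    },

    isAllowed: (category) => load().categories[category] === true,

    // Gate third-party scripts: returns only those whose category is enabled.
    // scripts: [{ src, category }] as declared by the site owner.
    allowedScripts(scripts) {
      const state = load();
      return scripts.filter((s) => state.categories[s.category] === true);
    },

    // The stored record, which doubles as the documented proof of consent.
    record: () => load(),
  };
}

// In-memory stand-in for window.localStorage, constructed for this example.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

Because the decision is keyed to a policy version, changing your cookie policy automatically brings the banner back rather than reusing consent given for a different set of cookies.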
The Difference Between the UK-GDPR and the GDPR
The UK-GDPR (United Kingdom General Data Protection Regulation) took effect on January 31, 2020 alongside the Data Protection Act of 2018 and the PECR. Because it was leaving the European Union on December 31, 2021, the UK quickly drafted and adopted the UK-GDPR. The UK-GDPR is almost identical to the EU GDPR, except that it has been changed to accommodate UK law rather than EU law.
Similarities Between the UK-GDPR and GDPR:
- Both require websites to obtain explicit consent from users before processing their personal data via cookies and third-party trackers.
- Both require storing and documenting each valid consent.
- Both require websites to enable users to easily change their consent.
- Both provide citizens the right to delete and correct already collected personal data.
- Both share core definitions like personal data, the rights of data subjects, controller, and processor.
Differences Between the UK-GDPR and GDPR:
- Although the UK is now considered a “third country” by the GDPR, the EU adopted an adequacy decision for the UK to allow the free flow of personal data from individuals within the EU to the UK. However, the UK adequacy decision by the European Commission is limited to June 2025 and will not automatically renew.
- The UK adopted the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations (the DPPEC Regulations). This document adapts the EU laws to domestic UK law, as well as revising the Data Protection Act of 2018.
- The UK-GDPR expanded and changed areas like National Security, Intelligence Services, and Immigration, which are outside the scope of the European GDPR.
- The leading data protection authority in the UK, the Information Commissioner’s Office (ICO), is the lead supervisor, regulator, and enforcer of the UK-GDPR. In the EU GDPR, this role was assigned to the European Data Protection Board.
- The UK Secretary of State has been given powers to determine or revoke adequacy decisions on behalf of the UK-GDPR, without consulting the ICO.
- EU companies doing business within the UK will have to appoint a “natural or legal person established in the United Kingdom” to represent them.
- In the UK-GDPR, the age of valid consent is lowered to 13 years old in the UK. It’s 16 years in the EU.
Is GDPR and UK-GDPR Compliance Necessary?
To understand why these steps are necessary, you must first know the purpose of documents like the GDPR and UK-GDPR. These rules have been put into place by government authorities to do as much as they can to eliminate breaches of personal data by reducing the amount and frequency of data freely passing unsecured from place to place. They also force transparency and accountability between businesses and the people who use their services.
Although it may seem like a hassle, following the GDPR and UK-GDPR regulations, along with cookie compliance, puts the power of choice back into the hands of the end user: the customer! In addition, it marks the businesses who take these steps as more responsible and respectful of the privacy and protection of personal data. And what business wants to pay compliance penalties of up to €20M ($28M) or 4% of its global revenue?
Is your ProductCart website GDPR compliant?
We are here to help you navigate through global website compliance to privacy laws like the GDPR and UK-GDPR. Let our professional automated services keep you legal and current with best practices. Contact us today for a free consultation!
*NOTE: This article is not professional legal advice, but rather a summary of the GDPR’s key points and their implications as they relate to websites and cookies. To ensure complete compliance, speak with an attorney certified in the appropriate areas of law for official legal counsel.