As you’ve browsed websites recently, you may have noticed more and more of them displaying pop-up banners asking you to accept cookies. Sadly, they’re not offering your choice of chocolate chip or oatmeal or inviting you to a bake-off.

Instead, these privacy notices are a response to the General Data Protection Regulation (GDPR), a European Union regulation that became enforceable on May 25, 2018.

The purpose of the GDPR is to give people in the EU control over their personal data. (If you want to really dig in, ESET Sr. Security Researcher Stephen Cobb recently gave a deep dive on what U.S. companies need to know about GDPR.) Essentially it says to businesses and organizations: if you want to offer your services or products to people in the EU, you must protect their personal data and respect their rights over it, or be subject to fines.

And the effects of GDPR go well beyond the pop-up banners. Recent news reports describe how privacy complaints against online businesses like Google, Facebook, Instagram and WhatsApp could carry fines in the billions of dollars.

“But, I am not a European company,” you may say. “Does GDPR affect my website?”

Even if you are not a European business, the answer is probably yes. GDPR applies to any organization that offers goods or services to people in the EU or monitors their behaviour, regardless of where the website is hosted. So if EU visitors can reach your website and it collects data about them or tracks them, assume the regulation applies.

“But, I’m not a big company like Google or Facebook and don’t capture user data like they do on my website,” you may say.

The fact is, your website gathers information about its visitors. Even a plain site’s server logs record IP addresses and referring URLs, and GDPR treats online identifiers such as IP addresses as personal data. If you also use visitor analytics software like Google Analytics, lead-capture software like Mailchimp, or marketing-automation software like HubSpot, those tools store small identifiers in the visitor’s browser, called cookies, that track the visitor’s activity across your pages, and their forms gather and store visitor contact information.

While GDPR is not the law of the land in the US, it is reasonable to expect similar online data-privacy legislation here in the future, especially in the wake of data breaches at companies like Target and Wells Fargo and events like the recent Facebook and Cambridge Analytica data scandal.

Here are a few updates you can make to your company website to address privacy concerns and satisfy many GDPR requirements:

1) Update (or create) your website privacy policy.

Simply put, GDPR requires that companies explain to their website visitors what data they collect, how they collect it, and what they do with the visitor’s personal data. Speak to your company attorney for help creating your website privacy and cookie policy, or create one yourself using a service like Internet Legal Armor or Iubenda.

2) Get consent from online contacts.

Clearly explain what information a visitor is submitting on your web forms and how you will use it, using check boxes and links to your privacy policy. The boxes must be unticked by default: GDPR does not count pre-ticked boxes or silence as consent, and you must be able to show what each contact agreed to and when, so keep a record of the choice. Also explain how contacts can opt out of receiving further communications from you.
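The consent choice described above only means something if the analytics and marketing tags on the page actually wait for it. The following is an added example, not code from the original post or from any of the vendors it names: it records the categories a visitor ticked in a first-party cookie and loads a third-party tag only when its category was granted. The cookie name `gdpr_consent`, the category names and the tag URLs are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): consent-gated loading of
// third-party tags. Assumptions: the visitor's choice is stored in a
// first-party cookie named "gdpr_consent" holding the ticked categories as a
// comma-separated list; every tag name and URL below is a placeholder.

const CONSENT_COOKIE = 'gdpr_consent';
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Hypothetical tag registry: each third-party script declares the consent
// category it needs. "necessary" scripts (your own site code) always load.
const TAGS = [
  { name: 'site-core', category: 'necessary', src: '/static/site.js' },
  { name: 'web-analytics', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { name: 'lead-capture', category: 'marketing', src: 'https://marketing.example/tag.js' },
];

// Parse a Cookie header or document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      // Malformed percent-encoding: skip the cookie rather than throw.
    }
  }
  return jar;
}

// Return the Set of granted categories, or null if the visitor has not yet
// chosen. Under GDPR "no choice yet" means no optional tags, not "assume yes".
function readConsent(cookieString) {
  const jar = parseCookies(cookieString);
  if (!Object.prototype.hasOwnProperty.call(jar, CONSENT_COOKIE)) return null;
  const granted = new Set(['necessary']);
  for (const raw of jar[CONSENT_COOKIE].split(',')) {
    const c = raw.trim();
    if (CATEGORIES.includes(c)) granted.add(c); // unknown categories are ignored
  }
  return granted;
}

// Build the Set-Cookie value that records an explicit choice. Only categories
// the visitor actively ticked are stored; pre-ticked boxes are not consent.
// Secure + SameSite=Lax keep the record off plain http and out of cross-site
// requests.
function consentSetCookie(tickedCategories, maxAgeSeconds = 180 * 24 * 3600) {
  const chosen = tickedCategories.filter(
    (c) => CATEGORIES.includes(c) && c !== 'necessary'
  );
  return `${CONSENT_COOKIE}=${encodeURIComponent(chosen.join(','))}` +
    `; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Decide which tags may run and hand each one to `loader`. The loader is
// injected so the logic can run outside a browser; returns the names loaded.
function loadAllowedTags(cookieString, tags, loader) {
  const consent = readConsent(cookieString);
  const loaded = [];
  for (const tag of tags) {
    const allowed = tag.category === 'necessary' ||
      (consent !== null && consent.has(tag.category));
    if (allowed) {
      loader(tag);
      loaded.push(tag.name);
    }
  }
  return loaded;
}

// In a real page: gate the tags on document.cookie and inject <script> elements.
if (typeof document !== 'undefined') {
  loadAllowedTags(document.cookie, TAGS, (tag) => {
    const s = document.createElement('script');
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
  });
}
```

The important property is in `readConsent` and `loadAllowedTags`: a missing cookie yields `null`, and `null` loads nothing beyond the necessary scripts. The banner's "Accept" handler would call `consentSetCookie` with exactly the boxes the visitor ticked and then re-run `loadAllowedTags`; the `Secure` attribute means the cookie can only be set on an https page, which is item 3 below.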

3) Install a TLS (SSL) certificate and serve your site over HTTPS.

Obtaining and installing a TLS certificate (still commonly called an SSL certificate) and serving your site over it turns the “http” in your website address into “https” as visitors browse. HTTPS encrypts traffic between the visitor’s browser and your server, so form submissions and cookies cannot be read or altered in transit; that supports GDPR’s requirement to protect personal data with appropriate security measures and, not coincidentally, improves search engine rankings. Certificates no longer have to be purchased: Let’s Encrypt issues them free of charge. A certificate alone is not enough, though. Make sure every plain-http request is redirected to https, that cookies are set with the Secure flag, and that the site sends an HSTS header so browsers stop using http at all; a certificate that is installed but not enforced protects nothing.
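What “enforced” means in practice, as an added example that is not from the original post: a small Node.js request handler in which every request that did not arrive over https, or arrived for a non-canonical host name, is redirected to the canonical https origin, and only https responses carry the HSTS header. The host `www.example.com`, the port, and the assumption that a trusted proxy terminates TLS and sets `X-Forwarded-Proto` are placeholders for illustration.

```javascript
// Added example (not from the original post): the enforcement that has to
// accompany a certificate. Assumptions: Node.js, a canonical site host of
// www.example.com, and a trusted proxy that terminates TLS and sets
// X-Forwarded-Proto. All names are placeholders.

const CANONICAL_HOST = 'www.example.com';
// One year, covering subdomains so a forgotten http://blog.example.com cannot
// undo the protection. Start with a short max-age while testing.
const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

// Pure decision function: given the request's scheme, Host header and path,
// return the status and headers to send. No sockets, so it is testable.
function decide(req) {
  const host = String(req.host || '').split(':')[0].toLowerCase();
  // Only accept an origin-form path; an absolute URL in req.url must not be
  // echoed into Location, or the redirect becomes a header-injection vector.
  const path = typeof req.url === 'string' && req.url.startsWith('/') ? req.url : '/';
  // Redirect plain http and non-canonical hosts to the canonical https origin.
  // Location is built from CANONICAL_HOST, never from the client-supplied Host
  // header, so this cannot be turned into an open redirect.
  if (req.proto !== 'https' || host !== CANONICAL_HOST) {
    return {
      status: 301,
      headers: { Location: `https://${CANONICAL_HOST}${path}` },
    };
  }
  // Only an https response may carry HSTS; browsers ignore it over http.
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': HSTS_VALUE,
      'Content-Type': 'text/plain; charset=utf-8',
    },
  };
}

// Adapter for Node's http module, trusting X-Forwarded-Proto from the proxy.
// If the proxy does not set it, every request is treated as plain http.
function handle(req, res) {
  const proto = String(req.headers['x-forwarded-proto'] || 'http')
    .split(',')[0].trim().toLowerCase();
  const result = decide({ proto, host: req.headers.host, url: req.url });
  res.writeHead(result.status, result.headers);
  res.end(result.status === 200 ? 'secure content\n' : '');
}

// Run directly: node enforce-https.js, then curl -i -H 'Host: www.example.com' http://localhost:8080/
if (typeof require !== 'undefined' && require.main === module) {
  require('http').createServer(handle).listen(8080);
}
```

The same three rules (redirect everything that is not https, never build the redirect target from the client’s Host header, send HSTS only over https) apply whether the enforcement lives in application code, in an nginx or Apache configuration, or at a CDN; this block just makes them explicit and checkable.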

4) Ask your attorney.

Consult your business attorney if you are unsure what your company’s responsibilities are under the GDPR rules and how you can stay compliant.