When building and launching digital campaigns, many of the key determinants of success are evaluated through digital engagement measurement and tracking. However, as websites and ad-tech have evolved in recent years, so have protections and privacy policies. It’s easy to write off the need for a comprehensive privacy policy, however, this is a recipe for disaster in the age of big data regulation and enforcement. To avoid the FTC and International regulators ire, digital agencies such as Bluetext recommend taking data privacy measures that cater to the most comprehensive regulations in effect. 

For businesses with users outside of the United States, being aware of the General Data Protection Regulation (GDPR) and similar legislation is an essential consideration. The GDPR has created strict provisions for EU web users’ privacy and data rights, which extends to US browsers. As global privacy legislation evolves, North American businesses that handle global users’ data must comply with current regulations and build with an eye on future compliance. Top digital marketing agencies advise and design campaigns and websites with these policies in mind to provide frictionless engagements. 

What is the GDPR?

The GDPR is an extraterritorial set of provisions that updated Europe’s data protection standards. The privacy policy strengthens the protections set in 1995, adding requirements for greater transparency and disclosure to users, in addition to modernizing the “cookie law” of 2002.

The GDPR goes beyond earlier regulation, focusing on personal data protection regardless of the type of data and how companies must document user consent in a transparent fashion. These protections apply to all persons browsing within or originating from the European Union. 

The term “personal data” is not synonymous with “personally identifiable information”, or PII. PII has traditionally been a legal concern for American businesses, and it refers to a more defined set of information than the GDPR model. PII does not have to be context-specific to be regulated, in contrast, the GDPR emphasizes the consumer risks of data aggregation.

My business isn’t located in Europe, why should I care?

The GDPR’s reach is far greater than the medley of privacy protections in effect across the United States. Violators of the regulations risk penalties of €20 million ($22.6 million as of writing) or 4 percent of global annual revenues for the preceding fiscal year, whichever is greater. Comprehensive legislation at the state level in the U.S. has been varied, many forward-thinking businesses are beginning to take steps to adapt their practices to comply with the California Consumer Privacy Act (CCPA). Ultimately every website will have to comply with some set of standards, so it is wise to be proactive and implement privacy protection now. Top digital marketing agencies such as Bluetext are taking steps to protect against potential violations of the CCPA and GDPR by changing cookie collection practices, recommending new data collection practices, and designing clear consent forms. 

Changing privacy policies impact sites from the bottom up, starting with development and design

In a digital-first world, data is a critical component of many businesses online and offline strategies. With the implementation of the GDPR, marketers and web developers must be more diligent about what data we collect, the means by which we collect it, and how we handle sensitive information. When building or updating websites, web developers, and digital project managers should take this as an opportunity to rethink how sites can be more transparent and adopt the Privacy by Design framework. 

The Privacy by Design framework highlights design-thinking approaches to development prior to launch to eliminate the need for post-hoc privacy fixes once a project is live. Solutions such as making privacy the default setting for site visitors, making privacy standards visible and open, and giving users specific privacy information notices are easy considerations to add to the development plan.

If your site is already live, consider a development sprint focused on auditing areas of potential weakness. In assessing your data hygiene, your team can look for unsafe or unnecessary modules that can be disabled, particularly those found in APIs and third-party libraries. Adtech integrations may help source leads and retarget with better precision, but validating that their pixels and tracking are in alignment with GDPR best practices is essential. 

The aesthetic design of websites is also impacted by changing privacy practices. GDPR consent requires clear and explicit opt-in notices to users. Designers, user experience experts, and marketers should work collaboratively to update existing landing page components to incorporate new disclosure features. One simple mantra to internalize in the design phase? Offer accessible, clean choices around cookies and pixels.

When building clear user permissions for data capture, the GDPR requires that websites define data retention and deletion plans for all the personal data collected. Adding GDPR conscious logic to scripts at the code level of your site can save time for site custodians and business analysts alike in the future. 

Updating best practices for common marketing tactics and tools 

Updating the fine print on your Privacy Policy is just the first step of complying with new regulations; common marketing campaign tactics such as cookies should also be rethought through the lens of compliance.  Cookies are the small data files that can be placed on users’ browsers and provide a trove of useful insight to website operators. Under the GDPR, businesses are legally liable for any activities on their sites, specifically protecting user data from third-party cookie tracking.

Many businesses use cookie tracking to better measure the impact of their marketing strategies, and they combine tracking with other user data to build user personas. While this has been an accepted practice in the past, the new regulation now requires clear permission from European users to collect this information, whether the site is for an American or French company. As noted in the impact of GDPR on design, cookie usage has to be explained on either the homepage or a  second-level page on the navigation. This immediate opt-in should allow users to understand how their data is collected, the purpose of the data, and how long they are consenting to these cookies.

As a website operator, sites must withhold all cookies and trackers on your website until you have received clear and explicit user consent on each type of cookie and tracker. This consent has to be given freely, described in explicit plain language, and users must have the ability to withdraw consent. The rights of users under the GDPR are extensive — to comply, website custodians must update their privacy policies and opt-in tools. 

This sounds like a lot of work, why should I care?

Ultimately, thoughtful privacy policies, development, and design provide a safeguard for both businesses and users. The GDPR gives consumers new rights to access and manage their data on digital platforms, and businesses that do not adapt to meet these regulatory requirements can face steep fines. While these changes can seem overwhelming, a top digital marketing agency such as Bluetext can guide your business through the murkiness of data privacy design and compliance.