Very simple websites
- That warm, fuzzy feeling from having Dealt With It!
- Demonstrate to clients and, who knows, maybe even the data protection police, that you take privacy seriously, have some awareness of the laws, and have made an effort to comply.
- Going through the process will make you more aware of your own practices and may even reveal that you were processing data in ways you were not aware of.
- State the identity of the data controller – This is a legal entity and should include a registration number where appropriate. In the case of a company, the data controller will be the company. More likely, you are an individual and should state your own name. Do not hide behind your business name, though, unless it is a company in the legal sense.
- State how you can be contacted – A link to your contact page or email address is adequate if you don’t want to disclose your telephone number or address.
- State what you do with that data and why – Very likely it sits in your email archives. Perhaps indefinitely? Just state that you collect whatever you collect (name and email address perhaps) in order to reply to their enquiry. If you want to be all legal about it, your legal basis for doing this is probably legitimate interest*. You may also want to state how long you keep the data before destroying it.
- Cookies – State very simply what a cookie is (see my policy for suggestions). Try to find out whether your website is setting cookies, what they are and what they are for, and list them.** State very simply how users can control cookies in their browser (see my policy for suggestions).
- Users’ rights under GDPR – These are extensive, so my preference is to provide a very brief synopsis, accompanied by a link to more information and details of how to contact me should they wish to exercise those rights (see my policy for help). This section really is a formality. With a super simple website that does not collect personal data, nobody is going to be exercising those rights!
* You do NOT need a checkbox to record consent on your contact form if all it is used for is to send you a message. If you want to get people to subscribe to your mailing list at the same time, or plan to use their submitted data in any other way, that’s another matter entirely.
** This is the trickiest bit for most. I covered cookies in some depth in my previous post, so have a look there if you’re ready to grasp the nettle on this one! If that all sounds too terrifying, it’s still worth trying to find out what cookies your website uses, and the free Cookiebot tool is very easy to use. Don’t be alarmed when the result comes back saying NON COMPLIANT – they want you to buy their services. What’s especially helpful about the Cookiebot test is that it categorises the cookies for you.
- If your site sets no cookies – great – say so!
- If there are cookies listed in the marketing category (apart from Google Analytics), you really ought to dig a little deeper: try to understand where these are coming from, and clearly state in your cookies section how your visitors may be being tracked and by whom. Likely candidates are Facebook (do you have a pixel installed?), Google (in various guises), AddToAny and ShareThis (social sharing), etc. Also try to provide links to information about how to manage these cookies. In most cases, the companies in question will have information available for you to link to.
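If you would rather do the audit yourself than rely on the Cookiebot report, the following helper turns the Set-Cookie headers you can copy out of your browser's network panel into the kind of list the cookies section needs (name, domain, session or persistent, first or third party, and the vendor where it is one of those named above). It is an added example written for this post, not code from the post or from Cookiebot; the sample capture for example.com is constructed, and the vendor tables are a small illustrative list rather than anything complete.

```python
# Cookie audit helper: turns captured Set-Cookie headers into the list a privacy
# policy needs. Added example, not code from the original post.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Vendors the post names as likely sources of marketing cookies, keyed by setting
# domain, plus well-known cookie names their scripts set on the site's own domain.
VENDOR_BY_DOMAIN = {"facebook.com": "Facebook pixel", "doubleclick.net": "Google advertising",
                    "addtoany.com": "AddToAny (social sharing)", "sharethis.com": "ShareThis (social sharing)"}
VENDOR_BY_NAME = {"_fbp": "Facebook pixel", "_ga": "Google Analytics", "_gid": "Google Analytics"}

def registrable(host):
    return ".".join(host.lower().strip(".").split(".")[-2:])  # crude eTLD+1, fine for these hosts

def audit_cookies(site_url, responses):
    """responses: [(response URL, [Set-Cookie header values])] copied from the
    browser's network panel. Returns one dict per cookie found."""
    site_dom = registrable(urlsplit(site_url).hostname)
    rows = []
    for url, headers in responses:
        host = urlsplit(url).hostname
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)  # parses value plus Domain/Path/Expires/Max-Age/Secure/HttpOnly
            for name, morsel in jar.items():
                domain = morsel["domain"] or host
                rows.append({
                    "name": name, "domain": domain,
                    # session cookies die with the browser; Expires/Max-Age means persistent
                    "persistent": bool(morsel["expires"] or morsel["max-age"]),
                    "third_party": registrable(domain) != site_dom,
                    "vendor": VENDOR_BY_NAME.get(name) or VENDOR_BY_DOMAIN.get(registrable(domain), ""),
                })
    return rows

def policy_lines(rows):
    """Plain-language lines for the cookies section of the policy."""
    out = []
    for r in rows:
        kind = "persistent" if r["persistent"] else "session"
        who = r["vendor"] or ("a third party" if r["third_party"] else "this site")
        out.append(f"{r['name']} ({r['domain']}, {kind}) - set by {who}")
    return out

# Constructed sample capture for example.com; not taken from any real site.
SAMPLE = [
    ("https://example.com/", ["PHPSESSID=abc123; Path=/; HttpOnly",
                              "_ga=GA1.2.1234.5678; Domain=.example.com; Path=/; Max-Age=63072000"]),
    ("https://www.facebook.com/tr/", ["_fbp=fb.1.1700000000.123; Domain=.facebook.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure"]),
]
```

Cookies set by JavaScript rather than by a response header will not appear in a header capture, so also check the browser's cookie storage view for names such as _ga that vendor scripts create on your own domain.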
Cookie notification banners & consent
A note on consent as applied to cookies
At present, in some EU states (e.g. France and The Netherlands), it is not enough to notify users of the cookies you use and assume implicit consent from their continued use of your website: you are required to obtain their explicit consent, through an affirmative action (scroll, button click, etc.), before placing the cookies on their browsing device. Under GDPR you are also supposed to retain a record of that consent. This is technically a very difficult thing to achieve, and is typically what is provided by the commercial vendors of cookie consent solutions, such as Cookiebot, OneTrust, etc. The same functionality is also available for free from Civic Cookie Control. It’s worth noting that in very few cases (in France at least) is this actually implemented correctly. Yet despite being more than capable of implementing a super-compliant solution like this, and despite being of rather a conservative nature in these regards, after much research and reflection, I have chosen not to do so on the sites that I maintain. This is partly because I find them to be intrusive to users and to have a detrimental impact on the usefulness of whatever services are setting the cookies, and partly because I have a suspicion that within a year they will be redundant.
I hope this slightly irreverent but hopefully pragmatic approach has provided some achievable steps to help you feel more in control and less daunted by GDPR as applied to your ultra simple website. If your website is not quite so simple, however, or if you would like assistance to identify the cookies used by your website, as well as any other potential areas of concern: contact me for a quote.